OAuth 2.0 資源伺服器不透明令牌
內省的最小依賴項
如 JWT 的最小依賴項 中所述,大多數資源伺服器支援都收集在 spring-security-oauth2-resource-server 中。但是,除非您提供自定義的 ReactiveOpaqueTokenIntrospector,否則資源伺服器將回退到 SpringReactiveOpaqueTokenIntrospector。這意味著只有 spring-security-oauth2-resource-server 是構建一個支援不透明不記名令牌的最小工作資源伺服器所必需的。
內省的最小配置
通常,您可以使用由授權伺服器託管的 OAuth 2.0 內省端點 來驗證不透明令牌。當需要撤銷時,這會非常方便。
使用 Spring Boot 時,將應用程式配置為使用內省的資源伺服器包括兩個步驟
-
包含所需的依賴項。
-
指示內省端點詳細資訊。
指定授權伺服器
您可以指定內省端點的位置
spring:
security:
oauth2:
resourceserver:
opaquetoken:
introspection-uri: https://idp.example.com/introspect
client-id: client
client-secret: secret其中 idp.example.com/introspect 是由您的授權伺服器託管的內省端點,client-id 和 client-secret 是訪問該端點所需的憑據。
資源伺服器使用這些屬性進行進一步的自我配置,並隨後驗證傳入的 JWT。
|
如果授權伺服器響應令牌有效,則其有效。 |
執行時預期
應用程式啟動後,資源伺服器會嘗試處理任何包含 Authorization: Bearer 頭的請求
GET / HTTP/1.1
Authorization: Bearer some-token-value # Resource Server will process this只要指示了此方案,資源伺服器就會嘗試根據不記名令牌規範處理請求。
給定一個不透明令牌,資源伺服器會
-
使用提供的憑據和令牌查詢提供的內省端點。
-
檢查響應中是否存在
{ 'active' : true }屬性。 -
將每個範圍對映到具有
SCOPE_字首的許可權。
預設情況下,生成的 Authentication#getPrincipal 是一個 Spring Security OAuth2AuthenticatedPrincipal 物件,如果存在,Authentication#getName 對映到令牌的 sub 屬性。
從這裡,您可能想跳轉到
認證後查詢屬性
令牌認證後,SecurityContext 中會設定一個 BearerTokenAuthentication 例項。
這意味著當您在配置中使用 @EnableWebFlux 時,它在 @Controller 方法中可用
-
Java
-
Kotlin
@GetMapping("/foo")
public Mono<String> foo(BearerTokenAuthentication authentication) {
return Mono.just(authentication.getTokenAttributes().get("sub") + " is the subject");
}@GetMapping("/foo")
fun foo(authentication: BearerTokenAuthentication): Mono<String> {
return Mono.just(authentication.tokenAttributes["sub"].toString() + " is the subject")
}由於 BearerTokenAuthentication 包含一個 OAuth2AuthenticatedPrincipal,這也意味著它也適用於控制器方法
-
Java
-
Kotlin
@GetMapping("/foo")
public Mono<String> foo(@AuthenticationPrincipal OAuth2AuthenticatedPrincipal principal) {
return Mono.just(principal.getAttribute("sub") + " is the subject");
}@GetMapping("/foo")
fun foo(@AuthenticationPrincipal principal: OAuth2AuthenticatedPrincipal): Mono<String> {
return Mono.just(principal.getAttribute<Any>("sub").toString() + " is the subject")
}使用 SpEL 查詢屬性
您可以使用 Spring Expression Language (SpEL) 訪問屬性。
例如,如果您使用 @EnableReactiveMethodSecurity 以便可以使用 @PreAuthorize 註解,您可以這樣做
-
Java
-
Kotlin
@PreAuthorize("principal?.attributes['sub'] = 'foo'")
public Mono<String> forFoosEyesOnly() {
return Mono.just("foo");
}@PreAuthorize("principal.attributes['sub'] = 'foo'")
fun forFoosEyesOnly(): Mono<String> {
return Mono.just("foo")
}覆蓋或替換 Boot 自動配置
Spring Boot 為資源伺服器生成兩個 @Bean 例項。
第一個是 SecurityWebFilterChain,它將應用程式配置為資源伺服器。當您使用不透明令牌時,此 SecurityWebFilterChain 看起來像
-
Java
-
Kotlin
@Bean
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
http
.authorizeExchange((authorize) -> authorize
.anyExchange().authenticated()
)
.oauth2ResourceServer(ServerHttpSecurity.OAuth2ResourceServerSpec::opaqueToken)
return http.build();
}@Bean
fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
return http {
authorizeExchange {
authorize(anyExchange, authenticated)
}
oauth2ResourceServer {
opaqueToken { }
}
}
}如果應用程式未公開 SecurityWebFilterChain bean,Spring Boot 將公開預設 bean(如前面的清單所示)。
您可以透過在應用程式中公開 bean 來替換它
替換 SecurityWebFilterChain
-
Java
-
Kotlin
import static org.springframework.security.oauth2.core.authorization.OAuth2ReactiveAuthorizationManagers.hasScope;
@Configuration
@EnableWebFluxSecurity
public class MyCustomSecurityConfiguration {
@Bean
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
http
.authorizeExchange((authorize) -> authorize
.pathMatchers("/messages/**").access(hasScope("message:read"))
.anyExchange().authenticated()
)
.oauth2ResourceServer((oauth2) -> oauth2
.opaqueToken((opaqueToken) -> opaqueToken
.introspector(myIntrospector())
)
);
return http.build();
}
}import org.springframework.security.oauth2.core.authorization.OAuth2ReactiveAuthorizationManagers.hasScope
@Bean
fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
return http {
authorizeExchange {
authorize("/messages/**", hasScope("message:read"))
authorize(anyExchange, authenticated)
}
oauth2ResourceServer {
opaqueToken {
introspector = myIntrospector()
}
}
}
}前面的示例要求任何以 /messages/ 開頭的 URL 具有 message:read 範圍。
oauth2ResourceServer DSL 上的方法也會覆蓋或替換自動配置。
例如,Spring Boot 建立的第二個 @Bean 是 ReactiveOpaqueTokenIntrospector,它將 String 令牌解碼為經過驗證的 OAuth2AuthenticatedPrincipal 例項
-
Java
-
Kotlin
@Bean
public ReactiveOpaqueTokenIntrospector introspector() {
return SpringReactiveOpaqueTokenIntrospector.withIntrospectionUri(introspectionUri)
.clientId(clientId).clientSecret(clientSecret).build();
}@Bean
fun introspector(): ReactiveOpaqueTokenIntrospector {
return SpringReactiveOpaqueTokenIntrospector.withIntrospectionUri(introspectionUri)
.clientId(clientId).clientSecret(clientSecret).build()
}如果應用程式未公開 ReactiveOpaqueTokenIntrospector bean,Spring Boot 將公開預設的 bean(如前面的清單所示)。
您可以透過使用 introspectionUri() 和 introspectionClientCredentials() 來覆蓋其配置,或者透過使用 introspector() 來替換它。
使用 introspectionUri()
您可以將授權伺服器的內省 URI 配置為配置屬性,或者您可以在 DSL 中提供
-
Java
-
Kotlin
@Configuration
@EnableWebFluxSecurity
public class DirectlyConfiguredIntrospectionUri {
@Bean
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
http
.authorizeExchange((authorize) -> authorize
.anyExchange().authenticated()
)
.oauth2ResourceServer((oauth2) -> oauth2
.opaqueToken((opaqueToken) -> opaqueToken
.introspectionUri("https://idp.example.com/introspect")
.introspectionClientCredentials("client", "secret")
)
);
return http.build();
}
}@Bean
fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
return http {
authorizeExchange {
authorize(anyExchange, authenticated)
}
oauth2ResourceServer {
opaqueToken {
introspectionUri = "https://idp.example.com/introspect"
introspectionClientCredentials("client", "secret")
}
}
}
}使用 introspectionUri() 優先於任何配置屬性。
使用 introspector()
introspector() 比 introspectionUri() 更強大。它完全替換了 ReactiveOpaqueTokenIntrospector 的任何 Boot 自動配置
-
Java
-
Kotlin
@Configuration
@EnableWebFluxSecurity
public class DirectlyConfiguredIntrospector {
@Bean
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
http
.authorizeExchange((authorize) -> authorize
.anyExchange().authenticated()
)
.oauth2ResourceServer((oauth2) -> oauth2
.opaqueToken((opaqueToken) -> opaqueToken
.introspector(myCustomIntrospector())
)
);
return http.build();
}
}@Bean
fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
return http {
authorizeExchange {
authorize(anyExchange, authenticated)
}
oauth2ResourceServer {
opaqueToken {
introspector = myCustomIntrospector()
}
}
}
}公開 ReactiveOpaqueTokenIntrospector @Bean
或者,公開 ReactiveOpaqueTokenIntrospector @Bean 與 introspector() 具有相同的效果
-
Java
-
Kotlin
@Bean
public ReactiveOpaqueTokenIntrospector introspector() {
return SpringReactiveOpaqueTokenIntrospector.withIntrospectionUri(introspectionUri)
.clientId(clientId).clientSecret(clientSecret).build()
}@Bean
fun introspector(): ReactiveOpaqueTokenIntrospector {
return SpringReactiveOpaqueTokenIntrospector.withIntrospectionUri(introspectionUri)
.clientId(clientId).clientSecret(clientSecret).build()
}配置授權
OAuth 2.0 內省端點通常返回一個 scope 屬性,指示其已被授予的範圍(或許可權)——例如
{ ..., "scope" : "messages contacts"}在這種情況下,資源伺服器嘗試將這些範圍強制轉換為授予許可權列表,並在每個範圍前加上字串:SCOPE_。
這意味著,要使用從不透明令牌派生的範圍保護端點或方法,相應的表示式應包含此字首
-
Java
-
Kotlin
import static org.springframework.security.oauth2.core.authorization.OAuth2ReactiveAuthorizationManagers.hasScope;
@Configuration
@EnableWebFluxSecurity
public class MappedAuthorities {
@Bean
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
http
.authorizeExchange((authorize) -> authorize
.pathMatchers("/contacts/**").access(hasScope("contacts"))
.pathMatchers("/messages/**").access(hasScope("messages"))
.anyExchange().authenticated()
)
.oauth2ResourceServer(ServerHttpSecurity.OAuth2ResourceServerSpec::opaqueToken);
return http.build();
}
}import org.springframework.security.oauth2.core.authorization.OAuth2ReactiveAuthorizationManagers.hasScope
@Bean
fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
return http {
authorizeExchange {
authorize("/contacts/**", hasScope("contacts"))
authorize("/messages/**", hasScope("messages"))
authorize(anyExchange, authenticated)
}
oauth2ResourceServer {
opaqueToken { }
}
}
}您可以使用方法安全做類似的事情
-
Java
-
Kotlin
@PreAuthorize("hasAuthority('SCOPE_messages')")
public Flux<Message> getMessages(...) {}@PreAuthorize("hasAuthority('SCOPE_messages')")
fun getMessages(): Flux<Message> { }手動提取許可權
預設情況下,不透明令牌支援從內省響應中提取範圍宣告,並將其解析為單獨的 GrantedAuthority 例項。
考慮以下示例
{
"active" : true,
"scope" : "message:read message:write"
}如果內省響應如前面的示例所示,資源伺服器將生成一個具有兩個許可權的 Authentication,一個用於 message:read,另一個用於 message:write。
您可以透過使用自定義 ReactiveOpaqueTokenIntrospector 來定製行為,該內省器檢視屬性集並以自己的方式進行轉換
-
Java
-
Kotlin
public class CustomAuthoritiesOpaqueTokenIntrospector implements ReactiveOpaqueTokenIntrospector {
private ReactiveOpaqueTokenIntrospector delegate = SpringReactiveOpaqueTokenIntrospector
.withIntrospectionUri("https://idp.example.org/introspect")
.clientId("client").clientSecret("secret").build();
public Mono<OAuth2AuthenticatedPrincipal> introspect(String token) {
return this.delegate.introspect(token)
.map((principal) -> principal DefaultOAuth2AuthenticatedPrincipal(
principal.getName(), principal.getAttributes(), extractAuthorities(principal)));
}
private Collection<GrantedAuthority> extractAuthorities(OAuth2AuthenticatedPrincipal principal) {
List<String> scopes = principal.getAttribute(OAuth2IntrospectionClaimNames.SCOPE);
return scopes.stream()
.map(SimpleGrantedAuthority::new)
.collect(Collectors.toList());
}
}class CustomAuthoritiesOpaqueTokenIntrospector : ReactiveOpaqueTokenIntrospector {
private val delegate: ReactiveOpaqueTokenIntrospector = SpringReactiveOpaqueTokenIntrospector
.withIntrospectionUri("https://idp.example.org/introspect")
.clientId("client").clientSecret("secret").build()
override fun introspect(token: String): Mono<OAuth2AuthenticatedPrincipal> {
return delegate.introspect(token)
.map { principal: OAuth2AuthenticatedPrincipal ->
DefaultOAuth2AuthenticatedPrincipal(
principal.name, principal.attributes, extractAuthorities(principal))
}
}
private fun extractAuthorities(principal: OAuth2AuthenticatedPrincipal): Collection<GrantedAuthority> {
val scopes = principal.getAttribute<List<String>>(OAuth2IntrospectionClaimNames.SCOPE)
return scopes
.map { SimpleGrantedAuthority(it) }
}
}此後,您可以透過將其公開為 @Bean 來配置此自定義內省器
-
Java
-
Kotlin
@Bean
public ReactiveOpaqueTokenIntrospector introspector() {
return new CustomAuthoritiesOpaqueTokenIntrospector();
}@Bean
fun introspector(): ReactiveOpaqueTokenIntrospector {
return CustomAuthoritiesOpaqueTokenIntrospector()
}結合 JWT 使用內省
一個常見問題是內省是否與 JWT 相容。Spring Security 的不透明令牌支援旨在不關心令牌的格式。它樂意將任何令牌傳遞給提供的內省端點。
因此,假設您需要在每個請求中與授權伺服器進行檢查,以防 JWT 已被撤銷。
即使您使用 JWT 格式的令牌,您的驗證方法是內省,這意味著您需要這樣做
spring:
security:
oauth2:
resourceserver:
opaquetoken:
introspection-uri: https://idp.example.org/introspection
client-id: client
client-secret: secret在這種情況下,生成的 Authentication 將是 BearerTokenAuthentication。相應 OAuth2AuthenticatedPrincipal 中的任何屬性都將是內省端點返回的任何內容。
但是,假設由於某種原因,內省端點只返回令牌是否活動。現在怎麼辦?
在這種情況下,您可以建立一個自定義的 ReactiveOpaqueTokenIntrospector,它仍然會命中端點,但隨後會更新返回的主體以將 JWT 的宣告作為屬性
-
Java
-
Kotlin
public class JwtOpaqueTokenIntrospector implements ReactiveOpaqueTokenIntrospector {
private ReactiveOpaqueTokenIntrospector delegate = SpringReactiveOpaqueTokenIntrospector
.withIntrospectionUri("https://idp.example.org/introspect")
.clientId("client").clientSecret("secret").build();
private ReactiveJwtDecoder jwtDecoder = new NimbusReactiveJwtDecoder(new ParseOnlyJWTProcessor());
public Mono<OAuth2AuthenticatedPrincipal> introspect(String token) {
return this.delegate.introspect(token)
.flatMap((principal) -> principal.jwtDecoder.decode(token))
.map((jwt) -> jwt DefaultOAuth2AuthenticatedPrincipal(jwt.getClaims(), NO_AUTHORITIES));
}
private static class ParseOnlyJWTProcessor implements Converter<JWT, Mono<JWTClaimsSet>> {
public Mono<JWTClaimsSet> convert(JWT jwt) {
try {
return Mono.just(jwt.getJWTClaimsSet());
} catch (Exception ex) {
return Mono.error(ex);
}
}
}
}class JwtOpaqueTokenIntrospector : ReactiveOpaqueTokenIntrospector {
private val delegate: ReactiveOpaqueTokenIntrospector = SpringReactiveOpaqueTokenIntrospector
.withIntrospectionUri("https://idp.example.org/introspect")
.clientId("client").clientSecret("secret").build()
private val jwtDecoder: ReactiveJwtDecoder = NimbusReactiveJwtDecoder(ParseOnlyJWTProcessor())
override fun introspect(token: String): Mono<OAuth2AuthenticatedPrincipal> {
return delegate.introspect(token)
.flatMap { jwtDecoder.decode(token) }
.map { jwt: Jwt -> DefaultOAuth2AuthenticatedPrincipal(jwt.claims, NO_AUTHORITIES) }
}
private class ParseOnlyJWTProcessor : Converter<JWT, Mono<JWTClaimsSet>> {
override fun convert(jwt: JWT): Mono<JWTClaimsSet> {
return try {
Mono.just(jwt.jwtClaimsSet)
} catch (e: Exception) {
Mono.error(e)
}
}
}
}此後,您可以透過將其公開為 @Bean 來配置此自定義內省器
-
Java
-
Kotlin
@Bean
public ReactiveOpaqueTokenIntrospector introspector() {
return new JwtOpaqueTokenIntropsector();
}@Bean
fun introspector(): ReactiveOpaqueTokenIntrospector {
return JwtOpaqueTokenIntrospector()
}呼叫 /userinfo 端點
一般來說,資源伺服器不關心底層使用者,而是關心已授予的許可權。
也就是說,有時將授權語句與使用者關聯起來可能很有價值。
如果應用程式也使用 spring-security-oauth2-client,並且設定了適當的 ClientRegistrationRepository,您可以使用自定義的 OpaqueTokenIntrospector 來實現。下一個清單中的實現執行三件事
-
委託給內省端點,以確認令牌的有效性。
-
查詢與
/userinfo端點關聯的適當客戶端註冊。 -
呼叫並返回
/userinfo端點的響應。
-
Java
-
Kotlin
public class UserInfoOpaqueTokenIntrospector implements ReactiveOpaqueTokenIntrospector {
private final ReactiveOpaqueTokenIntrospector delegate = SpringReactiveOpaqueTokenIntrospector
.withIntrospectionUri("https://idp.example.org/introspect")
.clientId("client").clientSecret("secret").build();
private final ReactiveOAuth2UserService<OAuth2UserRequest, OAuth2User> oauth2UserService =
new DefaultReactiveOAuth2UserService();
private final ReactiveClientRegistrationRepository repository;
// ... constructor
@Override
public Mono<OAuth2AuthenticatedPrincipal> introspect(String token) {
return Mono.zip(this.delegate.introspect(token), this.repository.findByRegistrationId("registration-id"))
.map(t -> {
OAuth2AuthenticatedPrincipal authorized = t.getT1();
ClientRegistration clientRegistration = t.getT2();
Instant issuedAt = authorized.getAttribute(ISSUED_AT);
Instant expiresAt = authorized.getAttribute(OAuth2IntrospectionClaimNames.EXPIRES_AT);
OAuth2AccessToken accessToken = new OAuth2AccessToken(BEARER, token, issuedAt, expiresAt);
return new OAuth2UserRequest(clientRegistration, accessToken);
})
.flatMap(this.oauth2UserService::loadUser);
}
}class UserInfoOpaqueTokenIntrospector : ReactiveOpaqueTokenIntrospector {
private val delegate: ReactiveOpaqueTokenIntrospector = SpringReactiveOpaqueTokenIntrospector
.withIntrospectionUri("https://idp.example.org/introspect")
.clientId("client").clientSecret("secret").build()
private val oauth2UserService: ReactiveOAuth2UserService<OAuth2UserRequest, OAuth2User> = DefaultReactiveOAuth2UserService()
private val repository: ReactiveClientRegistrationRepository? = null
// ... constructor
override fun introspect(token: String?): Mono<OAuth2AuthenticatedPrincipal> {
return Mono.zip<OAuth2AuthenticatedPrincipal, ClientRegistration>(delegate.introspect(token), repository!!.findByRegistrationId("registration-id"))
.map<OAuth2UserRequest> { t: Tuple2<OAuth2AuthenticatedPrincipal, ClientRegistration> ->
val authorized = t.t1
val clientRegistration = t.t2
val issuedAt: Instant? = authorized.getAttribute(ISSUED_AT)
val expiresAt: Instant? = authorized.getAttribute(OAuth2IntrospectionClaimNames.EXPIRES_AT)
val accessToken = OAuth2AccessToken(BEARER, token, issuedAt, expiresAt)
OAuth2UserRequest(clientRegistration, accessToken)
}
.flatMap { userRequest: OAuth2UserRequest -> oauth2UserService.loadUser(userRequest) }
}
}如果您不使用 spring-security-oauth2-client,它仍然非常簡單。您只需要使用自己的 WebClient 例項呼叫 /userinfo
-
Java
-
Kotlin
public class UserInfoOpaqueTokenIntrospector implements ReactiveOpaqueTokenIntrospector {
private final ReactiveOpaqueTokenIntrospector delegate = SpringReactiveOpaqueTokenIntrospector
.withIntrospectionUri("https://idp.example.org/introspect")
.clientId("client").clientSecret("secret").build();
private final WebClient rest = WebClient.create();
@Override
public Mono<OAuth2AuthenticatedPrincipal> introspect(String token) {
return this.delegate.introspect(token)
.map(this::makeUserInfoRequest);
}
}class UserInfoOpaqueTokenIntrospector : ReactiveOpaqueTokenIntrospector {
private val delegate: ReactiveOpaqueTokenIntrospector = SpringReactiveOpaqueTokenIntrospector
.withIntrospectionUri("https://idp.example.org/introspect")
.clientId("client").clientSecret("secret").build()
private val rest: WebClient = WebClient.create()
override fun introspect(token: String): Mono<OAuth2AuthenticatedPrincipal> {
return delegate.introspect(token)
.map(this::makeUserInfoRequest)
}
}無論哪種方式,在建立了 ReactiveOpaqueTokenIntrospector 之後,您都應該將其釋出為 @Bean 以覆蓋預設值
-
Java
-
Kotlin
@Bean
ReactiveOpaqueTokenIntrospector introspector() {
return new UserInfoOpaqueTokenIntrospector();
}@Bean
fun introspector(): ReactiveOpaqueTokenIntrospector {
return UserInfoOpaqueTokenIntrospector()
}
