OAuth 2.0 客戶端
OAuth 2.0 客戶端特性提供了對OAuth 2.0 授權框架中定義的客戶端角色的支援。
概括來說,核心特性包括:
客戶端認證支援
HTTP 客戶端支援(用於請求受保護資源)
`HttpSecurity.oauth2Client()` DSL 提供了一系列配置選項,用於自定義 OAuth 2.0 客戶端使用的核心元件。此外,`HttpSecurity.oauth2Client().authorizationCodeGrant()` 啟用了對授權碼許可型別的自定義。
以下程式碼展示了 `HttpSecurity.oauth2Client()` DSL 提供的完整配置選項:
OAuth2 客戶端配置選項
-
Java
-
Kotlin
@Configuration
@EnableWebSecurity
public class OAuth2ClientSecurityConfig {
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http
.oauth2Client(oauth2 -> oauth2
.clientRegistrationRepository(this.clientRegistrationRepository())
.authorizedClientRepository(this.authorizedClientRepository())
.authorizedClientService(this.authorizedClientService())
.authorizationCodeGrant(codeGrant -> codeGrant
.authorizationRequestRepository(this.authorizationRequestRepository())
.authorizationRequestResolver(this.authorizationRequestResolver())
.accessTokenResponseClient(this.accessTokenResponseClient())
)
);
return http.build();
}
}@Configuration
@EnableWebSecurity
class OAuth2ClientSecurityConfig {
@Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http {
oauth2Client {
clientRegistrationRepository = clientRegistrationRepository()
authorizedClientRepository = authorizedClientRepository()
authorizedClientService = authorizedClientService()
authorizationCodeGrant {
authorizationRequestRepository = authorizationRequestRepository()
authorizationRequestResolver = authorizationRequestResolver()
accessTokenResponseClient = accessTokenResponseClient()
}
}
}
return http.build()
}
}除了 `HttpSecurity.oauth2Client()` DSL 外,還支援 XML 配置。
以下程式碼展示了security 名稱空間中可用的完整配置選項:
OAuth2 客戶端 XML 配置選項
<http>
<oauth2-client client-registration-repository-ref="clientRegistrationRepository"
authorized-client-repository-ref="authorizedClientRepository"
authorized-client-service-ref="authorizedClientService">
<authorization-code-grant
authorization-request-repository-ref="authorizationRequestRepository"
authorization-request-resolver-ref="authorizationRequestResolver"
access-token-response-client-ref="accessTokenResponseClient"/>
</oauth2-client>
</http>`OAuth2AuthorizedClientManager` 負責管理 OAuth 2.0 客戶端的授權(或重新授權),並與一個或多個 `OAuth2AuthorizedClientProvider` 協同工作。
以下程式碼展示瞭如何註冊 `OAuth2AuthorizedClientManager` 的 `@Bean` 示例,並將其與支援 `authorization_code`、`refresh_token`、`client_credentials` 和 `password` 授權許可型別的 `OAuth2AuthorizedClientProvider` 組合關聯起來:
-
Java
-
Kotlin
@Bean
public OAuth2AuthorizedClientManager authorizedClientManager(
ClientRegistrationRepository clientRegistrationRepository,
OAuth2AuthorizedClientRepository authorizedClientRepository) {
OAuth2AuthorizedClientProvider authorizedClientProvider =
OAuth2AuthorizedClientProviderBuilder.builder()
.authorizationCode()
.refreshToken()
.clientCredentials()
.password()
.build();
DefaultOAuth2AuthorizedClientManager authorizedClientManager =
new DefaultOAuth2AuthorizedClientManager(
clientRegistrationRepository, authorizedClientRepository);
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
return authorizedClientManager;
}@Bean
fun authorizedClientManager(
clientRegistrationRepository: ClientRegistrationRepository,
authorizedClientRepository: OAuth2AuthorizedClientRepository): OAuth2AuthorizedClientManager {
val authorizedClientProvider: OAuth2AuthorizedClientProvider = OAuth2AuthorizedClientProviderBuilder.builder()
.authorizationCode()
.refreshToken()
.clientCredentials()
.password()
.build()
val authorizedClientManager = DefaultOAuth2AuthorizedClientManager(
clientRegistrationRepository, authorizedClientRepository)
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)
return authorizedClientManager
}
