OAuth 2.0 持有者令牌
持有者令牌解析
預設情況下,資源伺服器會在 Authorization 頭中查詢持有者令牌。然而,可以透過多種方式進行自定義。
從自定義頭中讀取持有者令牌
例如,您可能需要從自定義頭中讀取持有者令牌。為此,您可以將 DefaultBearerTokenResolver 暴露為一個 bean,或將其例項注入到 DSL 中,如下例所示
自定義持有者令牌頭
-
Java
-
Kotlin
-
Xml
@Bean
BearerTokenResolver bearerTokenResolver() {
DefaultBearerTokenResolver bearerTokenResolver = new DefaultBearerTokenResolver();
bearerTokenResolver.setBearerTokenHeaderName(HttpHeaders.PROXY_AUTHORIZATION);
return bearerTokenResolver;
}@Bean
fun bearerTokenResolver(): BearerTokenResolver {
val bearerTokenResolver = DefaultBearerTokenResolver()
bearerTokenResolver.setBearerTokenHeaderName(HttpHeaders.PROXY_AUTHORIZATION)
return bearerTokenResolver
}<http>
<oauth2-resource-server bearer-token-resolver-ref="bearerTokenResolver"/>
</http>
<bean id="bearerTokenResolver"
class="org.springframework.security.oauth2.server.resource.web.DefaultBearerTokenResolver">
<property name="bearerTokenHeaderName" value="Proxy-Authorization"/>
</bean>或者,在提供者同時使用自定義頭和值的情況下,您可以使用 HeaderBearerTokenResolver 代替。
從表單引數中讀取持有者令牌
或者,您可能希望從表單引數中讀取令牌,這可以透過配置 DefaultBearerTokenResolver 來實現,如下所示
表單引數持有者令牌
-
Java
-
Kotlin
-
Xml
DefaultBearerTokenResolver resolver = new DefaultBearerTokenResolver();
resolver.setAllowFormEncodedBodyParameter(true);
http
.oauth2ResourceServer(oauth2 -> oauth2
.bearerTokenResolver(resolver)
);val resolver = DefaultBearerTokenResolver()
resolver.setAllowFormEncodedBodyParameter(true)
http {
oauth2ResourceServer {
bearerTokenResolver = resolver
}
}<http>
<oauth2-resource-server bearer-token-resolver-ref="bearerTokenResolver"/>
</http>
<bean id="bearerTokenResolver"
class="org.springframework.security.oauth2.server.resource.web.HeaderBearerTokenResolver">
<property name="allowFormEncodedBodyParameter" value="true"/>
</bean>持有者令牌傳播
現在您的資源伺服器已經驗證了令牌,將其傳遞給下游服務可能會很方便。使用 ServletBearerExchangeFilterFunction 可以非常簡單地實現這一點,如下例所示
-
Java
-
Kotlin
@Bean
public WebClient rest() {
return WebClient.builder()
.filter(new ServletBearerExchangeFilterFunction())
.build();
}@Bean
fun rest(): WebClient {
return WebClient.builder()
.filter(ServletBearerExchangeFilterFunction())
.build()
}當使用上面的 WebClient 執行請求時,Spring Security 將查詢當前的 Authentication 並提取任何 AbstractOAuth2Token 憑據。然後,它會將該令牌在 Authorization 頭中傳播。
例如
-
Java
-
Kotlin
this.rest.get()
.uri("https://other-service.example.com/endpoint")
.retrieve()
.bodyToMono(String.class)
.block()this.rest.get()
.uri("https://other-service.example.com/endpoint")
.retrieve()
.bodyToMono<String>()
.block()將呼叫 other-service.example.com/endpoint,併為您新增持有者令牌的 Authorization 頭。
在需要覆蓋此行為的地方,只需自己提供頭即可,如下所示
-
Java
-
Kotlin
this.rest.get()
.uri("https://other-service.example.com/endpoint")
.headers(headers -> headers.setBearerAuth(overridingToken))
.retrieve()
.bodyToMono(String.class)
.block()this.rest.get()
.uri("https://other-service.example.com/endpoint")
.headers{ headers -> headers.setBearerAuth(overridingToken)}
.retrieve()
.bodyToMono<String>()
.block()在這種情況下,過濾器將回退並簡單地將請求轉發到 Web 過濾器鏈的其餘部分。
| 與 OAuth 2.0 Client 過濾器函式不同,此過濾器函式在令牌過期時不會嘗試續訂令牌。要獲得此級別的支援,請使用 OAuth 2.0 Client 過濾器。 |
RestTemplate 支援
目前沒有 ServletBearerExchangeFilterFunction 的 RestTemplate 等效項,但是您可以透過自己的攔截器非常簡單地傳播請求的持有者令牌
-
Java
-
Kotlin
@Bean
RestTemplate rest() {
RestTemplate rest = new RestTemplate();
rest.getInterceptors().add((request, body, execution) -> {
Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
if (authentication == null) {
return execution.execute(request, body);
}
if (!(authentication.getCredentials() instanceof AbstractOAuth2Token)) {
return execution.execute(request, body);
}
AbstractOAuth2Token token = (AbstractOAuth2Token) authentication.getCredentials();
request.getHeaders().setBearerAuth(token.getTokenValue());
return execution.execute(request, body);
});
return rest;
}@Bean
fun rest(): RestTemplate {
val rest = RestTemplate()
rest.interceptors.add(ClientHttpRequestInterceptor { request, body, execution ->
val authentication: Authentication? = SecurityContextHolder.getContext().authentication
if (authentication == null) {
return execution.execute(request, body)
}
if (authentication.credentials !is AbstractOAuth2Token) {
return execution.execute(request, body)
}
request.headers.setBearerAuth(authentication.credentials.tokenValue)
execution.execute(request, body)
})
return rest
}| 與 OAuth 2.0 Authorized Client Manager 不同,此過濾器攔截器在令牌過期時不會嘗試續訂令牌。要獲得此級別的支援,請使用 OAuth 2.0 Authorized Client Manager 建立一個攔截器。 |
持有者令牌故障
持有者令牌可能由於多種原因而無效。例如,令牌可能不再處於活動狀態。
在這些情況下,資源伺服器會丟擲 InvalidBearerTokenException。與其他異常一樣,這會產生 OAuth 2.0 持有者令牌錯誤響應
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Bearer error_code="invalid_token", error_description="Unsupported algorithm of none", error_uri="https://tools.ietf.org/html/rfc6750#section-3.1"此外,它還會作為 AuthenticationFailureBadCredentialsEvent 釋出,您可以像這樣在您的應用程式中監聽它
-
Java
-
Kotlin
@Component
public class FailureEvents {
@EventListener
public void onFailure(AuthenticationFailureBadCredentialsEvent badCredentials) {
if (badCredentials.getAuthentication() instanceof BearerTokenAuthenticationToken) {
// ... handle
}
}
}@Component
class FailureEvents {
@EventListener
fun onFailure(badCredentials: AuthenticationFailureBadCredentialsEvent) {
if (badCredentials.authentication is BearerTokenAuthenticationToken) {
// ... handle
}
}
}
