# OAuth2.0资源服务器不透明令牌
## 用于自省的最小依赖项
如[JWT的最小依赖项](jwt.html#oauth2resourceserver-jwt-minimaldependencies)中所描述的,大多数资源服务器的支持都是在`spring-security-oauth2-resource-server`中收集的。但是,除非提供了自定义[`OpaqueTokenIntrospector`](#OAuth2Resourceserver-opaque-introspector),否则资源服务器将退回到NimbusOpaquetokenintrospector。这意味着`spring-security-oauth2-resource-server`和`oauth2-oidc-sdk`都是必需的,以便拥有支持不透明承载令牌的工作最小资源服务器。请参阅`spring-security-oauth2-resource-server`以确定`oauth2-oidc-sdk`的正确版本。
## 用于内省的最小配置
通常,可以通过由授权服务器托管的[OAuth2.0内省终点](https://tools.ietf.org/html/rfc7662)来验证不透明令牌。当要求撤销时,这可能很方便。
当使用[Spring Boot](https://spring.io/projects/spring-boot)时,将应用程序配置为使用内省的资源服务器包括两个基本步骤。首先,包括所需的依赖关系,其次,指示内省端点细节。
### 指定授权服务器
要指定内省端点的位置,只需执行以下操作:
```
security:
oauth2:
resourceserver:
opaque-token:
introspection-uri: https://idp.example.com/introspect
client-id: client
client-secret: secret
```
其中`[https://idp.example.com/introspect](https://idp.example.com/introspect)`是由授权服务器托管的内省端点,`client-id`和`client-secret`是达到该端点所需的凭据。
Resource Server将使用这些属性进一步自我配置,并随后验证传入的JWTS。
| |在使用内省时,授权服务器的单词是law。
如果授权服务器响应令牌是有效的,那么它是有效的。|
|---|----------------------------------------------------------------------------------------------------------------------------------------------------|
就这样!
### 创业期望
当使用此属性和这些依赖项时,Resource Server将自动配置自身以验证不透明承载令牌。
这个启动过程比JWTS简单得多,因为不需要发现端点,也不需要添加额外的验证规则。
### 运行时期望
一旦启动应用程序,Resource Server将尝试处理任何包含`Authorization: Bearer`报头的请求:
```
GET / HTTP/1.1
Authorization: Bearer some-token-value # Resource Server will process this
```
只要表明了该方案,资源服务器就会尝试根据承载令牌规范来处理请求。
给定一个不透明的令牌,资源服务器将
1. 使用提供的凭据和令牌查询提供的内省端点
2. 检查`{ 'active' : true }`属性的响应
3. 将每个作用域映射到一个前缀`SCOPE_`的权限
默认情况下,生成的`Authentication#getPrincipal`是 Spring security`[OAuth2AuthenticatedPrincipal](https://docs.spring.io/spring-security/site/docs/5.6.2/api/org/springframework/security/oauth2/core/OAuth2AuthenticatedPrincipal.html)`对象,并且`Authentication#getName`映射到令牌的`sub`属性(如果存在)。
从这里,你可能想跳转到:
* [不透明令牌身份验证的工作方式](#oauth2resourceserver-opaque-architecture)
* [身份验证后查找属性](#oauth2resourceserver-opaque-attributes)
* [手动提取权限](#oauth2resourceserver-opaque-authorization-extraction)
* [使用JWTS进行内省](#oauth2resourceserver-opaque-jwt-introspector)
## 不透明令牌身份验证的工作方式
接下来,让我们看看 Spring Security在基于 Servlet 的应用程序中支持[不透明令牌](https://tools.ietf.org/html/rfc7662)身份验证所使用的体系结构组件,就像我们刚才看到的那样。
[`OpaqueTokenAuthenticationProvider`](https://DOCS. Spring.io/ Spring-security/site/DOCS/5.6.2/api/org/springframework/security/oauth2/server/resource/authentication/opaquetokenauthenticationprovider.html)是一种[`AuthenticationProvider`](././../././////./authentification/architection.html.html# Servlet-authentification-authentification-authentication provider)实现,利用不透明的[("sub").toString() + " is the subject"
}
```
### 通过SPEL查找属性
当然,这也意味着可以通过SPEL访问属性。
例如,如果使用`@EnableGlobalMethodSecurity`使你可以使用`@PreAuthorize`注释,则可以这样做:
Java
```
@PreAuthorize("principal?.attributes['sub'] == 'foo'")
public String forFoosEyesOnly() {
return "foo";
}
```
Kotlin
```
@PreAuthorize("principal?.attributes['sub'] == 'foo'")
fun forFoosEyesOnly(): String {
return "foo"
}
```
## 覆盖或替换Boot Auto配置
有两个`@Bean`s, Spring boot代表资源服务器生成。
第一个是将应用程序配置为资源服务器的`WebSecurityConfigurerAdapter`。当使用不透明令牌时,这个`WebSecurityConfigurerAdapter`看起来像:
例1.默认不透明令牌配置
Java
```
protected void configure(HttpSecurity http) {
http
.authorizeHttpRequests(authorize -> authorize
.anyRequest().authenticated()
)
.oauth2ResourceServer(OAuth2ResourceServerConfigurer::opaqueToken);
}
```
Kotlin
```
override fun configure(http: HttpSecurity) {
http {
authorizeRequests {
authorize(anyRequest, authenticated)
}
oauth2ResourceServer {
opaqueToken { }
}
}
}
```
如果应用程序不公开`WebSecurityConfigurerAdapter` Bean,那么 Spring 引导将公开上面的默认引导。
替换它就像在应用程序中公开 Bean 一样简单:
例2.自定义不透明令牌配置
Java
```
@EnableWebSecurity
public class MyCustomSecurityConfiguration extends WebSecurityConfigurerAdapter {
protected void configure(HttpSecurity http) {
http
.authorizeHttpRequests(authorize -> authorize
.mvcMatchers("/messages/**").hasAuthority("SCOPE_message:read")
.anyRequest().authenticated()
)
.oauth2ResourceServer(oauth2 -> oauth2
.opaqueToken(opaqueToken -> opaqueToken
.introspector(myIntrospector())
)
);
}
}
```
Kotlin
```
@EnableWebSecurity
class MyCustomSecurityConfiguration : WebSecurityConfigurerAdapter() {
override fun configure(http: HttpSecurity) {
http {
authorizeRequests {
authorize("/messages/**", hasAuthority("SCOPE_message:read"))
authorize(anyRequest, authenticated)
}
oauth2ResourceServer {
opaqueToken {
introspector = myIntrospector()
}
}
}
}
}
```
对于任何以`/messages/`开头的URL,上述条件要求`message:read`的范围。
`oauth2ResourceServer`DSL上的方法也将覆盖或替换自动配置。
例如,第二个`@Bean` Spring 引导创建的是一个`OpaqueTokenIntrospector`,[它将`String`令牌解码为`OAuth2AuthenticatedPrincipal`的验证实例](#OAuth2Resourceserver-ope-architecture-introspector):
Java
```
@Bean
public OpaqueTokenIntrospector introspector() {
return new NimbusOpaqueTokenIntrospector(introspectionUri, clientId, clientSecret);
}
```
Kotlin
```
@Bean
fun introspector(): OpaqueTokenIntrospector {
return NimbusOpaqueTokenIntrospector(introspectionUri, clientId, clientSecret)
}
```
如果应用程序不公开[`OpaqueTokenIntrospector`](#OAuth2Resourceserver-opaque-architecture-introspector) Bean,那么 Spring 引导将公开上述默认的引导。
并且它的配置可以使用`introspectionUri()`和`introspectionClientCredentials()`进行重写,或者使用`introspector()`进行替换。
或者,如果你根本不使用 Spring boot,那么这两个组件-过滤器链和[`OpaqueTokenIntrospector`](#OAuth2Resourceserver-Opaque-Architecture-Introspector)都可以用XML指定。
过滤链是这样指定的:
例3.默认不透明令牌配置
XML
```
```
[`OpaqueTokenIntrospector`](#OAuth2resourceserver-opaque-architecture-introspector)如下所示:
例4.不透明令牌内省器
XML
```
```
### `
可以配置授权服务器的内省URI[作为配置属性](#oauth2resourceserver-opaque-introspectionuri),也可以在DSL中提供它:
例5.内省URI配置
Java
```
@EnableWebSecurity
public class DirectlyConfiguredIntrospectionUri extends WebSecurityConfigurerAdapter {
protected void configure(HttpSecurity http) {
http
.authorizeHttpRequests(authorize -> authorize
.anyRequest().authenticated()
)
.oauth2ResourceServer(oauth2 -> oauth2
.opaqueToken(opaqueToken -> opaqueToken
.introspectionUri("https://idp.example.com/introspect")
.introspectionClientCredentials("client", "secret")
)
);
}
}
```
Kotlin
```
@EnableWebSecurity
class DirectlyConfiguredIntrospectionUri : WebSecurityConfigurerAdapter() {
override fun configure(http: HttpSecurity) {
http {
authorizeRequests {
authorize(anyRequest, authenticated)
}
oauth2ResourceServer {
opaqueToken {
introspectionUri = "https://idp.example.com/introspect"
introspectionClientCredentials("client", "secret")
}
}
}
}
}
```
XML
```
```
使用`introspectionUri()`优先于任何配置属性。
### `
比`introspectionUri()`更强大的是`introspector()`,它将完全取代[`OpaqueTokenIntrospector`](#OAuth2Resourceserver-opae-architecture-introspector)的任何引导自动配置:
例6.内省配置
Java
```
@EnableWebSecurity
public class DirectlyConfiguredIntrospector extends WebSecurityConfigurerAdapter {
protected void configure(HttpSecurity http) {
http
.authorizeHttpRequests(authorize -> authorize
.anyRequest().authenticated()
)
.oauth2ResourceServer(oauth2 -> oauth2
.opaqueToken(opaqueToken -> opaqueToken
.introspector(myCustomIntrospector())
)
);
}
}
```
Kotlin
```
@EnableWebSecurity
class DirectlyConfiguredIntrospector : WebSecurityConfigurerAdapter() {
override fun configure(http: HttpSecurity) {
http {
authorizeRequests {
authorize(anyRequest, authenticated)
}
oauth2ResourceServer {
opaqueToken {
introspector = myCustomIntrospector()
}
}
}
}
}
```
XML
```
```
当需要更深的配置时,比如[权限映射](#oauth2resourceserver-opaque-authorization-extraction)、[JWT撤销](#oauth2resourceserver-opaque-jwt-introspector)或[请求超时](#oauth2resourceserver-opaque-timeouts),这是很方便的。
### 曝光`OpaqueTokenIntrospector``@Bean`
或者,暴露一个[`OpaqueTokenIntrospector`](#OAuth2resourceserver-opae-architecture-introspector)`@Bean`具有与`introspector()`相同的效果:
```
@Bean
public OpaqueTokenIntrospector introspector() {
return new NimbusOpaqueTokenIntrospector(introspectionUri, clientId, clientSecret);
}
```
## 配置授权
OAuth2.0内省端点通常会返回一个`scope`属性,指示它被授予的作用域(或权限),例如:
`{ …, "scope" : "messages contacts"}`
在这种情况下,Resource Server将尝试强制将这些作用域放入一个已授予权限的列表中,并在每个作用域前加上字符串“scope\_”。
这意味着,要保护具有由不透明令牌派生的作用域的端点或方法,相应的表达式应该包括以下前缀:
例7.授权不透明令牌配置
Java
```
@EnableWebSecurity
public class MappedAuthorities extends WebSecurityConfigurerAdapter {
protected void configure(HttpSecurity http) {
http
.authorizeHttpRequests(authorizeRequests -> authorizeRequests
.mvcMatchers("/contacts/**").hasAuthority("SCOPE_contacts")
.mvcMatchers("/messages/**").hasAuthority("SCOPE_messages")
.anyRequest().authenticated()
)
.oauth2ResourceServer(OAuth2ResourceServerConfigurer::opaqueToken);
}
}
```
Kotlin
```
@EnableWebSecurity
class MappedAuthorities : WebSecurityConfigurerAdapter() {
override fun configure(http: HttpSecurity) {
http {
authorizeRequests {
authorize("/contacts/**", hasAuthority("SCOPE_contacts"))
authorize("/messages/**", hasAuthority("SCOPE_messages"))
authorize(anyRequest, authenticated)
}
oauth2ResourceServer {
opaqueToken { }
}
}
}
}
```
XML
```
```
或类似于方法安全性:
Java
```
@PreAuthorize("hasAuthority('SCOPE_messages')")
public List getMessages(...) {}
```
Kotlin
```
@PreAuthorize("hasAuthority('SCOPE_messages')")
fun getMessages(): List {}
```
### 手动提取权限
默认情况下,不透明令牌支持将从内省响应中提取范围声明,并将其解析为单个`GrantedAuthority`实例。
例如,如果内省反应是:
```
{
"active" : true,
"scope" : "message:read message:write"
}
```
然后,资源服务器将生成一个带有两个权限的`Authentication`,一个用于`message:read`,另一个用于`message:write`。
当然,这可以使用自定义[`OpaqueTokenIntrospector`](#OAuth2Resourceserver-Opaque-Architecture-Introspector)进行自定义,它查看属性集并以自己的方式进行转换:
Java
```
public class CustomAuthoritiesOpaqueTokenIntrospector implements OpaqueTokenIntrospector {
private OpaqueTokenIntrospector delegate =
new NimbusOpaqueTokenIntrospector("https://idp.example.org/introspect", "client", "secret");
public OAuth2AuthenticatedPrincipal introspect(String token) {
OAuth2AuthenticatedPrincipal principal = this.delegate.introspect(token);
return new DefaultOAuth2AuthenticatedPrincipal(
principal.getName(), principal.getAttributes(), extractAuthorities(principal));
}
private Collection extractAuthorities(OAuth2AuthenticatedPrincipal principal) {
List scopes = principal.getAttribute(OAuth2IntrospectionClaimNames.SCOPE);
return scopes.stream()
.map(SimpleGrantedAuthority::new)
.collect(Collectors.toList());
}
}
```
Kotlin
```
class CustomAuthoritiesOpaqueTokenIntrospector : OpaqueTokenIntrospector {
private val delegate: OpaqueTokenIntrospector = NimbusOpaqueTokenIntrospector("https://idp.example.org/introspect", "client", "secret")
override fun introspect(token: String): OAuth2AuthenticatedPrincipal {
val principal: OAuth2AuthenticatedPrincipal = delegate.introspect(token)
return DefaultOAuth2AuthenticatedPrincipal(
principal.name, principal.attributes, extractAuthorities(principal))
}
private fun extractAuthorities(principal: OAuth2AuthenticatedPrincipal): Collection {
val scopes: List = principal.getAttribute(OAuth2IntrospectionClaimNames.SCOPE)
return scopes
.map { SimpleGrantedAuthority(it) }
}
}
```
在此之后,可以简单地将此自定义内省检测器配置为`@Bean`:
Java
```
@Bean
public OpaqueTokenIntrospector introspector() {
return new CustomAuthoritiesOpaqueTokenIntrospector();
}
```
Kotlin
```
@Bean
fun introspector(): OpaqueTokenIntrospector {
return CustomAuthoritiesOpaqueTokenIntrospector()
}
```
## 配置超时
默认情况下,Resource Server使用30秒的连接和套接字超时来与授权服务器进行协调。
在某些情况下,这可能太短了。此外,它没有考虑到更复杂的模式,比如后退和发现。
要调整资源服务器连接到授权服务器的方式,`NimbusOpaqueTokenIntrospector`接受`RestOperations`的实例:
Java
```
@Bean
public OpaqueTokenIntrospector introspector(RestTemplateBuilder builder, OAuth2ResourceServerProperties properties) {
RestOperations rest = builder
.basicAuthentication(properties.getOpaquetoken().getClientId(), properties.getOpaquetoken().getClientSecret())
.setConnectTimeout(Duration.ofSeconds(60))
.setReadTimeout(Duration.ofSeconds(60))
.build();
return new NimbusOpaqueTokenIntrospector(introspectionUri, rest);
}
```
Kotlin
```
@Bean
fun introspector(builder: RestTemplateBuilder, properties: OAuth2ResourceServerProperties): OpaqueTokenIntrospector? {
val rest: RestOperations = builder
.basicAuthentication(properties.opaquetoken.clientId, properties.opaquetoken.clientSecret)
.setConnectTimeout(Duration.ofSeconds(60))
.setReadTimeout(Duration.ofSeconds(60))
.build()
return NimbusOpaqueTokenIntrospector(introspectionUri, rest)
}
```
## 使用JWTS进行内省
一个常见的问题是,内省是否与JWTS兼容。 Spring Security的不透明令牌支持被设计成不关心令牌的格式——它将很乐意将任何令牌传递给所提供的内省端点。
所以,假设你有一个要求,要求你在每个请求上与授权服务器进行检查,以防JWT被撤销。
尽管你使用的是JWT格式的令牌,但你的验证方法是内省,这意味着你希望这样做:
```
spring:
security:
oauth2:
resourceserver:
opaque-token:
introspection-uri: https://idp.example.org/introspection
client-id: client
client-secret: secret
```
在这种情况下,得到的`Authentication`将是`BearerTokenAuthentication`。对应的`OAuth2AuthenticatedPrincipal`中的任何属性都将是内省端点返回的任何属性。
但是,让我们说,奇怪的是,内省端点只返回令牌是否处于活动状态。现在怎么办?
在这种情况下,你可以创建一个自定义的[`OpaqueTokenIntrospector`](#OAuth2Resourceserver-opaque-architecture-introspector),它仍然会到达端点,但随后会更新返回的主体,使JWTS声明作为属性:
Java
```
public class JwtOpaqueTokenIntrospector implements OpaqueTokenIntrospector {
private OpaqueTokenIntrospector delegate =
new NimbusOpaqueTokenIntrospector("https://idp.example.org/introspect", "client", "secret");
private JwtDecoder jwtDecoder = new NimbusJwtDecoder(new ParseOnlyJWTProcessor());
public OAuth2AuthenticatedPrincipal introspect(String token) {
OAuth2AuthenticatedPrincipal principal = this.delegate.introspect(token);
try {
Jwt jwt = this.jwtDecoder.decode(token);
return new DefaultOAuth2AuthenticatedPrincipal(jwt.getClaims(), NO_AUTHORITIES);
} catch (JwtException ex) {
throw new OAuth2IntrospectionException(ex);
}
}
private static class ParseOnlyJWTProcessor extends DefaultJWTProcessor {
JWTClaimsSet process(SignedJWT jwt, SecurityContext context)
throws JOSEException {
return jwt.getJWTClaimsSet();
}
}
}
```
Kotlin
```
class JwtOpaqueTokenIntrospector : OpaqueTokenIntrospector {
private val delegate: OpaqueTokenIntrospector = NimbusOpaqueTokenIntrospector("https://idp.example.org/introspect", "client", "secret")
private val jwtDecoder: JwtDecoder = NimbusJwtDecoder(ParseOnlyJWTProcessor())
override fun introspect(token: String): OAuth2AuthenticatedPrincipal {
val principal = delegate.introspect(token)
return try {
val jwt: Jwt = jwtDecoder.decode(token)
DefaultOAuth2AuthenticatedPrincipal(jwt.claims, NO_AUTHORITIES)
} catch (ex: JwtException) {
throw OAuth2IntrospectionException(ex.message)
}
}
private class ParseOnlyJWTProcessor : DefaultJWTProcessor() {
override fun process(jwt: SignedJWT, context: SecurityContext): JWTClaimsSet {
return jwt.jwtClaimsSet
}
}
}
```
在此之后,可以简单地将此自定义内省检测器配置为`@Bean`:
Java
```
@Bean
public OpaqueTokenIntrospector introspector() {
return new JwtOpaqueTokenIntrospector();
}
```
Kotlin
```
@Bean
fun introspector(): OpaqueTokenIntrospector {
return JwtOpaqueTokenIntrospector()
}
```
## 调用`/userinfo`端点
一般来说,资源服务器并不关心底层用户,而是关心已被授予的权限。
话虽如此,有时将授权声明与用户绑定在一起可能是有价值的。
如果一个应用程序也在使用`spring-security-oauth2-client`,并且已经设置了适当的`ClientRegistrationRepository`,那么使用自定义[`OpaqueTokenIntrospector`](#OAuth2Resourceserver-opae-Architecture-Introspector)就非常简单了。下面的实现做了三件事:
* 委托给内省端点,以确认令牌的有效性
* 查找与`/userinfo`端点关联的适当的客户端注册
* 调用并返回来自`/userinfo`端点的响应
Java
```
public class UserInfoOpaqueTokenIntrospector implements OpaqueTokenIntrospector {
private final OpaqueTokenIntrospector delegate =
new NimbusOpaqueTokenIntrospector("https://idp.example.org/introspect", "client", "secret");
private final OAuth2UserService oauth2UserService = new DefaultOAuth2UserService();
private final ClientRegistrationRepository repository;
// ... constructor
@Override
public OAuth2AuthenticatedPrincipal introspect(String token) {
OAuth2AuthenticatedPrincipal authorized = this.delegate.introspect(token);
Instant issuedAt = authorized.getAttribute(ISSUED_AT);
Instant expiresAt = authorized.getAttribute(EXPIRES_AT);
ClientRegistration clientRegistration = this.repository.findByRegistrationId("registration-id");
OAuth2AccessToken token = new OAuth2AccessToken(BEARER, token, issuedAt, expiresAt);
OAuth2UserRequest oauth2UserRequest = new OAuth2UserRequest(clientRegistration, token);
return this.oauth2UserService.loadUser(oauth2UserRequest);
}
}
```
Kotlin
```
class UserInfoOpaqueTokenIntrospector : OpaqueTokenIntrospector {
private val delegate: OpaqueTokenIntrospector = NimbusOpaqueTokenIntrospector("https://idp.example.org/introspect", "client", "secret")
private val oauth2UserService = DefaultOAuth2UserService()
private val repository: ClientRegistrationRepository? = null
// ... constructor
override fun introspect(token: String): OAuth2AuthenticatedPrincipal {
val authorized = delegate.introspect(token)
val issuedAt: Instant? = authorized.getAttribute(ISSUED_AT)
val expiresAt: Instant? = authorized.getAttribute(EXPIRES_AT)
val clientRegistration: ClientRegistration = repository!!.findByRegistrationId("registration-id")
val accessToken = OAuth2AccessToken(BEARER, token, issuedAt, expiresAt)
val oauth2UserRequest = OAuth2UserRequest(clientRegistration, accessToken)
return oauth2UserService.loadUser(oauth2UserRequest)
}
}
```
如果你AREN不使用`spring-security-oauth2-client`,它仍然很简单。你只需要用你自己的`WebClient`实例调用`/userinfo`:
Java
```
public class UserInfoOpaqueTokenIntrospector implements OpaqueTokenIntrospector {
private final OpaqueTokenIntrospector delegate =
new NimbusOpaqueTokenIntrospector("https://idp.example.org/introspect", "client", "secret");
private final WebClient rest = WebClient.create();
@Override
public OAuth2AuthenticatedPrincipal introspect(String token) {
OAuth2AuthenticatedPrincipal authorized = this.delegate.introspect(token);
return makeUserInfoRequest(authorized);
}
}
```
Kotlin
```
class UserInfoOpaqueTokenIntrospector : OpaqueTokenIntrospector {
private val delegate: OpaqueTokenIntrospector = NimbusOpaqueTokenIntrospector("https://idp.example.org/introspect", "client", "secret")
private val rest: WebClient = WebClient.create()
override fun introspect(token: String): OAuth2AuthenticatedPrincipal {
val authorized = delegate.introspect(token)
return makeUserInfoRequest(authorized)
}
}
```
无论哪种方式,在创建了你的[`OpaqueTokenIntrospector`](#OAuth2Resourceserver-opaque-architecture-introspector)之后,你应该将其发布为`@Bean`以覆盖缺省值:
Java
```
@Bean
OpaqueTokenIntrospector introspector() {
return new UserInfoOpaqueTokenIntrospector(...);
}
```
Kotlin
```
@Bean
fun introspector(): OpaqueTokenIntrospector {
return UserInfoOpaqueTokenIntrospector(...)
}
```
[JWT](jwt.html)[多租约](multitenancy.html)