Fork自 开发云 / Spring 中文文档社区
前往新版Gitcode,体验更适合开发者的 AI 搜索 >>
(window.webpackJsonp=window.webpackJsonp||[]).push([[557],{988:function(e,t,n){"use strict";n.r(t);var a=n(56),r=Object(a.a)({},(function(){var e=this,t=e.$createElement,n=e._self._c||t;return n("ContentSlotsDistributor",{attrs:{"slot-key":e.$parent.slotKey}},[n("h1",{attrs:{id:"oauth2-0-资源服务器不透明令牌"}},[n("a",{staticClass:"header-anchor",attrs:{href:"#oauth2-0-资源服务器不透明令牌"}},[e._v("#")]),e._v(" OAuth2.0 资源服务器不透明令牌")]),e._v(" "),n("h2",{attrs:{id:"用于自省的最小依赖项"}},[n("a",{staticClass:"header-anchor",attrs:{href:"#用于自省的最小依赖项"}},[e._v("#")]),e._v(" 用于自省的最小依赖项")]),e._v(" "),n("p",[e._v("如"),n("RouterLink",{attrs:{to:"/servlet/oauth2/resource-server/jwt.html#oauth2resourceserver-jwt-minimaldependencies"}},[e._v("JWT 的最小依赖项")]),e._v("中所描述的,大多数资源服务器支持都是在"),n("code",[e._v("spring-security-oauth2-resource-server")]),e._v("中收集的。但是,除非提供自定义["),n("code",[e._v("ReactiveOpaqueTokenIntrospector")]),e._v("](#WebFlux-OAuth2Resourceserver-Opaque-Introspector- Bean),否则资源服务器将退回到 ReactiveOpaQuetokenIntrospector。这意味着"),n("code",[e._v("spring-security-oauth2-resource-server")]),e._v("和"),n("code",[e._v("oauth2-oidc-sdk")]),e._v("都是必需的,以便拥有支持不透明承载令牌的工作最小资源服务器。请参阅"),n("code",[e._v("spring-security-oauth2-resource-server")]),e._v("以确定"),n("code",[e._v("oauth2-oidc-sdk")]),e._v("的正确版本。")],1),e._v(" "),n("h2",{attrs:{id:"用于内省的最小配置"}},[n("a",{staticClass:"header-anchor",attrs:{href:"#用于内省的最小配置"}},[e._v("#")]),e._v(" 用于内省的最小配置")]),e._v(" "),n("p",[e._v("通常,可以通过由授权服务器托管的"),n("a",{attrs:{href:"https://tools.ietf.org/html/rfc7662",target:"_blank",rel:"noopener noreferrer"}},[e._v("OAuth2.0 内省终点"),n("OutboundLink")],1),e._v("来验证不透明令牌。当要求撤销时,这可能很方便。")]),e._v(" "),n("p",[e._v("当使用"),n("a",{attrs:{href:"https://spring.io/projects/spring-boot",target:"_blank",rel:"noopener noreferrer"}},[e._v("Spring Boot"),n("OutboundLink")],1),e._v("时,将应用程序配置为使用内省的资源服务器包括两个基本步骤。首先,包括所需的依赖关系,其次,指示内省端点细节。")]),e._v(" "),n("h3",{attrs:{id:"指定授权服务器"}},[n("a",{staticClass:"header-anchor",attrs:{href:"#指定授权服务器"}},[e._v("#")]),e._v(" 指定授权服务器")]),e._v(" "),n("p",[e._v("要指定内省端点的位置,只需执行以下操作:")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v("security:\n oauth2:\n resourceserver:\n opaque-token:\n introspection-uri: https://idp.example.com/introspect\n client-id: client\n client-secret: secret\n")])])]),n("p",[e._v("其中"),n("code",[e._v("[https://idp.example.com/introspect](https://idp.example.com/introspect)")]),e._v("是由授权服务器托管的内省端点,"),n("code",[e._v("client-id")]),e._v("和"),n("code",[e._v("client-secret")]),e._v("是达到该端点所需的凭据。")]),e._v(" "),n("p",[e._v("Resource Server 将使用这些属性进一步自我配置,并随后验证传入的 JWTS。")]),e._v(" "),n("table",[n("thead",[n("tr",[n("th"),e._v(" "),n("th",[e._v("在使用内省时,授权服务器的单词是 law。"),n("br"),e._v("如果授权服务器响应令牌是有效的,那么它是有效的。")])])]),e._v(" "),n("tbody")]),e._v(" "),n("p",[e._v("就这样!")]),e._v(" "),n("h3",{attrs:{id:"创业期望"}},[n("a",{staticClass:"header-anchor",attrs:{href:"#创业期望"}},[e._v("#")]),e._v(" 创业期望")]),e._v(" "),n("p",[e._v("当使用此属性和这些依赖项时,Resource Server 将自动配置自身以验证不透明承载令牌。")]),e._v(" "),n("p",[e._v("这个启动过程比 JWTS 简单得多,因为不需要发现端点,也不需要添加额外的验证规则。")]),e._v(" "),n("h3",{attrs:{id:"运行时期望"}},[n("a",{staticClass:"header-anchor",attrs:{href:"#运行时期望"}},[e._v("#")]),e._v(" 运行时期望")]),e._v(" "),n("p",[e._v("一旦启动应用程序,Resource Server 将尝试处理任何包含"),n("code",[e._v("Authorization: Bearer")]),e._v("报头的请求:")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v("GET / HTTP/1.1\nAuthorization: Bearer some-token-value # Resource Server will process this\n")])])]),n("p",[e._v("只要表明了该方案,资源服务器就会尝试根据承载令牌规范来处理请求。")]),e._v(" "),n("p",[e._v("给定一个不透明的令牌,资源服务器将")]),e._v(" "),n("ol",[n("li",[n("p",[e._v("使用提供的凭据和令牌查询提供的内省端点")])]),e._v(" "),n("li",[n("p",[e._v("检查"),n("code",[e._v("{ 'active' : true }")]),e._v("属性的响应")])]),e._v(" "),n("li",[n("p",[e._v("将每个作用域映射到一个前缀"),n("code",[e._v("SCOPE_")]),e._v("的权限")])])]),e._v(" "),n("p",[e._v("默认情况下,生成的"),n("code",[e._v("Authentication#getPrincipal")]),e._v("是 Spring security"),n("code",[e._v("[OAuth2AuthenticatedPrincipal](https://docs.spring.io/spring-security/site/docs/5.6.2/api/org/springframework/security/oauth2/core/OAuth2AuthenticatedPrincipal.html)")]),e._v("对象,并且"),n("code",[e._v("Authentication#getName")]),e._v("映射到令牌的"),n("code",[e._v("sub")]),e._v("属性(如果存在)。")]),e._v(" "),n("p",[e._v("从这里,你可能想跳转到:")]),e._v(" "),n("ul",[n("li",[n("p",[n("a",{attrs:{href:"#webflux-oauth2resourceserver-opaque-attributes"}},[e._v("身份验证后查找属性")])])]),e._v(" "),n("li",[n("p",[n("a",{attrs:{href:"#webflux-oauth2resourceserver-opaque-authorization-extraction"}},[e._v("手动提取权限")])])]),e._v(" "),n("li",[n("p",[n("a",{attrs:{href:"#webflux-oauth2resourceserver-opaque-jwt-introspector"}},[e._v("使用 JWTS 进行内省")])])])]),e._v(" "),n("h2",{attrs:{id:"身份验证后查找属性"}},[n("a",{staticClass:"header-anchor",attrs:{href:"#身份验证后查找属性"}},[e._v("#")]),e._v(" 身份验证后查找属性")]),e._v(" "),n("p",[e._v("一旦对令牌进行了身份验证,就会在"),n("code",[e._v("SecurityContext")]),e._v("中设置"),n("code",[e._v("BearerTokenAuthentication")]),e._v("的实例。")]),e._v(" "),n("p",[e._v("这意味着当在配置中使用"),n("code",[e._v("@EnableWebFlux")]),e._v("时,它可以在"),n("code",[e._v("@Controller")]),e._v("方法中使用:")]),e._v(" "),n("p",[e._v("Java")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v('@GetMapping("/foo")\npublic Mono<String> foo(BearerTokenAuthentication authentication) {\n return Mono.just(authentication.getTokenAttributes().get("sub") + " is the subject");\n}\n')])])]),n("p",[e._v("Kotlin")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v('@GetMapping("/foo")\nfun foo(authentication: BearerTokenAuthentication): Mono<String> {\n return Mono.just(authentication.tokenAttributes["sub"].toString() + " is the subject")\n}\n')])])]),n("p",[e._v("由于"),n("code",[e._v("BearerTokenAuthentication")]),e._v("持有"),n("code",[e._v("OAuth2AuthenticatedPrincipal")]),e._v(",这也意味着控制器方法也可以使用它:")]),e._v(" "),n("p",[e._v("Java")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v('@GetMapping("/foo")\npublic Mono<String> foo(@AuthenticationPrincipal OAuth2AuthenticatedPrincipal principal) {\n return Mono.just(principal.getAttribute("sub") + " is the subject");\n}\n')])])]),n("p",[e._v("Kotlin")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v('@GetMapping("/foo")\nfun foo(@AuthenticationPrincipal principal: OAuth2AuthenticatedPrincipal): Mono<String> {\n return Mono.just(principal.getAttribute<Any>("sub").toString() + " is the subject")\n}\n')])])]),n("h3",{attrs:{id:"通过-spel-查找属性"}},[n("a",{staticClass:"header-anchor",attrs:{href:"#通过-spel-查找属性"}},[e._v("#")]),e._v(" 通过 SPEL 查找属性")]),e._v(" "),n("p",[e._v("当然,这也意味着可以通过 SPEL 访问属性。")]),e._v(" "),n("p",[e._v("例如,如果使用"),n("code",[e._v("@EnableReactiveMethodSecurity")]),e._v("使你可以使用"),n("code",[e._v("@PreAuthorize")]),e._v("注释,则可以这样做:")]),e._v(" "),n("p",[e._v("Java")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v("@PreAuthorize(\"principal?.attributes['sub'] = 'foo'\")\npublic Mono<String> forFoosEyesOnly() {\n return Mono.just(\"foo\");\n}\n")])])]),n("p",[e._v("Kotlin")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v("@PreAuthorize(\"principal.attributes['sub'] = 'foo'\")\nfun forFoosEyesOnly(): Mono<String> {\n return Mono.just(\"foo\")\n}\n")])])]),n("h2",{attrs:{id:"覆盖或替换-boot-auto-配置"}},[n("a",{staticClass:"header-anchor",attrs:{href:"#覆盖或替换-boot-auto-配置"}},[e._v("#")]),e._v(" 覆盖或替换 Boot Auto 配置")]),e._v(" "),n("p",[e._v("有两个"),n("code",[e._v("@Bean")]),e._v("s, Spring boot 代表资源服务器生成。")]),e._v(" "),n("p",[e._v("第一个是将应用程序配置为资源服务器的"),n("code",[e._v("SecurityWebFilterChain")]),e._v("。当使用不透明令牌时,这个"),n("code",[e._v("SecurityWebFilterChain")]),e._v("看起来像:")]),e._v(" "),n("p",[e._v("Java")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v("@Bean\nSecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {\n\thttp\n\t\t.authorizeExchange(exchanges -> exchanges\n\t\t\t.anyExchange().authenticated()\n\t\t)\n\t\t.oauth2ResourceServer(ServerHttpSecurity.OAuth2ResourceServerSpec::opaqueToken)\n\treturn http.build();\n}\n")])])]),n("p",[e._v("Kotlin")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v("@Bean\nfun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {\n return http {\n authorizeExchange {\n authorize(anyExchange, authenticated)\n }\n oauth2ResourceServer {\n opaqueToken { }\n }\n }\n}\n")])])]),n("p",[e._v("如果应用程序不公开"),n("code",[e._v("SecurityWebFilterChain")]),e._v(" Bean,那么 Spring 引导将公开上面的默认引导。")]),e._v(" "),n("p",[e._v("替换它就像在应用程序中公开 Bean 一样简单:")]),e._v(" "),n("p",[e._v("例 1。替换 SecurityWebFilterchain")]),e._v(" "),n("p",[e._v("Java")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v('@EnableWebFluxSecurity\npublic class MyCustomSecurityConfiguration {\n @Bean\n SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {\n http\n .authorizeExchange(exchanges -> exchanges\n .pathMatchers("/messages/**").hasAuthority("SCOPE_message:read")\n .anyExchange().authenticated()\n )\n .oauth2ResourceServer(oauth2 -> oauth2\n .opaqueToken(opaqueToken -> opaqueToken\n .introspector(myIntrospector())\n )\n );\n return http.build();\n }\n}\n')])])]),n("p",[e._v("Kotlin")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v('@Bean\nfun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {\n return http {\n authorizeExchange {\n authorize("/messages/**", hasAuthority("SCOPE_message:read"))\n authorize(anyExchange, authenticated)\n }\n oauth2ResourceServer {\n opaqueToken {\n introspector = myIntrospector()\n }\n }\n }\n}\n')])])]),n("p",[e._v("对于任何以"),n("code",[e._v("/messages/")]),e._v("开头的 URL,上述条件要求"),n("code",[e._v("message:read")]),e._v("的范围。")]),e._v(" "),n("p",[n("code",[e._v("oauth2ResourceServer")]),e._v("DSL 上的方法也将覆盖或替换自动配置。")]),e._v(" "),n("p",[e._v("例如,第二个"),n("code",[e._v("@Bean")]),e._v(" Spring 启动创建了一个"),n("code",[e._v("ReactiveOpaqueTokenIntrospector")]),e._v(",它将"),n("code",[e._v("String")]),e._v("令牌解码为"),n("code",[e._v("OAuth2AuthenticatedPrincipal")]),e._v("的验证实例:")]),e._v(" "),n("p",[e._v("Java")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v("@Bean\npublic ReactiveOpaqueTokenIntrospector introspector() {\n return new NimbusReactiveOpaqueTokenIntrospector(introspectionUri, clientId, clientSecret);\n}\n")])])]),n("p",[e._v("Kotlin")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v("@Bean\nfun introspector(): ReactiveOpaqueTokenIntrospector {\n return NimbusReactiveOpaqueTokenIntrospector(introspectionUri, clientId, clientSecret)\n}\n")])])]),n("p",[e._v("如果应用程序不公开"),n("code",[e._v("ReactiveOpaqueTokenIntrospector")]),e._v(" Bean,那么 Spring 引导将公开上面的默认引导。")]),e._v(" "),n("p",[e._v("并且它的配置可以使用"),n("code",[e._v("introspectionUri()")]),e._v("和"),n("code",[e._v("introspectionClientCredentials()")]),e._v("进行重写,或者使用"),n("code",[e._v("introspector()")]),e._v("进行替换。")]),e._v(" "),n("h3",{attrs:{id:"使用inrospectionuri"}},[n("a",{staticClass:"header-anchor",attrs:{href:"#使用inrospectionuri"}},[e._v("#")]),e._v(" 使用"),n("code",[e._v("inrospectionUri()")])]),e._v(" "),n("p",[e._v("可以配置授权服务器的内省 URI"),n("a",{attrs:{href:"#webflux-oauth2resourceserver-opaque-introspectionuri"}},[e._v("作为配置属性")]),e._v(",也可以在 DSL 中提供它:")]),e._v(" "),n("p",[e._v("Java")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v('@EnableWebFluxSecurity\npublic class DirectlyConfiguredIntrospectionUri {\n @Bean\n SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {\n http\n .authorizeExchange(exchanges -> exchanges\n .anyExchange().authenticated()\n )\n .oauth2ResourceServer(oauth2 -> oauth2\n .opaqueToken(opaqueToken -> opaqueToken\n .introspectionUri("https://idp.example.com/introspect")\n .introspectionClientCredentials("client", "secret")\n )\n );\n return http.build();\n }\n}\n')])])]),n("p",[e._v("Kotlin")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v('@Bean\nfun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {\n return http {\n authorizeExchange {\n authorize(anyExchange, authenticated)\n }\n oauth2ResourceServer {\n opaqueToken {\n introspectionUri = "https://idp.example.com/introspect"\n introspectionClientCredentials("client", "secret")\n }\n }\n }\n}\n')])])]),n("h3",{attrs:{id:"使用introspectionuri-优先于任何配置属性。"}},[n("a",{staticClass:"header-anchor",attrs:{href:"#使用introspectionuri-优先于任何配置属性。"}},[e._v("#")]),e._v(" 使用"),n("code",[e._v("introspectionUri()")]),e._v("优先于任何配置属性。")]),e._v(" "),n("p",[e._v("比"),n("code",[e._v("introspectionUri()")]),e._v("更强大的是"),n("code",[e._v("introspector()")]),e._v(",它将完全取代"),n("code",[e._v("ReactiveOpaqueTokenIntrospector")]),e._v("的任何引导自动配置:")]),e._v(" "),n("p",[e._v("Java")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v("@EnableWebFluxSecurity\npublic class DirectlyConfiguredIntrospector {\n @Bean\n SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {\n http\n .authorizeExchange(exchanges -> exchanges\n .anyExchange().authenticated()\n )\n .oauth2ResourceServer(oauth2 -> oauth2\n .opaqueToken(opaqueToken -> opaqueToken\n .introspector(myCustomIntrospector())\n )\n );\n return http.build();\n }\n}\n")])])]),n("p",[e._v("Kotlin")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v("@Bean\nfun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {\n return http {\n authorizeExchange {\n authorize(anyExchange, authenticated)\n }\n oauth2ResourceServer {\n opaqueToken {\n introspector = myCustomIntrospector()\n }\n }\n }\n}\n")])])]),n("p",[e._v("当需要更深的配置时,比如"),n("a",{attrs:{href:"#webflux-oauth2resourceserver-opaque-authorization-extraction"}},[e._v("权限映射")]),e._v("或"),n("a",{attrs:{href:"#webflux-oauth2resourceserver-opaque-jwt-introspector"}},[e._v("JWT 撤销")]),e._v(",这是很方便的。")]),e._v(" "),n("h3",{attrs:{id:"曝光reactiveopaquetokenintrospector-bean"}},[n("a",{staticClass:"header-anchor",attrs:{href:"#曝光reactiveopaquetokenintrospector-bean"}},[e._v("#")]),e._v(" 曝光"),n("code",[e._v("ReactiveOpaqueTokenIntrospector``@Bean")])]),e._v(" "),n("p",[e._v("或者,暴露"),n("code",[e._v("ReactiveOpaqueTokenIntrospector``@Bean")]),e._v("具有与"),n("code",[e._v("introspector()")]),e._v("相同的效果:")]),e._v(" "),n("p",[e._v("Java")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v("@Bean\npublic ReactiveOpaqueTokenIntrospector introspector() {\n return new NimbusReactiveOpaqueTokenIntrospector(introspectionUri, clientId, clientSecret);\n}\n")])])]),n("p",[e._v("Kotlin")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v("@Bean\nfun introspector(): ReactiveOpaqueTokenIntrospector {\n return NimbusReactiveOpaqueTokenIntrospector(introspectionUri, clientId, clientSecret)\n}\n")])])]),n("h2",{attrs:{id:"配置授权"}},[n("a",{staticClass:"header-anchor",attrs:{href:"#配置授权"}},[e._v("#")]),e._v(" 配置授权")]),e._v(" "),n("p",[e._v("OAuth2.0 内省端点通常会返回一个"),n("code",[e._v("scope")]),e._v("属性,指示它被授予的作用域(或权限),例如:")]),e._v(" "),n("p",[n("code",[e._v('{ …, "scope" : "messages contacts"}')])]),e._v(" "),n("p",[e._v("在这种情况下,Resource Server 将尝试强制将这些作用域放入一个已授予权限的列表中,并在每个作用域前加上字符串“scope_”。")]),e._v(" "),n("p",[e._v("这意味着,要保护具有由不透明令牌派生的作用域的端点或方法,相应的表达式应该包括以下前缀:")]),e._v(" "),n("p",[e._v("Java")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v('@EnableWebFluxSecurity\npublic class MappedAuthorities {\n @Bean\n SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {\n http\n .authorizeExchange(exchange -> exchange\n .pathMatchers("/contacts/**").hasAuthority("SCOPE_contacts")\n .pathMatchers("/messages/**").hasAuthority("SCOPE_messages")\n .anyExchange().authenticated()\n )\n .oauth2ResourceServer(ServerHttpSecurity.OAuth2ResourceServerSpec::opaqueToken);\n return http.build();\n }\n}\n')])])]),n("p",[e._v("Kotlin")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v('@Bean\nfun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {\n return http {\n authorizeExchange {\n authorize("/contacts/**", hasAuthority("SCOPE_contacts"))\n authorize("/messages/**", hasAuthority("SCOPE_messages"))\n authorize(anyExchange, authenticated)\n }\n oauth2ResourceServer {\n opaqueToken { }\n }\n }\n}\n')])])]),n("p",[e._v("或类似于方法安全性:")]),e._v(" "),n("p",[e._v("Java")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v("@PreAuthorize(\"hasAuthority('SCOPE_messages')\")\npublic Flux<Message> getMessages(...) {}\n")])])]),n("p",[e._v("Kotlin")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v("@PreAuthorize(\"hasAuthority('SCOPE_messages')\")\nfun getMessages(): Flux<Message> { }\n")])])]),n("h3",{attrs:{id:"手动提取权限"}},[n("a",{staticClass:"header-anchor",attrs:{href:"#手动提取权限"}},[e._v("#")]),e._v(" 手动提取权限")]),e._v(" "),n("p",[e._v("默认情况下,不透明令牌支持将从内省响应中提取范围声明,并将其解析为单个"),n("code",[e._v("GrantedAuthority")]),e._v("实例。")]),e._v(" "),n("p",[e._v("例如,如果内省反应是:")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v('{\n "active" : true,\n "scope" : "message:read message:write"\n}\n')])])]),n("p",[e._v("然后,资源服务器将生成一个带有两个权限的"),n("code",[e._v("Authentication")]),e._v(",一个用于"),n("code",[e._v("message:read")]),e._v(",另一个用于"),n("code",[e._v("message:write")]),e._v("。")]),e._v(" "),n("p",[e._v("当然,这可以使用自定义"),n("code",[e._v("ReactiveOpaqueTokenIntrospector")]),e._v("进行定制,该自定义"),n("code",[e._v("ReactiveOpaqueTokenIntrospector")]),e._v("查看属性集并以其自己的方式进行转换:")]),e._v(" "),n("p",[e._v("Java")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v('public class CustomAuthoritiesOpaqueTokenIntrospector implements ReactiveOpaqueTokenIntrospector {\n private ReactiveOpaqueTokenIntrospector delegate =\n new NimbusReactiveOpaqueTokenIntrospector("https://idp.example.org/introspect", "client", "secret");\n\n public Mono<OAuth2AuthenticatedPrincipal> introspect(String token) {\n return this.delegate.introspect(token)\n .map(principal -> new DefaultOAuth2AuthenticatedPrincipal(\n principal.getName(), principal.getAttributes(), extractAuthorities(principal)));\n }\n\n private Collection<GrantedAuthority> extractAuthorities(OAuth2AuthenticatedPrincipal principal) {\n List<String> scopes = principal.getAttribute(OAuth2IntrospectionClaimNames.SCOPE);\n return scopes.stream()\n .map(SimpleGrantedAuthority::new)\n .collect(Collectors.toList());\n }\n}\n')])])]),n("p",[e._v("Kotlin")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v('class CustomAuthoritiesOpaqueTokenIntrospector : ReactiveOpaqueTokenIntrospector {\n private val delegate: ReactiveOpaqueTokenIntrospector = NimbusReactiveOpaqueTokenIntrospector("https://idp.example.org/introspect", "client", "secret")\n override fun introspect(token: String): Mono<OAuth2AuthenticatedPrincipal> {\n return delegate.introspect(token)\n .map { principal: OAuth2AuthenticatedPrincipal ->\n DefaultOAuth2AuthenticatedPrincipal(\n principal.name, principal.attributes, extractAuthorities(principal))\n }\n }\n\n private fun extractAuthorities(principal: OAuth2AuthenticatedPrincipal): Collection<GrantedAuthority> {\n val scopes = principal.getAttribute<List<String>>(OAuth2IntrospectionClaimNames.SCOPE)\n return scopes\n .map { SimpleGrantedAuthority(it) }\n }\n}\n')])])]),n("p",[e._v("在此之后,可以简单地将此自定义内省检测器配置为"),n("code",[e._v("@Bean")]),e._v(":")]),e._v(" "),n("p",[e._v("Java")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v("@Bean\npublic ReactiveOpaqueTokenIntrospector introspector() {\n return new CustomAuthoritiesOpaqueTokenIntrospector();\n}\n")])])]),n("p",[e._v("Kotlin")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v("@Bean\nfun introspector(): ReactiveOpaqueTokenIntrospector {\n return CustomAuthoritiesOpaqueTokenIntrospector()\n}\n")])])]),n("h2",{attrs:{id:"使用-jwts-进行内省"}},[n("a",{staticClass:"header-anchor",attrs:{href:"#使用-jwts-进行内省"}},[e._v("#")]),e._v(" 使用 JWTS 进行内省")]),e._v(" "),n("p",[e._v("一个常见的问题是,内省是否与 JWTS 兼容。 Spring Security 的不透明令牌支持被设计成不关心令牌的格式——它将很乐意将任何令牌传递给所提供的内省端点。")]),e._v(" "),n("p",[e._v("所以,假设你有一个要求,要求你在每个请求上与授权服务器进行检查,以防 JWT 被撤销。")]),e._v(" "),n("p",[e._v("尽管你使用的是 JWT 格式的令牌,但你的验证方法是内省,这意味着你希望这样做:")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v("spring:\n security:\n oauth2:\n resourceserver:\n opaque-token:\n introspection-uri: https://idp.example.org/introspection\n client-id: client\n client-secret: secret\n")])])]),n("p",[e._v("在这种情况下,得到的"),n("code",[e._v("Authentication")]),e._v("将是"),n("code",[e._v("BearerTokenAuthentication")]),e._v("。对应的"),n("code",[e._v("OAuth2AuthenticatedPrincipal")]),e._v("中的任何属性都将是内省端点返回的任何属性。")]),e._v(" "),n("p",[e._v("但是,让我们说,奇怪的是,内省端点只返回令牌是否处于活动状态。现在怎么办?")]),e._v(" "),n("p",[e._v("在这种情况下,你可以创建一个自定义的"),n("code",[e._v("ReactiveOpaqueTokenIntrospector")]),e._v(",它仍然会到达端点,但随后会更新返回的主体,使其具有 JWTS 声明的属性:")]),e._v(" "),n("p",[e._v("Java")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v('public class JwtOpaqueTokenIntrospector implements ReactiveOpaqueTokenIntrospector {\n\tprivate ReactiveOpaqueTokenIntrospector delegate =\n\t\t\tnew NimbusReactiveOpaqueTokenIntrospector("https://idp.example.org/introspect", "client", "secret");\n\tprivate ReactiveJwtDecoder jwtDecoder = new NimbusReactiveJwtDecoder(new ParseOnlyJWTProcessor());\n\n\tpublic Mono<OAuth2AuthenticatedPrincipal> introspect(String token) {\n\t\treturn this.delegate.introspect(token)\n\t\t\t\t.flatMap(principal -> this.jwtDecoder.decode(token))\n\t\t\t\t.map(jwt -> new DefaultOAuth2AuthenticatedPrincipal(jwt.getClaims(), NO_AUTHORITIES));\n\t}\n\n\tprivate static class ParseOnlyJWTProcessor implements Converter<JWT, Mono<JWTClaimsSet>> {\n\t\tpublic Mono<JWTClaimsSet> convert(JWT jwt) {\n\t\t\ttry {\n\t\t\t\treturn Mono.just(jwt.getJWTClaimsSet());\n\t\t\t} catch (Exception ex) {\n\t\t\t\treturn Mono.error(ex);\n\t\t\t}\n\t\t}\n\t}\n}\n')])])]),n("p",[e._v("Kotlin")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v('class JwtOpaqueTokenIntrospector : ReactiveOpaqueTokenIntrospector {\n private val delegate: ReactiveOpaqueTokenIntrospector = NimbusReactiveOpaqueTokenIntrospector("https://idp.example.org/introspect", "client", "secret")\n private val jwtDecoder: ReactiveJwtDecoder = NimbusReactiveJwtDecoder(ParseOnlyJWTProcessor())\n override fun introspect(token: String): Mono<OAuth2AuthenticatedPrincipal> {\n return delegate.introspect(token)\n .flatMap { jwtDecoder.decode(token) }\n .map { jwt: Jwt -> DefaultOAuth2AuthenticatedPrincipal(jwt.claims, NO_AUTHORITIES) }\n }\n\n private class ParseOnlyJWTProcessor : Converter<JWT, Mono<JWTClaimsSet>> {\n override fun convert(jwt: JWT): Mono<JWTClaimsSet> {\n return try {\n Mono.just(jwt.jwtClaimsSet)\n } catch (e: Exception) {\n Mono.error(e)\n }\n }\n }\n}\n')])])]),n("p",[e._v("在此之后,可以简单地将此自定义内省检测器配置为"),n("code",[e._v("@Bean")]),e._v(":")]),e._v(" "),n("p",[e._v("Java")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v("@Bean\npublic ReactiveOpaqueTokenIntrospector introspector() {\n return new JwtOpaqueTokenIntropsector();\n}\n")])])]),n("p",[e._v("Kotlin")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v("@Bean\nfun introspector(): ReactiveOpaqueTokenIntrospector {\n return JwtOpaqueTokenIntrospector()\n}\n")])])]),n("h2",{attrs:{id:"调用-userinfo端点"}},[n("a",{staticClass:"header-anchor",attrs:{href:"#调用-userinfo端点"}},[e._v("#")]),e._v(" 调用"),n("code",[e._v("/userinfo")]),e._v("端点")]),e._v(" "),n("p",[e._v("一般来说,资源服务器并不关心底层用户,而是关心已被授予的权限。")]),e._v(" "),n("p",[e._v("话虽如此,有时将授权声明与用户绑定在一起可能是有价值的。")]),e._v(" "),n("p",[e._v("如果一个应用程序也在使用"),n("code",[e._v("spring-security-oauth2-client")]),e._v(",已经设置了适当的"),n("code",[e._v("ClientRegistrationRepository")]),e._v(",那么使用自定义的"),n("code",[e._v("OpaqueTokenIntrospector")]),e._v("就很简单了。下面的实现做了三件事:")]),e._v(" "),n("ul",[n("li",[n("p",[e._v("委托给内省端点,以确认令牌的有效性")])]),e._v(" "),n("li",[n("p",[e._v("查找与"),n("code",[e._v("/userinfo")]),e._v("端点关联的适当客户端注册")])]),e._v(" "),n("li",[n("p",[e._v("调用并返回来自"),n("code",[e._v("/userinfo")]),e._v("端点的响应")])])]),e._v(" "),n("p",[e._v("Java")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v('public class UserInfoOpaqueTokenIntrospector implements ReactiveOpaqueTokenIntrospector {\n\tprivate final ReactiveOpaqueTokenIntrospector delegate =\n\t\t\tnew NimbusReactiveOpaqueTokenIntrospector("https://idp.example.org/introspect", "client", "secret");\n\tprivate final ReactiveOAuth2UserService<OAuth2UserRequest, OAuth2User> oauth2UserService =\n\t\t\tnew DefaultReactiveOAuth2UserService();\n\n\tprivate final ReactiveClientRegistrationRepository repository;\n\n\t// ... constructor\n\n\t@Override\n\tpublic Mono<OAuth2AuthenticatedPrincipal> introspect(String token) {\n\t\treturn Mono.zip(this.delegate.introspect(token), this.repository.findByRegistrationId("registration-id"))\n\t\t\t\t.map(t -> {\n\t\t\t\t\tOAuth2AuthenticatedPrincipal authorized = t.getT1();\n\t\t\t\t\tClientRegistration clientRegistration = t.getT2();\n\t\t\t\t\tInstant issuedAt = authorized.getAttribute(ISSUED_AT);\n\t\t\t\t\tInstant expiresAt = authorized.getAttribute(OAuth2IntrospectionClaimNames.EXPIRES_AT);\n\t\t\t\t\tOAuth2AccessToken accessToken = new OAuth2AccessToken(BEARER, token, issuedAt, expiresAt);\n\t\t\t\t\treturn new OAuth2UserRequest(clientRegistration, accessToken);\n\t\t\t\t})\n\t\t\t\t.flatMap(this.oauth2UserService::loadUser);\n\t}\n}\n')])])]),n("p",[e._v("Kotlin")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v('class UserInfoOpaqueTokenIntrospector : ReactiveOpaqueTokenIntrospector {\n private val delegate: ReactiveOpaqueTokenIntrospector = NimbusReactiveOpaqueTokenIntrospector("https://idp.example.org/introspect", "client", "secret")\n private val oauth2UserService: ReactiveOAuth2UserService<OAuth2UserRequest, OAuth2User> = DefaultReactiveOAuth2UserService()\n private val repository: ReactiveClientRegistrationRepository? = null\n\n // ... constructor\n override fun introspect(token: String?): Mono<OAuth2AuthenticatedPrincipal> {\n return Mono.zip<OAuth2AuthenticatedPrincipal, ClientRegistration>(delegate.introspect(token), repository!!.findByRegistrationId("registration-id"))\n .map<OAuth2UserRequest> { t: Tuple2<OAuth2AuthenticatedPrincipal, ClientRegistration> ->\n val authorized = t.t1\n val clientRegistration = t.t2\n val issuedAt: Instant? = authorized.getAttribute(ISSUED_AT)\n val expiresAt: Instant? = authorized.getAttribute(OAuth2IntrospectionClaimNames.EXPIRES_AT)\n val accessToken = OAuth2AccessToken(BEARER, token, issuedAt, expiresAt)\n OAuth2UserRequest(clientRegistration, accessToken)\n }\n .flatMap { userRequest: OAuth2UserRequest -> oauth2UserService.loadUser(userRequest) }\n }\n}\n')])])]),n("p",[e._v("如果你 AREN 不使用"),n("code",[e._v("spring-security-oauth2-client")]),e._v(",它仍然很简单。你只需要用你自己的"),n("code",[e._v("WebClient")]),e._v("实例调用"),n("code",[e._v("/userinfo")]),e._v(":")]),e._v(" "),n("p",[e._v("Java")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v('public class UserInfoOpaqueTokenIntrospector implements ReactiveOpaqueTokenIntrospector {\n private final ReactiveOpaqueTokenIntrospector delegate =\n new NimbusReactiveOpaqueTokenIntrospector("https://idp.example.org/introspect", "client", "secret");\n private final WebClient rest = WebClient.create();\n\n @Override\n public Mono<OAuth2AuthenticatedPrincipal> introspect(String token) {\n return this.delegate.introspect(token)\n\t\t .map(this::makeUserInfoRequest);\n }\n}\n')])])]),n("p",[e._v("Kotlin")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v('class UserInfoOpaqueTokenIntrospector : ReactiveOpaqueTokenIntrospector {\n private val delegate: ReactiveOpaqueTokenIntrospector = NimbusReactiveOpaqueTokenIntrospector("https://idp.example.org/introspect", "client", "secret")\n private val rest: WebClient = WebClient.create()\n\n override fun introspect(token: String): Mono<OAuth2AuthenticatedPrincipal> {\n return delegate.introspect(token)\n .map(this::makeUserInfoRequest)\n }\n}\n')])])]),n("p",[e._v("无论哪种方式,在创建了"),n("code",[e._v("ReactiveOpaqueTokenIntrospector")]),e._v("之后,你应该将其发布为"),n("code",[e._v("@Bean")]),e._v(",以覆盖默认值:")]),e._v(" "),n("p",[e._v("Java")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v("@Bean\nReactiveOpaqueTokenIntrospector introspector() {\n return new UserInfoOpaqueTokenIntrospector();\n}\n")])])]),n("p",[e._v("Kotlin")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v("@Bean\nfun introspector(): ReactiveOpaqueTokenIntrospector {\n return UserInfoOpaqueTokenIntrospector()\n}\n")])])]),n("p",[n("RouterLink",{attrs:{to:"/spring-security/jwt.html"}},[e._v("JWT")]),n("RouterLink",{attrs:{to:"/spring-security/multitenancy.html"}},[e._v("多租约")])],1)])}),[],!1,null,null,null);t.default=r.exports}}]);
