28.3 OAuth2

OAuth2是一个Spring支持的被广泛使用的授权框架.

Client

如果在你的类路径下存在spring-security-oauth2-client,得益于自动配置技术,建立一个OAuth2客户机将变得非常容易.这个配置利用OAuth2ClientProperties下的属性.

您可以注册多个OAuth2客户端且由spring.security.oauth2.client前缀进行区分,如下例所示:

  1. spring.security.oauth2.client.registration.my-client-1.client-id=abcd
  2. spring.security.oauth2.client.registration.my-client-1.client-secret=password
  3. spring.security.oauth2.client.registration.my-client-1.client-name=Client for user scope
  4. spring.security.oauth2.client.registration.my-client-1.provider=my-oauth-provider
  5. spring.security.oauth2.client.registration.my-client-1.scope=user
  6. spring.security.oauth2.client.registration.my-client-1.redirect-uri-template=http://my-redirect-uri.com
  7. spring.security.oauth2.client.registration.my-client-1.client-authentication-method=basic
  8. spring.security.oauth2.client.registration.my-client-1.authorization-grant-type=authorization_code
  10. spring.security.oauth2.client.registration.my-client-2.client-id=abcd
  11. spring.security.oauth2.client.registration.my-client-2.client-secret=password
  12. spring.security.oauth2.client.registration.my-client-2.client-name=Client for email scope
  13. spring.security.oauth2.client.registration.my-client-2.provider=my-oauth-provider
  14. spring.security.oauth2.client.registration.my-client-2.scope=email
  15. spring.security.oauth2.client.registration.my-client-2.redirect-uri-template=http://my-redirect-uri.com
  16. spring.security.oauth2.client.registration.my-client-2.client-authentication-method=basic
  17. spring.security.oauth2.client.registration.my-client-2.authorization-grant-type=authorization_code
  19. spring.security.oauth2.client.provider.my-oauth-provider.authorization-uri=http://my-auth-server/oauth/authorize
  20. spring.security.oauth2.client.provider.my-oauth-provider.token-uri=http://my-auth-server/oauth/token
  21. spring.security.oauth2.client.provider.my-oauth-provider.user-info-uri=http://my-auth-server/userinfo
  22. spring.security.oauth2.client.provider.my-oauth-provider.jwk-set-uri=http://my-auth-server/token_keys
  23. spring.security.oauth2.client.provider.my-oauth-provider.user-name-attribute=name

默认情况下,Spring Security OAuth2的LoginAuthenticationFilter过滤器只处理适配/login/oauth2/code/*的URLs.如果你想定制redirect-uri-template使用不同的模式,您需要提供定制模式的配置来处理. 例如,您可以添加您自己的WebSecurityConfigurerAdapter,类似于以下几点:

  1. public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
  3.     @Override
  4.     protected void configure(HttpSecurity http) throws Exception {
  6.         http.authorizeRequests().anyRequest().authenticated().and()
  7.             .oauth2Login()
  8.             .redirectionEndpoint()
  9.             .baseUri("/custom-callback");
  10.     }
  11. }

常见OAuth2和OpenID提供者,包括Google,Github,Facebook和Okta,我们提供一组提供者默认配置(分别为Google,Github,FacebookOkta).

如果你不需要定制这些提供者,你可以设定provider属性为你需要的默认配置.如果你的客户的ID匹配默认支持提供者,Spring Boot将为你推断.

换句话说,下面的两个配置示例使用Google提供者:

  1. spring.security.oauth2.client.registration.my-client.client-id=abcd
  2. spring.security.oauth2.client.registration.my-client.client-secret=password
  3. spring.security.oauth2.client.registration.my-client.provider=google
  5. spring.security.oauth2.client.registration.google.client-id=abcd
  6. spring.security.oauth2.client.registration.google.client-secret=password

Server

目前,Spring Security对实现OAuth 2.0授权服务器或资源服务器不提供支持.然而,这个功能可以从Spring Security OAuth项目中获取,这将最终被Spring Security完全取代. 在那之前,你可以使用spring-security-oauth2-autoconfigure模块很容易建立一个OAuth 2.0服务器;具体请查看文档说明.