Spring Oauth2隐含流量
致力于使用Spring实现Oauth2。 我想实现隐式工作流程:
我的配置文件:
@Configuration @EnableAutoConfiguration @RestController public class App { @Autowired private DataSource dataSource; public static void main(String[] args) { SpringApplication.run(App.class, args); } @RequestMapping("/") public String home() { return "Hello World"; } @Configuration @EnableResourceServer protected static class ResourceServer extends ResourceServerConfigurerAdapter { @Autowired private TokenStore tokenStore; @Override public void configure(ResourceServerSecurityConfigurer resources) throws Exception { resources.tokenStore(tokenStore); } @Override public void configure(HttpSecurity http) throws Exception { // @formatter:off http.authorizeRequests().antMatchers("/oauth/token").authenticated() .and() .authorizeRequests().anyRequest().permitAll() .and() .formLogin().loginPage("/login").permitAll() .and() .csrf().disable(); } } @Configuration @EnableAuthorizationServer protected static class OAuth2Config extends AuthorizationServerConfigurerAdapter { @Autowired private AuthenticationManager auth; private BCryptPasswordEncoder passwordEncoder = new BCryptPasswordEncoder(); @Bean public JdbcTokenStore tokenStore() { return new JdbcTokenStore(DBConnector.dataSource); } @Bean protected AuthorizationCodeServices authorizationCodeServices() { return new JdbcAuthorizationCodeServices(DBConnector.dataSource); } @Override public void configure(AuthorizationServerSecurityConfigurer security) throws Exception { security.passwordEncoder(passwordEncoder); } @Override public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception { endpoints.authorizationCodeServices(authorizationCodeServices()) .authenticationManager(auth).tokenStore(tokenStore()) .approvalStoreDisabled(); } @Override public void configure(ClientDetailsServiceConfigurer clients) throws Exception { // @formatter:off clients.jdbc(DBConnector.dataSource) .passwordEncoder(passwordEncoder) .withClient("my-trusted-client") .secret("test") .authorizedGrantTypes("password", "authorization_code", "refresh_token", "implicit") .authorities("ROLE_CLIENT", "ROLE_TRUSTED_CLIENT") .scopes("read", "write", "trust") .resourceIds("oauth2-resource") .accessTokenValiditySeconds(0); // @formatter:on } } @Autowired public void init(AuthenticationManagerBuilder auth) throws Exception { // @formatter:off auth.jdbcAuthentication().dataSource(DBConnector.dataSource).withUser("dave") .password("secret").roles("USER"); // @formatter:on } } 到目前为止这是有效的。 还在数据库中生成用户。
问题如下。 当我尝试做以下请求时:
HTTP://本地主机:8080 /的OAuth /令牌grant_type = authorization_code&CLIENT_ID =我的信任,客户端和用户名= Dave和密码=秘密
我总是得到一个弹出窗口(身份validation),要求我输入用户名和密码。 但是我进入那里并不重要,我从未经过。 那有什么不对?
我想拥有它,当我打电话给这个url时,我得到了我的access_token。
在隐式流的情况下,将通过授权URL而不是令牌url生成所有令牌。 所以你应该用隐式响应类型命中../oauth/authorize端点。 即
../oauth/authorize?response_type=implicit&client_id=trusted_client&redirect_uri=.
您正在获取用户名密码弹出,因为令牌端点已经通过spring的BasicAuthenticationFilter受到保护,并且它希望您将client_id作为用户名传递,client_secret作为密码传递。 您需要保护授权端点,而不是令牌端点,因此请执行端点安全配置…
@Override public void configure(HttpSecurity http) throws Exception { // @formatter:off http.authorizeRequests().antMatchers("/oauth/authorize").authenticated() .and() .authorizeRequests().anyRequest().permitAll() .and() .formLogin().loginPage("/login").permitAll() .and() .csrf().disable(); }