
Spring Security OAuth2 Configuration Notes

source link: https://blog.51cto.com/xichenguan/5801136

  1. security.oauth2.resource.jwt.key-uri / security.oauth2.resource.jwt.key-value and security.oauth2.resource.jwk.key-set-uri are mutually exclusive: only one of them may be configured.
    The former configures a single key, the latter a whole key set.
  2. client_id and client_secret under security.oauth2.client carry several meanings: they are used by the Authorization Server, the Resource Server and the SSO configuration.
  3. With @EnableAuthorizationServer plus security.oauth2.client.client-id and security.oauth2.client.client-secret, Spring Security automatically registers a client account whose id and secret are the values of security.oauth2.client.client-id and security.oauth2.client.client-secret.
  4. From OAuth2AutoConfiguration one can see that security.oauth2.resource.clientId and security.oauth2.resource.clientSecret in ResourceServerProperties take their values from security.oauth2.client.clientId and security.oauth2.client.clientSecret; so security.oauth2.resource.clientId and security.oauth2.resource.clientSecret need not be configured, only security.oauth2.client.clientId and security.oauth2.client.clientSecret.
  5. SSO configuration is similar: SSO uses three settings, clientId, userInfoUri and tokenType, all of which come from ResourceServerProperties, i.e. from OAuth2ProtectedResourceDetails.
  6. user-info-uri and token-info-uri:
    security.oauth2.resource.user-info-uri: the URL of the userinfo endpoint
    security.oauth2.resource.token-info-uri: the URL of the check-token endpoint
    security.oauth2.resource.prefer-token-info=true: when both are configured, which one is preferred
  7. security.oauth2.resource.filter-order: the order of the Resource Server's filters
  8. security.oauth2.resource.token-type: what to put in the token-type position when requesting a resource
  9. @EnableOAuth2Client creates OAuth2ClientContext and OAuth2ProtectedResourceDetails; the end goal is to create OAuth2RestOperations (OAuth2RestTemplate).
  10. OAuth2ProtectedResourceDetails is bound to the security.oauth2.client.* settings. In other words, wherever the OAuth2ProtectedResourceDetails bean is used, security.oauth2.client.* must be configured, which means wherever the OAuth2RestTemplate bean is needed, security.oauth2.client.* must be configured.
    security.oauth2.client.* is used to create OAuth2ProtectedResourceDetails, and OAuth2ProtectedResourceDetails is used to create OAuth2RestOperations (OAuth2RestTemplate); Feign also obtains its client information from the OAuth2ProtectedResourceDetails bean, and the relay support in Zuul and the Resource Server also uses the OAuth2RestTemplate bean.
  11. How does the client learn about the Authorization Server?
    security.oauth2.client.clientId
    security.oauth2.client.clientSecret
    security.oauth2.client.accessTokenUri
    security.oauth2.client.userAuthorizationUri
    security.oauth2.client.clientAuthenticationScheme: header or form
    security.oauth2.client.scope: restricts the permissions of the token obtained
  12. Ribbon relay: security.oauth2.resource.load-balanced; uses OAuth2RestOperations (OAuth2RestTemplate)
  13. Feign relay: uses feign.RequestTemplate; the information comes from OAuth2ProtectedResourceDetails
  14. Zuul: uses the OAuth2RestOperations bean from the IoC container
  15. Everything that needs relay must configure security.oauth2.client.*: Resource Server, Feign, Zuul, Ribbon
  16. UserInfoRestTemplateCustomizer, UserInfoRestTemplateFactory, DefaultUserInfoRestTemplateFactory
  17. To configure Zuul client-side load balancing, the following configuration works:

    proxy:
      auth:
        load-balanced: true

  18. How to configure OAuth2RestTemplate?
    A Resource Server uses this:

    @Bean
    public OAuth2RestTemplate restTemplate(UserInfoRestTemplateFactory factory) {
        return factory.getUserInfoRestTemplate();
    }

    If the application is only marked as an OAuth2 client or OAuth2 SSO application, use this:

    @Bean
    public OAuth2RestTemplate oauth2RestTemplate(OAuth2ClientContext oauth2ClientContext,
                                                 OAuth2ProtectedResourceDetails details) {
        return new OAuth2RestTemplate(details, oauth2ClientContext);
    }
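As an added example (not from the original post), here is one application.yml that brings the properties from notes 1, 6, 11, 12 and 17 together for a Spring Boot 1.5 / spring-security-oauth2 service that is both a Resource Server and an OAuth2 client relaying tokens through Zuul and Ribbon. All hostnames, the client id, the scope and the filter-order value are placeholders; the secret is read from an environment variable rather than written into the file.

```yaml
# Constructed example configuration; hostnames and client values are placeholders.
security:
  oauth2:
    client:
      # Bound into OAuth2ProtectedResourceDetails (note 10). The same id/secret are
      # copied into ResourceServerProperties, so security.oauth2.resource.client-id
      # and client-secret are deliberately NOT set here (note 4).
      client-id: example-client                # placeholder
      client-secret: ${OAUTH2_CLIENT_SECRET}   # injected from the environment, not stored in the file
      access-token-uri: https://auth.example.internal/oauth/token
      user-authorization-uri: https://auth.example.internal/oauth/authorize
      client-authentication-scheme: header     # alternative: form (note 11)
      scope: read                              # placeholder; limits what the obtained token may do
    resource:
      # Note 1: exactly one of jwt.key-uri / jwt.key-value / jwk.key-set-uri.
      # Here the JWK set (many keys) is used; the single-key variant is left commented out.
      jwk:
        key-set-uri: https://auth.example.internal/.well-known/jwks.json   # placeholder path
      # jwt:
      #   key-uri: https://auth.example.internal/oauth/token_key            # single key; not together with jwk
      # Note 6: remote checks instead of local key verification. If both are set,
      # prefer-token-info decides which one is used.
      # user-info-uri: https://auth.example.internal/userinfo
      # token-info-uri: https://auth.example.internal/oauth/check_token
      # prefer-token-info: true
      token-type: Bearer        # note 8: value sent in the token-type position on outgoing requests
      filter-order: 3           # note 7: placeholder value for the Resource Server filter order
      load-balanced: true       # note 12: Ribbon relay through OAuth2RestTemplate

# Note 17: Zuul client-side load balancing for the token relay
proxy:
  auth:
    load-balanced: true
```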
