使用Hydra OAuth 2.0配置Spring Security

Question

我使用Spring Boot应用程序配置了Hydra实例.我刚刚使用注释将我的应用程序配置为资源服务器@EnableResourceServer.因此,当我在请求中使用Bearer授权头时,Spring使用我在属性中指定的值:

security.oauth2.resource.user-info-uri=...

验证令牌是否有效.不幸的是,我没有找到Hydra OAuth 2.0的这个URL(http://docs.hydra13.apiary.io//https://github.com/ory/hydra)

Answer 1

第一:在欧利水润配置您的资源服务器(你必须client_credentials和范围"hydra.introspect"为了能够让令牌的有效性将它添加到欧利九头蛇):

$> hydra clients create --skip-tls-verify \
    --id my-rest-api \
    --secret mypwd \
    --grant-types client_credentials \
    --response-types token \
    --allowed-scopes hydra.introspect

第二步:添加策略以让资源服务器请求令牌有效性.

$> hydra policies create --skip-tls-verify \
    --actions introspect \
    --description "Policy to introspect tokens from my api" \
    --allow \
    --id accesstoken_introsp-policy \
    --resources "rn:hydra:oauth2:tokens" \
    --subjects my-rest-api

第三步:在build.gradle中添加oauth2依赖项(如果是maven,则添加pom.xml):

编译'org.springframework.security.oauth:spring-security-oauth2:2.2.1.RELEASE'

第四步:配置application.yml以使用Ory Hydra内省端点获取令牌信息.

security:
  user:
    password: none
  oauth2:
    resource:
      token-info-uri: https://yourserver.com/oauth2/introspect
    client:
      client-id: my-rest-api
      client-secret: mypwd
      scope: [ "hydra.introspect" ]

第五步:创建一个类来配置受访问令牌保护的URL

@Configuration
@EnableResourceServer
public class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {

    @Autowired
    private RemoteTokenServices tokenServices;

    @Value("${security.oauth2.client.client-id}")
    private String clientId;

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
            .sessionManagement()
            .sessionCreationPolicy(SessionCreationPolicy.NEVER)
            .and()
            .authorizeRequests()
            .antMatchers(HttpMethod.OPTIONS).permitAll()
            .antMatchers("/api/v1/**").access("#oauth2.hasScope('my.desired.scope')")
            .and().exceptionHandling().accessDeniedHandler(new OAuth2AccessDeniedHandler());
    }

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
        resources.resourceId(clientId);
        tokenServices.setAccessTokenConverter(new OryHydraAccessTokenConverter());
        resources.tokenServices(tokenServices);
    }    
}

class OryHydraAccessTokenConverter extends DefaultAccessTokenConverter {
    @Override
    public OAuth2Authentication extractAuthentication(Map<String, ?> map) {
        OAuth2Authentication oAuth2Authentication = super.extractAuthentication(map);
        oAuth2Authentication.setDetails(map.get("ext"));
        return oAuth2Authentication;
    }
}

我需要一个自定义的AccessTokenConverter,因为我的同意应用程序为令牌添加了几个属性,我们需要映射所有这些属性.有了Ory,我的房产属于'ext'属性.这是一个示例访问令牌:

{
    "active": true,
    "scope": "my.desired.scope",
    "client_id": "my-mobile-app",
    "sub": "123121e",
    "exp": 1520948372,
    "iat": 1520944772,
    "iss": "https://yourserver.com",
    "ext": {
        "custom_prop1": 12321,
        "custom_prop2": "Name Surname",
        "custom_prop3": false
    }
}

最后一步:现在在您的控制器中,您可以自动装配为参数Oauth2Authentication对象.

@GetMapping("/api/v1/data")
public MyBean findDataById(OAuth2Authentication auth,
                           @RequestParam("id") String id) {
    OAuth2AuthenticationDetails oAuth2AuthenticationDetails = (OAuth2AuthenticationDetails) auth.getDetails();
    Map<String, Object> ext = (Map<String, Object>) oAuth2AuthenticationDetails.getDecodedDetails();
    return MyBean.builder().name("Name:"+ext.get("custom_prop1")).build();
}