Spring oauth2 基本认证

Question

Spring oauth2 基本认证

Sen*_*ven 2 authentication spring spring-mvc spring-security oauth-2.0

我正在尝试使用 OAuth2 实现开发具有 spring 安全性的 rest api。但是如何删除基本身份验证。我只想将用户名和密码发送到 body 并在邮递员上获取令牌。

@Configuration
public class OAuthServerConfigration {

private static final String SERVER_RESOURCE_ID = "oauth2-server";

private static InMemoryTokenStore tokenStore = new InMemoryTokenStore();


@Configuration
@EnableResourceServer
protected static class ResourceServer extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
        resources.resourceId(SERVER_RESOURCE_ID).stateless(false);
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
         http.anonymous().disable().requestMatchers().antMatchers("/api/**").and().authorizeRequests().antMatchers("/api/**").access("#oauth2.hasScope('read')");
    }
}

@Configuration
@EnableAuthorizationServer
protected static class AuthConfig extends AuthorizationServerConfigurerAdapter {

    @Autowired
    private AuthenticationManager authenticationManager;


    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.authenticationManager(authenticationManager).tokenStore(tokenStore).approvalStoreDisabled();
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
            .withClient("client")
            .secret("$2a$10$5OkeCLKNs/BkdO0qcYRri.MdIcKhFvElAllhPgLfRQqG7wkEiPmq2")
                .authorizedGrantTypes("password","authorization_code","refresh_token")
                .authorities("ROLE_CLIENT", "ROLE_TRUSTED_CLIENT")
              .scopes("read", "write", "trust")
                .resourceIds(SERVER_RESOURCE_ID)
                  //.accessTokenValiditySeconds(ONE_DAY)
                  .accessTokenValiditySeconds(300)
                  .refreshTokenValiditySeconds(50);

    }


    @Override
    public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {

        oauthServer
                // we're allowing access to the token only for clients with 'ROLE_TRUSTED_CLIENT' authority
                .tokenKeyAccess("hasAuthority('ROLE_TRUSTED_CLIENT')")
                .checkTokenAccess("hasAuthority('ROLE_TRUSTED_CLIENT')");

    }

 }

}

@Configuration
@Order(2)
public static class ApiLoginConfig extends 
WebSecurityConfigurerAdapter{   
    @Autowired
    DataSource dataSource;

    @Autowired
    ClientDetailsService clientDetailsService;


    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/oauth/**");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {

        http.httpBasic().disable().csrf().disable().antMatcher("/oauth/token").authorizeRequests().anyRequest().permitAll();


    }
    @Override
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Bean
    public TokenStore tokenStore() {
        return new InMemoryTokenStore();
    }

    @Bean
    @Autowired
    public TokenStoreUserApprovalHandler userApprovalHandler(TokenStore tokenStore){
        TokenStoreUserApprovalHandler handler = new TokenStoreUserApprovalHandler();
        handler.setTokenStore(tokenStore);
        handler.setRequestFactory(new DefaultOAuth2RequestFactory(clientDetailsService));
        handler.setClientDetailsService(clientDetailsService);
        return handler;
    }

    @Bean
    @Autowired
    public ApprovalStore approvalStore(TokenStore tokenStore) throws Exception {
        TokenApprovalStore store = new TokenApprovalStore();
        store.setTokenStore(tokenStore);
        return store;
    }
}

Run Code Online (Sandbox Code Playgroud)

想要删除基本身份验证并在邮递员的正文标签中发送用户名密码以获取令牌

我遇到了一些问题 { "error": "unauthorized", "error_description": "没有客户端身份验证。尝试添加适当的身份验证过滤器。" }

Answer 1

kak*_*ali 5

在方法中的@EnableAuthorizationServer配置类中：-

@Override
public void configure(AuthorizationServerSecurityConfigurer oauthServer)

Run Code Online (Sandbox Code Playgroud)

尝试添加以下内容：-

oauthServer.allowFormAuthenticationForClients()

Run Code Online (Sandbox Code Playgroud)

完成后，您将不得不调用 oauth get token url，如下所示：-

URL 将与 http(s)://{HOST_NAME}/oauth/token 相同

HTTP 方法类型现在将是 POST

标题：-

Content-Type=application/x-www-form-urlencoded

Run Code Online (Sandbox Code Playgroud)

参数将是 postman 正文中 x-www-form-urlencoded 中的键值对

对于 client_credentials grant_type：-

grant_type=client_credentials
client_id=client_id_value
client_secret=client_secret_value
scope=scopes

Run Code Online (Sandbox Code Playgroud)

对于密码 grant_type：-

grant_type=password
client_id=client_id_value
client_secret=client_secret_value
scope=scopes
username=username
password=password

Run Code Online (Sandbox Code Playgroud)

范围将在此处以逗号分隔

归档时间：	7 年，11 月前
查看次数：	2432 次
最近记录：	5 年，6 月前