将 google login_hint 参数添加到 Spring oauth2 AuthorizationCode 请求

Question

我一直在尝试将请求参数添加到 AuthorizationCode 请求中，spring oauth2 过滤器向 google 发出请求，作为 oauth2 身份验证流程的一部分。具体来说，我需要添加一个 login_hint 参数，以防止谷歌在已知电子邮件地址时引导用户选择他们的帐户。

这是我的初始配置：

@Configuration
@EnableOAuth2Client
@RequiredArgsConstructor
public class OAuthSecurityConfiguration extends WebSecurityConfigurerAdapter {
    private static final String LOGIN_PATH = "/oauth/login";

    private static final int OAUTH2_CLIENT_FILTER_ORDER = -100;

    static {
        SecurityContextHolder.setStrategyName(SecurityContextHolder.MODE_INHERITABLETHREADLOCAL);
    }

    private final OAuth2ClientContext oauth2ClientContext;

    private final OAuth2ClientContextFilter oAuth2ClientContextFilter;


    @Override
    protected void configure(HttpSecurity http) throws Exception {
        final OAuth2ClientAuthenticationProcessingFilter ssoFilter = new OAuth2ClientAuthenticationProcessingFilter(LOGIN_PATH);
        ssoFilter.setRestTemplate(googleRestTemplate());
        ssoFilter.setTokenServices(tokenServices());
        ssoFilter.setAuthenticationManager(oAuth2AuthenticationManager());

        final OAuth2AuthenticationProcessingFilter clientFilter = new OAuth2AuthenticationProcessingFilter();
        clientFilter.setAuthenticationManager(oAuth2AuthenticationManager());
        clientFilter.setStateless(false);

//      @formatter:off
        http
            .csrf().disable()
            .cors().disable()
            .headers()
            .frameOptions().sameOrigin()
            .cacheControl().disable()
            .and()
            .antMatcher("/**")
                .csrf().disable()
                .httpBasic().disable()
                .rememberMe().disable()
                .addFilterBefore(ssoFilter, BasicAuthenticationFilter.class)
                .addFilterBefore(clientFilter, OAuth2ClientAuthenticationProcessingFilter.class)
                .authorizeRequests()
            .antMatchers("/api/**").fullyAuthenticated()
            .anyRequest().permitAll()
            .and()
            .logout().logoutUrl("/logout")
            .and() .exceptionHandling().authenticationEntryPoint(authenticationEntryPoint());
//      @formatter:on
    }

    

我设法做到这一点的唯一方法如下：

    @Bean
    public OAuth2RestTemplate googleRestTemplate() {
        MyAuthorizationCodeAccessTokenProvider myAuthorizationCodeAccessTokenProvider =
            new MyAuthorizationCodeAccessTokenProvider();

        AccessTokenProvider accessTokenProvider = new AccessTokenProviderChain(
            Arrays.<AccessTokenProvider>asList(
                myAuthorizationCodeAccessTokenProvider, new ImplicitAccessTokenProvider(),
                new ResourceOwnerPasswordAccessTokenProvider(), new ClientCredentialsAccessTokenProvider()));

        OAuth2RestTemplate oAuth2RestTemplate = new OAuth2RestTemplate(googleClient(), oauth2ClientContext);
        oAuth2RestTemplate.setAccessTokenProvider(accessTokenProvider);
        return oAuth2RestTemplate;
    }

    static class MyAuthorizationCodeAccessTokenProvider extends AuthorizationCodeAccessTokenProvider {
        private static String EMAIL_PARAM_NAME = "email";
        @Override
        public OAuth2AccessToken obtainAccessToken(OAuth2ProtectedResourceDetails details, AccessTokenRequest request)
            throws UserRedirectRequiredException, UserApprovalRequiredException, AccessDeniedException,
            OAuth2AccessDeniedException {
            try {
                return super.obtainAccessToken(details, request);
            } catch (UserRedirectRequiredException ex) {
                String email = request.containsKey(EMAIL_PARAM_NAME) ? request.get(EMAIL_PARAM_NAME).get(0) : null;
                if (email != null) {
                    ex.getRequestParams().put("login_hint", email);
                }
                throw ex;
            }
        }
    }
}

这是自定义 spring oauth2 实现以在授权请求上设置 login_hint 参数的最佳方法吗？

Answer 1

我需要使用 Okta 解决与 IdP 完全相同的问题。我知道这是一篇旧帖子，但我的帖子用一种通用方法回答了这个问题，该方法可用于需要附加到授权 URL 的任何其他参数（不仅仅是 login_hint）。我认为我的答案非常适合 Spring 希望开发人员如何解决这个问题。我的解决方案的主要资源可以在这里找到（https://github.com/spring-projects/spring-security/issues/5244）。另一个很好的资源在这里（https://github.com/spring-projects/spring-security/issues/5521）。它的工作原理如下：Spring 使用一个名为 OAuth2AuthorizationRequestRedirectFilter 的过滤器，它负责构建 OAuth2 授权请求。授权请求 (OAuth2AuthorizationRequest) 包含授权请求 URI。需要通过添加附加参数（即login_hint）来更改授权请求URI。Spring 使用 OAuth2AuthorizationRequestResolver 实现来创建 OAuth2AuthorizationRequest。通过提供您自己的 OAuth2AuthorizationRequestResolver，您可以向授权 URL 添加其他参数。因此，对于我的实现，我创建了一个名为 ConfigurableOAuth2AuthorizationRequestResolver 的类，它包装了 Spring 的 DefaultOAuth2AuthorizationRequestResolver。这是我的一些代码。

// Credit to Joe Grandja for providing test cases found here: 
// https://raw.githubusercontent.com/spring-projects/spring-security/779597af2a6ed777707f08ae8106818e0b8e299e/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/OAuth2AuthorizationRequestRedirectFilterTests.java
// Much of the below code comes from his test examples.
public class ConfigurableOAuth2AuthorizationRequestResolver implements OAuth2AuthorizationRequestResolver
{
    private final OAuth2AuthorizationRequestResolver oAuth2AuthorizationRequestResolver;

    /**
     * Wraps a OAuth2AuthorizationRequestResolver so that calls to the resolve method can be delegated.
     * In our implementation, the value passed here will be a DefaultOAuth2AuthorizationRequestResolver object.
     * @param oAuth2AuthorizationRequestResolver usually the default resolver from Spring.
     */
    public ConfigurableOAuth2AuthorizationRequestResolver(OAuth2AuthorizationRequestResolver oAuth2AuthorizationRequestResolver)
    {
        this.oAuth2AuthorizationRequestResolver = oAuth2AuthorizationRequestResolver;
    }

    /**
     * Adds our custom code to check for extra parameters in the session.  We use the session because there
     * are several redirects to the browser causing any request variable to be lost.  Don't really like
     * storing anything in the HTTP session but OK as long as it is removed immediately after use.
     *
     * @param request needed for resolve method delegation and to retrieve the HTTP session.
     * @return the <code>OAuth2AuthorizationRequest</code>
     */
    @Override
    public OAuth2AuthorizationRequest resolve(HttpServletRequest request)
    {
        OAuth2AuthorizationRequest authorizationRequest = this.oAuth2AuthorizationRequestResolver.resolve(request);
        return processAdditionalParameters(request, authorizationRequest);
    }

    /**
     * Required method for implementation but not used in the standard use case.
     *
     * @param request needed for resolve method delegation and to retrieve the HTTP session.
     * @param clientRegistrationId (e. g. google, okta)
     * @return the <code>OAuth2AuthorizationRequest</code>
     */
    @Override
    public OAuth2AuthorizationRequest resolve(HttpServletRequest request, String clientRegistrationId)
    {
        OAuth2AuthorizationRequest authorizationRequest = this.oAuth2AuthorizationRequestResolver.resolve(request, clientRegistrationId);
        return processAdditionalParameters(request, authorizationRequest);
    }

    /**
     * This method does the important task of appending any special query string parameters to the authorization
     * request.  For now, we are only looking for login_hint in the session.  This method can be changed to
     * support more parameters.  We expect the login_hint key to be found in the session.
     *
     * @param request needed to retrieve the HTTP session.
     * @param authorizationRequest can be null as a valid scenario. Not null when registrationId matches Okta (or whatever).
     * @return the <code>OAuth2AuthorizationRequest</code>
     */
    private OAuth2AuthorizationRequest processAdditionalParameters(HttpServletRequest request, OAuth2AuthorizationRequest authorizationRequest)
    {
        if (authorizationRequest == null)
        {
            return null;
        }
        // NOTE: this can be improved to support multiple parameters by storing a list instead of a single param
        Map<String, Object> additionalParameters = new HashMap<>(authorizationRequest.getAdditionalParameters());
        HttpSession session = request.getSession();
        additionalParameters.put(SSO_OAUTH2_AUTH_PARAM_LOGIN_HINT, session.getAttribute(SSO_OAUTH2_AUTH_PARAM_LOGIN_HINT));
        session.removeAttribute(SSO_OAUTH2_AUTH_PARAM_LOGIN_HINT); // remove immediately after use
        String customAuthorizationRequestUri = UriComponentsBuilder
            .fromUriString(authorizationRequest.getAuthorizationRequestUri())
            .queryParam(SSO_OAUTH2_AUTH_PARAM_LOGIN_HINT, additionalParameters.get(SSO_OAUTH2_AUTH_PARAM_LOGIN_HINT))
            .build(true).toUriString();
        return OAuth2AuthorizationRequest.from(authorizationRequest)
            .additionalParameters(additionalParameters)
            .authorizationRequestUri(customAuthorizationRequestUri)
            .build();
    }
}

接下来的代码展示了如何集成您的解析器而不是 Spring 的默认解析器。

@Override
protected void configure(HttpSecurity http) throws Exception
{
    logger.info("Configuring OAuth/OIDC HTTP security ...");
    http
        .oauth2Login()
        .authorizationEndpoint()
            .authorizationRequestResolver(this.authorizationRequestResolver()) // adds custom resolver

}

@Bean
public OAuth2AuthorizationRequestResolver authorizationRequestResolver()
{
    OAuth2AuthorizationRequestResolver defaultAuthorizationRequestResolver = new DefaultOAuth2AuthorizationRequestResolver(
        yourClientRegistrationRepository, OAuth2AuthorizationRequestRedirectFilter.DEFAULT_AUTHORIZATION_REQUEST_BASE_URI);
    return new ConfigurableOAuth2AuthorizationRequestResolver(defaultAuthorizationRequestResolver);
}

这是“最好”的方法吗，IDK。从 5.1 开始，恕我直言，这是公认的方法。