Spring Security:向 Spring 当局提取 oidc 角色声明
Bat*_*Bat 6 java spring-security jhipster openid-connect
OAuth2AuthenticationToken我正在尝试从被检测为 Spring Security 机构的角色声明中获取角色声明。在 OIDC 提供者端(在我的例子中是 Azure AD)定义了一个自定义角色,该角色嵌套在 中DefaultOidcUser,但不会自动添加到权限中:
我尝试像这样从 Jwt 令牌中提取它们
但是,当我这样做时,以下方法都不会被调用(无论是在登录期间,还是稍后,即使在默认配置中):
JwtGrantedAuthoritiesConverter.convert(Jwt)JwtAuthenticationConverter.convert(Jwt)JwtAuthenticationConverter.extractAuthorities(Jwt)
我当前的配置是:
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
@Import(SecurityProblemSupport.class)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Override
public void configure(HttpSecurity http) throws Exception {
// @formatter:off
http
.csrf()
<some more config that has nothing to do with oauth/oidc>
.and()
.oauth2Login()
.and()
.oauth2ResourceServer()
.jwt()
.jwtAuthenticationConverter(jwtAuthenticationConverter())
.and()
.and()
.oauth2Client()
;
}
private JwtAuthenticationConverter jwtAuthenticationConverter() {
// create a custom JWT converter to map the roles from the token as granted authorities
JwtGrantedAuthoritiesConverter jwtGrantedAuthoritiesConverter = new JwtGrantedAuthoritiesConverter();
jwtGrantedAuthoritiesConverter.setAuthoritiesClaimName("roles");
JwtAuthenticationConverter jwtAuthenticationConverter = new JwtAuthenticationConverter();
jwtAuthenticationConverter.setJwtGrantedAuthoritiesConverter(jwtGrantedAuthoritiesConverter);
return jwtAuthenticationConverter;
}
}
我也尝试过
CustomJwtAuthConverter implements Converter<Jwt, AbstractAuthenticationToken>
但无济于事。
任何帮助,将不胜感激。
设法使用权限映射器来实现它,该映射器还从 oidcToken 中提取声明:
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
[...]
@Bean
public GrantedAuthoritiesMapper userAuthoritiesMapper() {
return authorities -> {
Set<GrantedAuthority> mappedAuthorities = new HashSet<>();
authorities.forEach(
authority -> {
// Check for OidcUserAuthority because Spring Security 5.2 returns
// each scope as a GrantedAuthority, which we don't care about.
if (authority instanceof OidcUserAuthority) {
OidcUserAuthority oidcUserAuthority = (OidcUserAuthority) authority;
mappedAuthorities.addAll(SecurityUtils.extractAuthorityFromClaims(oidcUserAuthority.getUserInfo().getClaims()));
mappedAuthorities.addAll(SecurityUtils.extractAuthorityFromClaims(oidcUserAuthority.getIdToken().getClaims()));
}
}
);
return mappedAuthorities;
};
}
}
以及 SecurityUtils 内部:
public static List<GrantedAuthority> extractAuthorityFromClaims(Map<String, Object> claims) {
return mapRolesToGrantedAuthorities(getRolesFromClaims(claims));
}
private static List<GrantedAuthority> mapRolesToGrantedAuthorities(Collection<String> roles) {
return roles.stream().filter(role -> role.startsWith("ROLE_")).map(SimpleGrantedAuthority::new).collect(Collectors.toList());
}
之后,自定义角色应该出现在mappedAuthorities 中,并出现在令牌的权限中。从而使得注释“hasRole”和“hasAuthority”可以使用。
| 归档时间: |
|
| 查看次数: |
4613 次 |
| 最近记录: |