Introduction
This is the user guide for OAuth 2.0 support. OAuth 1.0 is different in every respect, so consult its own user guide.
This user guide is divided into two sections: the first covers the OAuth 2.0 provider (OAuth 2.0 Provider) and the second the OAuth 2.0 client (OAuth 2.0 Client).
OAuth 2.0 Provider
The purpose of the OAuth 2.0 provider is to expose protected resources. Configuring it means establishing the list of clients that may access those protected resources.
The provider does this by managing and verifying the OAuth 2 tokens that are used to access the protected resources.
Where applicable, the provider must also present the user with an interface (a page or dialog) on which to confirm that a client may be granted access to the protected resources.
The provider role in OAuth 2 is actually split into two roles, an authorization service and a resource service. These sometimes live in the same application;
with Spring Security OAuth you can optionally split them into two applications, and you can also configure several resource services that share one authorization service.
Requests for tokens are handled by Spring MVC controller endpoints, and access to protected resources is handled by standard Spring Security request filters.
The following endpoints are required in the Spring Security filter chain in order to implement an OAuth 2 authorization server:
The following filters are required to implement an OAuth 2 resource server:
For all OAuth 2.0 provider features, configuration is simplified by using the dedicated Spring OAuth @Configuration adapters. OAuth can also be configured through the XML namespace; the schema lives at http://www.springframework.org/schema/security/spring-security-oauth2.xsd and the namespace is http://www.springframework.org/schema/security/oauth2.
Authorization Server Configuration
Note that each client can be configured individually with permission to use particular authorization mechanisms and grant types; enabling a grant type on the server does not by itself authorize every client to use it.
The @EnableAuthorizationServer annotation is used to configure the OAuth 2.0 authorization server mechanism, together with any @Beans that implement AuthorizationServerConfigurer (there is a handy adapter implementation with empty methods). The following features are delegated to separate configurers that are created by Spring and passed into the AuthorizationServerConfigurer:
ClientDetailsServiceConfigurer: a configurer that defines the client details service. Client details can be initialized here, or you can refer to an existing store.
AuthorizationServerSecurityConfigurer: defines the security constraints on the token endpoint.
AuthorizationServerEndpointsConfigurer: defines the authorization and token endpoints and the token services.
An important aspect of the provider configuration is the way an authorization code is supplied to the OAuth client. The OAuth client obtains the authorization code by directing the end user to an authorization page where the user can enter their credentials; after authenticating the user, the provider's authorization server redirects back to the OAuth client with the authorization code. Detailed examples are given in the OAuth 2 specification.
Configuring Client Details
The ClientDetailsServiceConfigurer (a callback invoked from your AuthorizationServerConfigurer) can be used to define an in-memory or JDBC implementation of the client details service.
The important attributes of a client are:
clientId: (required) the client id.
secret: the client secret, if any (required for trusted clients).
scope: the scope to which the client is limited. If scope is undefined or empty (the default), the client is not limited by scope.
authorizedGrantTypes: the grant types the client is authorized to use. The default value is empty.
authorities: the authorities granted to the client (regular Spring Security authorities).
Client details can be updated in a running application either by accessing the underlying store directly (for example the database tables used by JdbcClientDetailsService) or through the ClientDetailsManager interface (which the provided ClientDetailsService implementations also implement).
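The following is an added example of registering clients through the ClientDetailsServiceConfigurer; it is illustrative code written for this guide, not code from the Spring Security OAuth project. It assumes spring-security-oauth2 2.3.x running on Spring Security 5, where client secrets must be stored in encoded form, so the secret is hashed with the same PasswordEncoder that the token endpoint uses to check it. The client ids, secrets, scopes, authorities and redirect URI are constructed values (redirectUris is a client attribute not listed above).

```java
// Added example: registering OAuth 2 clients (not code from the Spring Security OAuth project).
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;

@Configuration
@EnableAuthorizationServer
public class ClientRegistrationConfig extends AuthorizationServerConfigurerAdapter {

    // Delegating encoder: stores "{bcrypt}..." hashes and can verify them later.
    @Bean
    public PasswordEncoder clientSecretEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) {
        // The token endpoint authenticates clients (HTTP Basic) with this encoder,
        // so the secrets registered below must be encoded with the same one.
        security.passwordEncoder(clientSecretEncoder());
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        PasswordEncoder enc = clientSecretEncoder();
        clients.inMemory()
            // A confidential web client that obtains authorization codes on behalf of end users.
            .withClient("web-app")                                  // clientId (required)
                .secret(enc.encode("web-app-secret"))               // secret; constructed, read from config in practice
                .scopes("read", "write")                            // scope: the client is limited to these
                .authorizedGrantTypes("authorization_code", "refresh_token")
                .authorities("ROLE_CLIENT")                         // authorities of the client itself
                .redirectUris("https://app.example.test/callback")  // constructed redirect URI
                .accessTokenValiditySeconds(600)
            .and()
            // A machine-to-machine client with no end user: only client_credentials.
            // Even if the server enables the password grant globally, this client may not use it.
            .withClient("batch-job")
                .secret(enc.encode("batch-job-secret"))
                .scopes("read")
                .authorizedGrantTypes("client_credentials")
                .authorities("ROLE_BATCH");

        // JDBC-backed alternative using the tables JdbcClientDetailsService reads; replace the
        // inMemory() chain above with this line (dataSource is an assumed injected DataSource bean):
        // clients.jdbc(dataSource).passwordEncoder(enc);
    }
}
```

The second client shows the point made above: the server may support several grant types, but each client is only granted the ones listed in its own authorizedGrantTypes. Keeping the secret encoded also means a leaked client table does not directly yield usable credentials.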
Managing Tokens
The AuthorizationServerTokenServices interface defines the operations needed to manage OAuth 2.0 tokens. Note the following:
When an access token is created, the authentication must be stored so that resources accepting the access token can reference it later.
The access token is used to load the authentication that was used to authorize its creation.
When creating your own implementation of AuthorizationServerTokenServices, consider using DefaultTokenServices: it creates tokens with random values and handles everything except persisting the tokens, which it delegates to a TokenStore. The default store is in-memory, but other implementations are available. Here is a brief introduction to each of them:
The default InMemoryTokenStore is perfectly fine for a single server (i.e. low traffic and no hot swap to a backup server in case of failure). Most projects can start here, and perhaps run this way in development mode, because it makes it easy to start a server with no other dependencies.
JdbcTokenStore is the JDBC version of the same thing; it stores token data in a relational database. Use the JDBC version if you can share a database between servers, either between scaled-out instances of the same server, or between the authorization server and the resource servers when there are multiple components. To use JdbcTokenStore you need the spring-jdbc jar on the project's classpath.
A JSON Web Token (JWT) encodes all the data about the grant into the token itself (so no back-end store is needed at all, which is a significant advantage of JWT). One disadvantage is that an issued access token cannot easily be revoked, so tokens are normally issued with a short expiry and revocation is handled when the refresh token is used. Another disadvantage is that the tokens can get quite large if a lot of user credential information is stored in them. JwtTokenStore is not really a "store" in that it does not persist any data, but it plays the same role of translating between token values and authentication information in DefaultTokenServices.
JwtTokenStore depends on a JwtAccessTokenConverter, and the same implementation is needed by both the authorization server and the resource server (so that they can safely share and decode the same data). Tokens are signed by default, and to verify the signatures the resource server needs either the same symmetric key as the authorization server (a shared secret) or the public key that matches the authorization server's private signing key (an asymmetric key pair). To use JwtTokenStore you need the spring-security-jwt jar on the project's classpath (it lives in the same Spring OAuth GitHub repository but has a different release cycle).
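The following added example (written for this guide, not code from the Spring Security OAuth project) wires DefaultTokenServices to a JwtTokenStore on the authorization server, with the JdbcTokenStore shown as the alternative for a shared database. It assumes spring-security-oauth2 2.3.x with spring-security-jwt and spring-jdbc on the classpath, a DataSource bean, and a configuration property named oauth.jwt.signing-key (an assumed name) that holds the symmetric key; the key is deliberately not a literal in the source.

```java
// Added example: DefaultTokenServices with a JWT (or JDBC) TokenStore; not project code.
import javax.sql.DataSource;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.provider.token.DefaultTokenServices;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JdbcTokenStore;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;

@Configuration
@EnableAuthorizationServer
public class TokenStoreConfig extends AuthorizationServerConfigurerAdapter {

    // Shared symmetric signing key from configuration (assumed property name).
    // The resource server must be given the same value to verify the signatures.
    @Value("${oauth.jwt.signing-key}")
    private String signingKey;

    private final DataSource dataSource;

    public TokenStoreConfig(DataSource dataSource) {
        this.dataSource = dataSource;
    }

    // Translates between token values and OAuth2Authentication. The same converter type,
    // holding the matching verifier key, is needed on the resource server.
    @Bean
    public JwtAccessTokenConverter accessTokenConverter() {
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        converter.setSigningKey(signingKey); // HMAC; use setKeyPair(...) for an RSA key pair
        return converter;
    }

    // JWT "store": persists nothing, the grant travels inside the token.
    @Bean
    public TokenStore tokenStore() {
        return new JwtTokenStore(accessTokenConverter());
    }

    // Alternative for several servers sharing a database or for tokens that must be revocable
    // immediately (tables oauth_access_token / oauth_refresh_token). Deliberately not a bean
    // here, so both variants can sit side by side; swap it into tokenServices() to use it.
    TokenStore jdbcTokenStore() {
        return new JdbcTokenStore(dataSource);
    }

    @Bean
    public DefaultTokenServices tokenServices() {
        DefaultTokenServices services = new DefaultTokenServices();
        services.setTokenStore(tokenStore());
        services.setTokenEnhancer(accessTokenConverter()); // makes issued tokens JWTs
        services.setSupportRefreshToken(true);
        // A JWT cannot be revoked once issued, so keep the access token short-lived and
        // let the refresh-token step be the point where a revoked grant is refused.
        services.setAccessTokenValiditySeconds(300);
        services.setRefreshTokenValiditySeconds(24 * 60 * 60);
        return services;
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
        endpoints.tokenStore(tokenStore())
                 .accessTokenConverter(accessTokenConverter())
                 .tokenServices(tokenServices());
    }
}
```

Clients are assumed to be registered as described in the client details section. With the JDBC variant the validity periods can be longer, because deleting the row in oauth_access_token revokes the token on the next request.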
Grant Types
The grant types supported by the AuthorizationEndpoint can be configured via the AuthorizationServerEndpointsConfigurer. By default all grant types are supported except password (see below for how to switch it on). The following properties affect the grant types:
authenticationManager: the password grant is switched on by injecting an AuthenticationManager.
authorizationCodeServices: defines the authorization code services (an instance of org.springframework.security.oauth2.provider.code.AuthorizationCodeServices) for the authorization code grant.
implicitGrantService: manages state during the implicit grant.
tokenGranter: the TokenGranter (takes full control of the granting and ignores the other properties above).
In XML, grant types are included as child elements of the authorization-server element.
Configuring the Endpoint URLs
AuthorizationServerEndpointsConfigurer has a pathMapping() method. The method takes two arguments:
The URL paths provided by the framework are /oauth/authorize (the authorization endpoint), /oauth/token (the token endpoint), /oauth/confirm_access (where the user posts approval for grants) and /oauth/error (used to render errors in the authorization server).
Note: the authorization endpoint /oauth/authorize (or its mapped alternative) should be protected using Spring Security so that it is only accessible to authenticated users. The token endpoint is protected for you by default by Spring OAuth in the @Configuration support, using HTTP Basic authentication of the client secret, but this is not the case with XML configuration (so there it should be protected explicitly).
With the XML <authorization-server/> element, some attributes can be used to change the default endpoint URLs in a similar way.
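The following added example (written for this guide, not code from the Spring Security OAuth project) covers the grant-type and endpoint sections together: it switches on the password grant by injecting an AuthenticationManager, supplies AuthorizationCodeServices, remaps the token endpoint with pathMapping(), and puts /oauth/authorize behind a Spring Security form login. It assumes spring-security-oauth2 2.3.x; the sample user, password and the custom path /api/oauth/token are constructed, and clients are assumed to be registered as in the client details section.

```java
// Added example: grant types, endpoint path mapping and protecting /oauth/authorize; not project code.
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.provider.code.AuthorizationCodeServices;
import org.springframework.security.oauth2.provider.code.InMemoryAuthorizationCodeServices;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

// End-user security. To Spring Security, /oauth/authorize is just another URL, so it must be
// placed behind authentication here. The token endpoint needs nothing extra: the OAuth
// @Configuration support already protects it with HTTP Basic client authentication.
@Configuration
public class EndUserSecurityConfig extends WebSecurityConfigurerAdapter {

    @Bean
    public PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    @Bean
    @Override
    public UserDetailsService userDetailsService() {
        // Constructed sample user; a real deployment loads users from its own store.
        return new InMemoryUserDetailsManager(
            User.withUsername("alice").password(passwordEncoder().encode("alice-pw")).roles("USER").build());
    }

    // Exposes the AuthenticationManager as a bean so the authorization server can inject it.
    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/oauth/authorize", "/oauth/confirm_access").authenticated()
                .anyRequest().authenticated()
            .and().formLogin();
    }
}

// Authorization server endpoints.
@Configuration
@EnableAuthorizationServer
class GrantTypeConfig extends AuthorizationServerConfigurerAdapter {

    @Autowired
    private AuthenticationManager authenticationManager;

    // Codes live only in this JVM; use JdbcAuthorizationCodeServices(dataSource) when
    // several authorization server instances must accept each other's codes.
    @Bean
    public AuthorizationCodeServices authorizationCodeServices() {
        return new InMemoryAuthorizationCodeServices();
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
        endpoints
            // Injecting an AuthenticationManager is what switches on the password grant.
            .authenticationManager(authenticationManager)
            .authorizationCodeServices(authorizationCodeServices())
            // pathMapping(default path, custom path): the token endpoint moves to /api/oauth/token.
            // The HTTP Basic protection of the token endpoint follows the mapped path.
            .pathMapping("/oauth/token", "/api/oauth/token");
    }
}
```

Switching the password grant on does not let every client use it; only clients whose authorizedGrantTypes include "password" are accepted, which keeps that grant limited to the trusted first-party clients it was designed for.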
Customizing Error Handling
Error handling in an authorization server uses standard Spring MVC features, namely @ExceptionHandler methods in the endpoints themselves. Users can also provide a WebResponseExceptionTranslator to the endpoints, which is the best way to change the content of the responses as opposed to the way they are rendered. The rendering of exceptions delegates to HttpMessageConverters (which can be added to the MVC configuration) in the case of the token endpoint, and to the OAuth error view (/oauth/error) in the case of the authorization endpoint. A whitelabel error endpoint is provided, but users may need to provide a custom implementation (for example, add a @Controller with @RequestMapping("/oauth/error")).
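The following added example (written for this guide, not code from the Spring Security OAuth project) shows both halves of the paragraph above: a WebResponseExceptionTranslator that changes the content of token endpoint error responses, and a @Controller on /oauth/error that replaces the whitelabel rendering for the authorization endpoint. It assumes spring-security-oauth2 2.3.x, where the translator interface is generic, and that the authorization endpoint forwards to /oauth/error with the exception in the "error" request attribute, which is the attribute the framework's whitelabel endpoint reads. The "correlation_id" field name is a constructed choice.

```java
// Added example: custom error content and custom error rendering; not project code.
import java.util.UUID;

import javax.servlet.http.HttpServletRequest;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.security.oauth2.common.exceptions.OAuth2Exception;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.provider.error.DefaultWebResponseExceptionTranslator;
import org.springframework.security.oauth2.provider.error.WebResponseExceptionTranslator;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.util.HtmlUtils;

// Content of the response: keep the RFC 6749 error code and HTTP status chosen by the default
// translator, but replace the description (which can echo internal detail) with a generic
// text plus an id that ties the client's report to the server log.
class TerseExceptionTranslator implements WebResponseExceptionTranslator<OAuth2Exception> {

    private static final Logger log = LoggerFactory.getLogger(TerseExceptionTranslator.class);
    private final DefaultWebResponseExceptionTranslator delegate = new DefaultWebResponseExceptionTranslator();

    @Override
    public ResponseEntity<OAuth2Exception> translate(Exception e) throws Exception {
        ResponseEntity<OAuth2Exception> original = delegate.translate(e);
        OAuth2Exception detailed = original.getBody();
        String correlationId = UUID.randomUUID().toString();
        // Full detail goes to the server log only.
        log.warn("OAuth error {}: {}", correlationId, detailed.getSummary());
        OAuth2Exception terse = OAuth2Exception.create(detailed.getOAuth2ErrorCode(), "request could not be processed");
        terse.addAdditionalInformation("correlation_id", correlationId);
        // The default translator's headers (Cache-Control: no-store, WWW-Authenticate on 401) are kept.
        return new ResponseEntity<>(terse, original.getHeaders(), original.getStatusCode());
    }
}

// Rendering for the authorization endpoint: this mapping takes precedence over the
// framework's whitelabel /oauth/error endpoint.
@Controller
class OAuthErrorController {

    @RequestMapping("/oauth/error")
    public ResponseEntity<String> render(HttpServletRequest request) {
        Object error = request.getAttribute("error");
        String code = "unknown_error";
        HttpStatus status = HttpStatus.BAD_REQUEST;
        if (error instanceof OAuth2Exception) {
            OAuth2Exception ex = (OAuth2Exception) error;
            code = ex.getOAuth2ErrorCode();
            status = HttpStatus.valueOf(ex.getHttpErrorCode());
        }
        // Escape before embedding: parts of the error can originate from request parameters.
        String html = "<html><body><h1>Authorization failed</h1><p>Error: "
                + HtmlUtils.htmlEscape(code) + "</p></body></html>";
        return ResponseEntity.status(status).contentType(MediaType.TEXT_HTML).body(html);
    }
}

@Configuration
@EnableAuthorizationServer
class ErrorHandlingConfig extends AuthorizationServerConfigurerAdapter {

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
        endpoints.exceptionTranslator(new TerseExceptionTranslator());
    }
}
```

Dropping the description is a trade-off: clients still receive the standard error code they need to react correctly, while wording that could reveal account existence or configuration detail stays in the log.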
Configuring the Resource Server
A resource server (which can be the same application as the authorization server or a separate one) serves resources that are protected by OAuth2 tokens. Spring OAuth provides a Spring Security authentication filter that implements this protection. You can switch it on with @EnableResourceServer on a @Configuration class and configure it using a ResourceServerConfigurer. The following properties can be configured:
tokenServices: the bean that defines the token services (an instance of ResourceServerTokenServices).
resourceId: the id for the resource (optional, but recommended; if present it is validated by the authorization server).
The @EnableResourceServer annotation automatically adds a filter of type OAuth2AuthenticationProcessingFilter to the Spring Security filter chain.
In XML there is a <resource-server/> element with an id attribute; this is the bean id of a servlet Filter that can then be added manually to the Spring Security chain.
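The following added example (written for this guide, not code from the Spring Security OAuth project) is a resource server configuration that sets the two properties above and applies access rules. It verifies JWT access tokens with the symmetric key shared with the authorization server, as described in the token section. It assumes spring-security-oauth2 2.3.x with spring-security-jwt, the assumed property oauth.jwt.signing-key holding the same key value the authorization server signs with, and a constructed resource id "orders-api" and path /orders/**.

```java
// Added example: resource server verifying JWTs with a shared key; not project code.
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.DefaultTokenServices;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;

@Configuration
@EnableResourceServer // adds OAuth2AuthenticationProcessingFilter to the Spring Security chain
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    // Constructed id. If the token's client has registered resource ids, this one must be
    // among them, otherwise the token is rejected for this server.
    private static final String RESOURCE_ID = "orders-api";

    // Same key value as the authorization server (assumed property name).
    @Value("${oauth.jwt.signing-key}")
    private String signingKey;

    // Same converter type as on the authorization server. With a symmetric key the verifier
    // key is the signing key; for an RSA pair call setVerifierKey(publicKeyPem) instead.
    @Bean
    public JwtAccessTokenConverter accessTokenConverter() {
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        converter.setSigningKey(signingKey);
        return converter;
    }

    @Bean
    public TokenStore tokenStore() {
        return new JwtTokenStore(accessTokenConverter());
    }

    // ResourceServerTokenServices: decodes and validates the bearer token into an
    // OAuth2Authentication (DefaultTokenServices implements that interface too).
    @Bean
    public DefaultTokenServices resourceTokenServices() {
        DefaultTokenServices services = new DefaultTokenServices();
        services.setTokenStore(tokenStore());
        return services;
    }

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        resources.resourceId(RESOURCE_ID)
                 .tokenServices(resourceTokenServices());
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        // Access rules for the protected resources; the scope is read from the token.
        http.authorizeRequests()
                .antMatchers("/orders/**").access("#oauth2.hasScope('read')")
                .anyRequest().authenticated();
    }
}
```

A token signed with a different key, or one whose signature has been tampered with, fails verification in the converter before any access rule runs; an expired one is rejected by the token services.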
Spring Security Primer (1-3): Spring Security OAuth 2.0 Guide