此版本仍在开发中,尚不被认为是稳定的。对于最新的稳定版本,请使用 Spring Authorization Server 1.5.2spring-doc.cadn.net.cn

协议端点

OAuth2 授权端点

OAuth2AuthorizationEndpointConfigurer提供自定义 OAuth2 授权端点的功能。 它定义了扩展点,允许您自定义 OAuth2 授权请求的预处理、主处理和后处理逻辑。spring-doc.cadn.net.cn

OAuth2AuthorizationEndpointConfigurer提供以下配置选项:spring-doc.cadn.net.cn

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
	OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
			OAuth2AuthorizationServerConfigurer.authorizationServer();

	http
		.securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
		.with(authorizationServerConfigurer, (authorizationServer) ->
			authorizationServer
				.authorizationEndpoint(authorizationEndpoint ->
					authorizationEndpoint
        				.authorizationRequestConverter(authorizationRequestConverter)   (1)
                        .authorizationRequestConverters(authorizationRequestConvertersConsumer) (2)
                        .authenticationProvider(authenticationProvider) (3)
                        .authenticationProviders(authenticationProvidersConsumer)   (4)
                        .authorizationResponseHandler(authorizationResponseHandler) (5)
                        .errorResponseHandler(errorResponseHandler) (6)
                        .consentPage("/oauth2/v1/authorize")    (7)
				)
		);

	return http.build();
}
1 authorizationRequestConverter():添加一个AuthenticationConverter (预处理器)尝试从HttpServletRequest设置为OAuth2AuthorizationCodeRequestAuthenticationTokenOAuth2AuthorizationConsentAuthenticationToken.
2 authorizationRequestConverters():将Consumer提供对List默认和(可选)添加AuthenticationConverter允许添加、删除或自定义特定的AuthenticationConverter.
3 authenticationProvider():添加一个AuthenticationProvider (主处理器)用于验证OAuth2AuthorizationCodeRequestAuthenticationTokenOAuth2AuthorizationConsentAuthenticationToken.
4 authenticationProviders():将Consumer提供对List默认和(可选)添加AuthenticationProvider允许添加、删除或自定义特定的AuthenticationProvider.
5 authorizationResponseHandler():这AuthenticationSuccessHandler (后处理器)用于处理“经过身份验证的”OAuth2AuthorizationCodeRequestAuthenticationToken并返回 OAuth2AuthorizationResponse
6 errorResponseHandler():这AuthenticationFailureHandler (后处理器)用于处理OAuth2AuthorizationCodeRequestAuthenticationException并返回 OAuth2Error 响应
7 consentPage():这URI的自定义同意页,以将资源所有者重定向到授权请求流期间是否需要同意。

OAuth2AuthorizationEndpointConfigurer配置OAuth2AuthorizationEndpointFilter并将其注册到 OAuth2 授权服务器SecurityFilterChain @Bean.OAuth2AuthorizationEndpointFilterFilter处理 OAuth2 授权请求(和同意)。spring-doc.cadn.net.cn

OAuth2AuthorizationEndpointFilter配置为以下默认值:spring-doc.cadn.net.cn

  • AuthenticationConverter— 一个DelegatingAuthenticationConverterOAuth2AuthorizationCodeRequestAuthenticationConverterOAuth2AuthorizationConsentAuthenticationConverter.spring-doc.cadn.net.cn

  • AuthenticationManager— 一个AuthenticationManagerOAuth2AuthorizationCodeRequestAuthenticationProviderOAuth2AuthorizationConsentAuthenticationProvider.spring-doc.cadn.net.cn

  • AuthenticationSuccessHandler— 处理“已验证”的内部实现OAuth2AuthorizationCodeRequestAuthenticationToken并返回OAuth2AuthorizationResponse.spring-doc.cadn.net.cn

  • AuthenticationFailureHandler— 使用OAuth2ErrorOAuth2AuthorizationCodeRequestAuthenticationException并返回OAuth2Error响应。spring-doc.cadn.net.cn

自定义授权请求验证

OAuth2AuthorizationCodeRequestAuthenticationValidator是用于验证授权代码授予中使用的特定 OAuth2 授权请求参数的默认验证器。 默认实现验证redirect_uriscope参数。 如果验证失败,则OAuth2AuthorizationCodeRequestAuthenticationException被抛出。spring-doc.cadn.net.cn

OAuth2AuthorizationCodeRequestAuthenticationProvider提供了通过提供类型Consumer<OAuth2AuthorizationCodeRequestAuthenticationContext>setAuthenticationValidator().spring-doc.cadn.net.cn

OAuth2AuthorizationCodeRequestAuthenticationContext持有OAuth2AuthorizationCodeRequestAuthenticationToken,其中包含 OAuth2 授权请求参数。
如果验证失败,身份验证验证器必须抛出OAuth2AuthorizationCodeRequestAuthenticationException.

开发生命周期阶段的一个常见用例是允许localhostredirect_uri参数。spring-doc.cadn.net.cn

以下示例演示如何配置OAuth2AuthorizationCodeRequestAuthenticationProvider使用自定义身份验证验证器,允许localhostredirect_uri参数:spring-doc.cadn.net.cn

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
	OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
			OAuth2AuthorizationServerConfigurer.authorizationServer();

	http
		.securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
		.with(authorizationServerConfigurer, (authorizationServer) ->
			authorizationServer
				.authorizationEndpoint(authorizationEndpoint ->
					authorizationEndpoint
                        .authenticationProviders(configureAuthenticationValidator())
				)
		);

	return http.build();
}

private Consumer<List<AuthenticationProvider>> configureAuthenticationValidator() {
	return (authenticationProviders) ->
		authenticationProviders.forEach((authenticationProvider) -> {
			if (authenticationProvider instanceof OAuth2AuthorizationCodeRequestAuthenticationProvider) {
				Consumer<OAuth2AuthorizationCodeRequestAuthenticationContext> authenticationValidator =
					// Override default redirect_uri validator
					new CustomRedirectUriValidator()
						// Reuse default scope validator
						.andThen(OAuth2AuthorizationCodeRequestAuthenticationValidator.DEFAULT_SCOPE_VALIDATOR);

				((OAuth2AuthorizationCodeRequestAuthenticationProvider) authenticationProvider)
					.setAuthenticationValidator(authenticationValidator);
			}
		});
}

static class CustomRedirectUriValidator implements Consumer<OAuth2AuthorizationCodeRequestAuthenticationContext> {

	@Override
	public void accept(OAuth2AuthorizationCodeRequestAuthenticationContext authenticationContext) {
		OAuth2AuthorizationCodeRequestAuthenticationToken authorizationCodeRequestAuthentication =
			authenticationContext.getAuthentication();
		RegisteredClient registeredClient = authenticationContext.getRegisteredClient();
		String requestedRedirectUri = authorizationCodeRequestAuthentication.getRedirectUri();

		// Use exact string matching when comparing client redirect URIs against pre-registered URIs
		if (!registeredClient.getRedirectUris().contains(requestedRedirectUri)) {
			OAuth2Error error = new OAuth2Error(OAuth2ErrorCodes.INVALID_REQUEST);
			throw new OAuth2AuthorizationCodeRequestAuthenticationException(error, null);
		}
	}
}

OAuth2 设备授权终结点

OAuth2DeviceAuthorizationEndpointConfigurer提供自定义 OAuth2 设备授权终结点的功能。 它定义了扩展点,允许您自定义 OAuth2 设备授权请求的预处理、主处理和后处理逻辑。spring-doc.cadn.net.cn

OAuth2DeviceAuthorizationEndpointConfigurer提供以下配置选项:spring-doc.cadn.net.cn

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
	OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
			OAuth2AuthorizationServerConfigurer.authorizationServer();

	http
		.securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
		.with(authorizationServerConfigurer, (authorizationServer) ->
			authorizationServer
				.deviceAuthorizationEndpoint(deviceAuthorizationEndpoint ->
                    deviceAuthorizationEndpoint
                        .deviceAuthorizationRequestConverter(deviceAuthorizationRequestConverter)   (1)
                        .deviceAuthorizationRequestConverters(deviceAuthorizationRequestConvertersConsumer) (2)
                        .authenticationProvider(authenticationProvider) (3)
                        .authenticationProviders(authenticationProvidersConsumer)   (4)
                        .deviceAuthorizationResponseHandler(deviceAuthorizationResponseHandler) (5)
                        .errorResponseHandler(errorResponseHandler) (6)
                        .verificationUri("/oauth2/v1/device_verification")  (7)
				)
		);

	return http.build();
}
1 deviceAuthorizationRequestConverter():添加一个AuthenticationConverter (预处理器)尝试HttpServletRequest设置为OAuth2DeviceAuthorizationRequestAuthenticationToken.
2 deviceAuthorizationRequestConverters():将Consumer提供对List默认和(可选)添加AuthenticationConverter允许添加、删除或自定义特定的AuthenticationConverter.
3 authenticationProvider():添加一个AuthenticationProvider (主处理器)用于验证OAuth2DeviceAuthorizationRequestAuthenticationToken.
4 authenticationProviders():将Consumer提供对List默认和(可选)添加AuthenticationProvider允许添加、删除或自定义特定的AuthenticationProvider.
5 deviceAuthorizationResponseHandler():这AuthenticationSuccessHandler (后处理器)用于处理“经过身份验证的”OAuth2DeviceAuthorizationRequestAuthenticationToken并返回 OAuth2DeviceAuthorizationResponse
6 errorResponseHandler():这AuthenticationFailureHandler (后处理器)用于处理OAuth2AuthenticationException并返回 OAuth2Error 响应
7 verificationUri():这URI的自定义最终用户验证页面,以将资源所有者定向到辅助设备上。

OAuth2DeviceAuthorizationEndpointConfigurer配置OAuth2DeviceAuthorizationEndpointFilter并将其注册到 OAuth2 授权服务器SecurityFilterChain @Bean.OAuth2DeviceAuthorizationEndpointFilterFilter处理 OAuth2 设备授权请求。spring-doc.cadn.net.cn

OAuth2DeviceAuthorizationEndpointFilter配置为以下默认值:spring-doc.cadn.net.cn

  • AuthenticationConverter— 一个OAuth2DeviceAuthorizationRequestAuthenticationConverter.spring-doc.cadn.net.cn

  • AuthenticationManager— 一个AuthenticationManagerOAuth2DeviceAuthorizationRequestAuthenticationProvider.spring-doc.cadn.net.cn

  • AuthenticationSuccessHandler— 处理“已验证”的内部实现OAuth2DeviceAuthorizationRequestAuthenticationToken并返回OAuth2DeviceAuthorizationResponse.spring-doc.cadn.net.cn

  • AuthenticationFailureHandler— 一个OAuth2ErrorAuthenticationFailureHandler.spring-doc.cadn.net.cn

OAuth2 设备验证终结点

OAuth2DeviceVerificationEndpointConfigurer提供自定义 OAuth2 设备验证端点(或“用户交互”)的功能。 它定义了扩展点,允许您自定义 OAuth2 设备验证请求的预处理、主处理和后处理逻辑。spring-doc.cadn.net.cn

OAuth2DeviceVerificationEndpointConfigurer提供以下配置选项:spring-doc.cadn.net.cn

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
	OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
			OAuth2AuthorizationServerConfigurer.authorizationServer();

	http
		.securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
		.with(authorizationServerConfigurer, (authorizationServer) ->
			authorizationServer
				.deviceVerificationEndpoint(deviceVerificationEndpoint ->
                    deviceVerificationEndpoint
                        .deviceVerificationRequestConverter(deviceVerificationRequestConverter) (1)
                        .deviceVerificationRequestConverters(deviceVerificationRequestConvertersConsumer)   (2)
                        .authenticationProvider(authenticationProvider) (3)
                        .authenticationProviders(authenticationProvidersConsumer)   (4)
                        .deviceVerificationResponseHandler(deviceVerificationResponseHandler)   (5)
                        .errorResponseHandler(errorResponseHandler) (6)
                        .consentPage("/oauth2/v1/consent")  (7)
				)
		);

	return http.build();
}
1 deviceVerificationRequestConverter():添加一个AuthenticationConverter (预处理器)在尝试从HttpServletRequest设置为OAuth2DeviceVerificationAuthenticationTokenOAuth2DeviceAuthorizationConsentAuthenticationToken.
2 deviceVerificationRequestConverters():将Consumer提供对List默认和(可选)添加AuthenticationConverter允许添加、删除或自定义特定的AuthenticationConverter.
3 authenticationProvider():添加一个AuthenticationProvider (主处理器)用于验证OAuth2DeviceVerificationAuthenticationTokenOAuth2DeviceAuthorizationConsentAuthenticationToken.
4 authenticationProviders():将Consumer提供对List默认和(可选)添加AuthenticationProvider允许添加、删除或自定义特定的AuthenticationProvider.
5 deviceVerificationResponseHandler():这AuthenticationSuccessHandler (后处理器)用于处理“经过身份验证的”OAuth2DeviceVerificationAuthenticationToken并指示资源所有者返回其设备。
6 errorResponseHandler():这AuthenticationFailureHandler (后处理器)用于处理OAuth2AuthenticationException并返回错误响应。
7 consentPage():这URI的自定义同意页,以将资源所有者重定向到在设备验证请求流期间需要同意。

OAuth2DeviceVerificationEndpointConfigurer配置OAuth2DeviceVerificationEndpointFilter并将其注册到 OAuth2 授权服务器SecurityFilterChain @Bean.OAuth2DeviceVerificationEndpointFilterFilter处理 OAuth2 设备验证请求(和同意)。spring-doc.cadn.net.cn

OAuth2DeviceVerificationEndpointFilter配置为以下默认值:spring-doc.cadn.net.cn

  • AuthenticationConverter— 一个DelegatingAuthenticationConverterOAuth2DeviceVerificationAuthenticationConverterOAuth2DeviceAuthorizationConsentAuthenticationConverter.spring-doc.cadn.net.cn

  • AuthenticationManager— 一个AuthenticationManagerOAuth2DeviceVerificationAuthenticationProviderOAuth2DeviceAuthorizationConsentAuthenticationProvider.spring-doc.cadn.net.cn

  • AuthenticationSuccessHandler— 一个SimpleUrlAuthenticationSuccessHandler处理“已验证”OAuth2DeviceVerificationAuthenticationToken并将用户重定向到成功页面(/?success).spring-doc.cadn.net.cn

  • AuthenticationFailureHandler— 使用OAuth2ErrorOAuth2AuthenticationException并返回OAuth2Error响应。spring-doc.cadn.net.cn

OAuth2 Tokens端点

OAuth2TokenEndpointConfigurer提供自定义 OAuth2 Tokens端点的功能。 它定义了扩展点,允许您自定义 OAuth2 访问Tokens请求的预处理、主处理和后处理逻辑。spring-doc.cadn.net.cn

OAuth2TokenEndpointConfigurer提供以下配置选项:spring-doc.cadn.net.cn

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
	OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
			OAuth2AuthorizationServerConfigurer.authorizationServer();

	http
		.securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
		.with(authorizationServerConfigurer, (authorizationServer) ->
			authorizationServer
				.tokenEndpoint(tokenEndpoint ->
                    tokenEndpoint
                        .accessTokenRequestConverter(accessTokenRequestConverter)   (1)
                        .accessTokenRequestConverters(accessTokenRequestConvertersConsumer) (2)
                        .authenticationProvider(authenticationProvider) (3)
                        .authenticationProviders(authenticationProvidersConsumer)   (4)
                        .accessTokenResponseHandler(accessTokenResponseHandler) (5)
                        .errorResponseHandler(errorResponseHandler) (6)
				)
		);

	return http.build();
}
1 accessTokenRequestConverter():添加一个AuthenticationConverter (预处理器)尝试HttpServletRequest设置为OAuth2AuthorizationGrantAuthenticationToken.
2 accessTokenRequestConverters():将Consumer提供对List默认和(可选)添加AuthenticationConverter允许添加、删除或自定义特定的AuthenticationConverter.
3 authenticationProvider():添加一个AuthenticationProvider (主处理器)用于验证OAuth2AuthorizationGrantAuthenticationToken.
4 authenticationProviders():将Consumer提供对List默认和(可选)添加AuthenticationProvider允许添加、删除或自定义特定的AuthenticationProvider.
5 accessTokenResponseHandler():这AuthenticationSuccessHandler (后处理器)用于处理OAuth2AccessTokenAuthenticationToken并返回OAuth2AccessTokenResponse.
6 errorResponseHandler():这AuthenticationFailureHandler (后处理器)用于处理OAuth2AuthenticationException并返回 OAuth2Error 响应

OAuth2TokenEndpointConfigurer配置OAuth2TokenEndpointFilter并将其注册到 OAuth2 授权服务器SecurityFilterChain @Bean.OAuth2TokenEndpointFilterFilter处理 OAuth2 访问Tokens请求。spring-doc.cadn.net.cn

支持的授权授予类型包括authorization_code,refresh_token,client_credentials,urn:ietf:params:oauth:grant-type:device_codeurn:ietf:params:oauth:grant-type:token-exchange.spring-doc.cadn.net.cn

OAuth2TokenEndpointFilter配置为以下默认值:spring-doc.cadn.net.cn

  • AuthenticationConverter— 一个DelegatingAuthenticationConverterOAuth2AuthorizationCodeAuthenticationConverter,OAuth2RefreshTokenAuthenticationConverter,OAuth2ClientCredentialsAuthenticationConverter,OAuth2DeviceCodeAuthenticationConverterOAuth2TokenExchangeAuthenticationConverter.spring-doc.cadn.net.cn

  • AuthenticationManager— 一个AuthenticationManagerOAuth2AuthorizationCodeAuthenticationProvider,OAuth2RefreshTokenAuthenticationProvider,OAuth2ClientCredentialsAuthenticationProvider,OAuth2DeviceCodeAuthenticationProviderOAuth2TokenExchangeAuthenticationProvider.spring-doc.cadn.net.cn

  • AuthenticationSuccessHandler— 一个OAuth2AccessTokenResponseAuthenticationSuccessHandler.spring-doc.cadn.net.cn

  • AuthenticationFailureHandler— 一个OAuth2ErrorAuthenticationFailureHandler.spring-doc.cadn.net.cn

自定义客户端凭据授予请求验证

OAuth2ClientCredentialsAuthenticationValidator是用于验证特定 OAuth2 客户端凭据授予请求参数的默认验证器。 默认实现验证scope参数。 如果验证失败,则OAuth2AuthenticationException被抛出。spring-doc.cadn.net.cn

OAuth2ClientCredentialsAuthenticationProvider通过提供类型为Consumer<OAuth2ClientCredentialsAuthenticationContext>setAuthenticationValidator().spring-doc.cadn.net.cn

OAuth2ClientCredentialsAuthenticationContext持有OAuth2ClientCredentialsAuthenticationToken,其中包含 OAuth2 客户端凭据授予请求参数。
如果验证失败,身份验证验证器必须抛出OAuth2AuthenticationException.

以下示例演示如何配置OAuth2ClientCredentialsAuthenticationProvider使用自定义身份验证验证器来覆盖默认的scope验证:spring-doc.cadn.net.cn

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
	OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
			OAuth2AuthorizationServerConfigurer.authorizationServer();

	http
		.securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
		.with(authorizationServerConfigurer, (authorizationServer) ->
			authorizationServer
				.tokenEndpoint(tokenEndpoint ->
                    tokenEndpoint
                        .authenticationProviders(configureAuthenticationValidator())
				)
		);

	return http.build();
}

private Consumer<List<AuthenticationProvider>> configureAuthenticationValidator() {
	return (authenticationProviders) ->
		authenticationProviders.forEach((authenticationProvider) -> {
			if (authenticationProvider instanceof OAuth2ClientCredentialsAuthenticationProvider) {
				Consumer<OAuth2ClientCredentialsAuthenticationContext> authenticationValidator =
					new CustomScopeValidator();

				// Override default scope validation
				((OAuth2ClientCredentialsAuthenticationProvider) authenticationProvider)
					.setAuthenticationValidator(authenticationValidator);
			}
		});
}

static class CustomScopeValidator implements Consumer<OAuth2ClientCredentialsAuthenticationContext> {

	@Override
	public void accept(OAuth2ClientCredentialsAuthenticationContext authenticationContext) {
		OAuth2ClientCredentialsAuthenticationToken clientCredentialsAuthentication =
			authenticationContext.getAuthentication();

		Set<String> requestedScopes = clientCredentialsAuthentication.getScopes();
		RegisteredClient registeredClient = authenticationContext.getRegisteredClient();
		Set<String> allowedScopes = registeredClient.getScopes();

        // TODO Implement scope validation

	}
}

OAuth2 Tokens自检端点

OAuth2TokenIntrospectionEndpointConfigurer提供了自定义 OAuth2 Tokens自检端点的功能。 它定义了扩展点,允许您自定义 OAuth2 自检请求的预处理、主处理和后处理逻辑。spring-doc.cadn.net.cn

OAuth2TokenIntrospectionEndpointConfigurer提供以下配置选项:spring-doc.cadn.net.cn

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
	OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
			OAuth2AuthorizationServerConfigurer.authorizationServer();

	http
		.securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
		.with(authorizationServerConfigurer, (authorizationServer) ->
			authorizationServer
				.tokenIntrospectionEndpoint(tokenIntrospectionEndpoint ->
                    tokenIntrospectionEndpoint
                        .introspectionRequestConverter(introspectionRequestConverter)   (1)
                        .introspectionRequestConverters(introspectionRequestConvertersConsumer) (2)
                        .authenticationProvider(authenticationProvider) (3)
                        .authenticationProviders(authenticationProvidersConsumer)   (4)
                        .introspectionResponseHandler(introspectionResponseHandler) (5)
                        .errorResponseHandler(errorResponseHandler) (6)
				)
		);

	return http.build();
}
1 introspectionRequestConverter():添加一个AuthenticationConverter (预处理器)在尝试从HttpServletRequest设置为OAuth2TokenIntrospectionAuthenticationToken.
2 introspectionRequestConverters():将Consumer提供对List默认和(可选)添加AuthenticationConverter允许添加、删除或自定义特定的AuthenticationConverter.
3 authenticationProvider():添加一个AuthenticationProvider (主处理器)用于验证OAuth2TokenIntrospectionAuthenticationToken.
4 authenticationProviders():将Consumer提供对List默认和(可选)添加AuthenticationProvider允许添加、删除或自定义特定的AuthenticationProvider.
5 introspectionResponseHandler():这AuthenticationSuccessHandler (后处理器)用于处理“经过身份验证的”OAuth2TokenIntrospectionAuthenticationToken并返回 OAuth2TokenIntrospection 响应
6 errorResponseHandler():这AuthenticationFailureHandler (后处理器)用于处理OAuth2AuthenticationException并返回 OAuth2Error 响应

OAuth2TokenIntrospectionEndpointConfigurer配置OAuth2TokenIntrospectionEndpointFilter并将其注册到 OAuth2 授权服务器SecurityFilterChain @Bean.OAuth2TokenIntrospectionEndpointFilterFilter处理 OAuth2 内省请求。spring-doc.cadn.net.cn

OAuth2TokenIntrospectionEndpointFilter配置为以下默认值:spring-doc.cadn.net.cn

  • AuthenticationConverter— 一个OAuth2TokenIntrospectionAuthenticationConverter.spring-doc.cadn.net.cn

  • AuthenticationManager— 一个AuthenticationManagerOAuth2TokenIntrospectionAuthenticationProvider.spring-doc.cadn.net.cn

  • AuthenticationSuccessHandler— 处理“已验证”的内部实现OAuth2TokenIntrospectionAuthenticationToken并返回OAuth2TokenIntrospection响应。spring-doc.cadn.net.cn

  • AuthenticationFailureHandler— 一个OAuth2ErrorAuthenticationFailureHandler.spring-doc.cadn.net.cn

OAuth2 Tokens吊销终结点

OAuth2TokenRevocationEndpointConfigurer提供自定义 OAuth2 Tokens吊销端点的功能。它定义了扩展点,允许您自定义 OAuth2 吊销请求的预处理、主处理和后处理逻辑。spring-doc.cadn.net.cn

OAuth2TokenRevocationEndpointConfigurer提供以下配置选项:spring-doc.cadn.net.cn

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
	OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
			OAuth2AuthorizationServerConfigurer.authorizationServer();

	http
		.securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
		.with(authorizationServerConfigurer, (authorizationServer) ->
			authorizationServer
				.tokenRevocationEndpoint(tokenRevocationEndpoint ->
                    tokenRevocationEndpoint
                        .revocationRequestConverter(revocationRequestConverter) (1)
                        .revocationRequestConverters(revocationRequestConvertersConsumer)   (2)
                        .authenticationProvider(authenticationProvider) (3)
                        .authenticationProviders(authenticationProvidersConsumer)   (4)
                        .revocationResponseHandler(revocationResponseHandler)   (5)
                        .errorResponseHandler(errorResponseHandler) (6)
				)
		);

	return http.build();
}
1 revocationRequestConverter():添加一个AuthenticationConverter (预处理器)当尝试从HttpServletRequest设置为OAuth2TokenRevocationAuthenticationToken.
2 revocationRequestConverters():将Consumer提供对List默认和(可选)添加AuthenticationConverter允许添加、删除或自定义特定的AuthenticationConverter.
3 authenticationProvider():添加一个AuthenticationProvider (主处理器)用于验证OAuth2TokenRevocationAuthenticationToken.
4 authenticationProviders():将Consumer提供对List默认和(可选)添加AuthenticationProvider允许添加、删除或自定义特定的AuthenticationProvider.
5 revocationResponseHandler():这AuthenticationSuccessHandler (后处理器)用于处理“经过身份验证的”OAuth2TokenRevocationAuthenticationToken并返回 OAuth2 吊销响应
6 errorResponseHandler():这AuthenticationFailureHandler (后处理器)用于处理OAuth2AuthenticationException并返回 OAuth2Error 响应

OAuth2TokenRevocationEndpointConfigurer配置OAuth2TokenRevocationEndpointFilter并将其注册到 OAuth2 授权服务器SecurityFilterChain @Bean.OAuth2TokenRevocationEndpointFilterFilter处理 OAuth2 吊销请求。spring-doc.cadn.net.cn

OAuth2TokenRevocationEndpointFilter配置为以下默认值:spring-doc.cadn.net.cn

  • AuthenticationConverter— 一个OAuth2TokenRevocationAuthenticationConverter.spring-doc.cadn.net.cn

  • AuthenticationManager— 一个AuthenticationManagerOAuth2TokenRevocationAuthenticationProvider.spring-doc.cadn.net.cn

  • AuthenticationSuccessHandler— 处理“已验证”的内部实现OAuth2TokenRevocationAuthenticationToken并返回 OAuth2 吊销响应。spring-doc.cadn.net.cn

  • AuthenticationFailureHandler— 一个OAuth2ErrorAuthenticationFailureHandler.spring-doc.cadn.net.cn

OAuth2 授权服务器元数据终结点

OAuth2AuthorizationServerMetadataEndpointConfigurer提供自定义 OAuth2 授权服务器元数据端点的功能。它定义了一个扩展点,用于自定义 OAuth2 授权服务器元数据响应spring-doc.cadn.net.cn

OAuth2AuthorizationServerMetadataEndpointConfigurer提供以下配置选项:spring-doc.cadn.net.cn

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
	OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
			OAuth2AuthorizationServerConfigurer.authorizationServer();

	http
		.securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
		.with(authorizationServerConfigurer, (authorizationServer) ->
			authorizationServer
				.authorizationServerMetadataEndpoint(authorizationServerMetadataEndpoint ->
                    authorizationServerMetadataEndpoint
                        .authorizationServerMetadataCustomizer(authorizationServerMetadataCustomizer)   (1)
				)
		);

	return http.build();
}
1 authorizationServerMetadataCustomizer():这Consumer提供对OAuth2AuthorizationServerMetadata.Builder允许自定义授权服务器配置的声明。

OAuth2AuthorizationServerMetadataEndpointConfigurer配置OAuth2AuthorizationServerMetadataEndpointFilter并将其注册到 OAuth2 授权服务器SecurityFilterChain @Bean.OAuth2AuthorizationServerMetadataEndpointFilterFilter返回 OAuth2AuthorizationServerMetadata 响应spring-doc.cadn.net.cn

JWK 设置端点

OAuth2AuthorizationServerConfigurer提供对 JWK Set 端点的支持。spring-doc.cadn.net.cn

OAuth2AuthorizationServerConfigurer配置NimbusJwkSetEndpointFilter并将其注册到 OAuth2 授权服务器SecurityFilterChain @Bean.NimbusJwkSetEndpointFilterFilter返回 JWK 集spring-doc.cadn.net.cn

JWKSource<SecurityContext> @Bean已注册。

OpenID Connect 1.0 提供程序配置端点

OidcProviderConfigurationEndpointConfigurer提供自定义 OpenID Connect 1.0 提供程序配置端点的功能。它定义了一个扩展点,允许您自定义 OpenID 提供程序配置响应spring-doc.cadn.net.cn

OidcProviderConfigurationEndpointConfigurer提供以下配置选项:spring-doc.cadn.net.cn

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
	OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
			OAuth2AuthorizationServerConfigurer.authorizationServer();

	http
		.securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
		.with(authorizationServerConfigurer, (authorizationServer) ->
			authorizationServer
                .oidc(oidc ->
                    oidc
                        .providerConfigurationEndpoint(providerConfigurationEndpoint ->
                            providerConfigurationEndpoint
                                .providerConfigurationCustomizer(providerConfigurationCustomizer)   (1)
                        )
                )
		);

	return http.build();
}
1 providerConfigurationCustomizer():这Consumer提供对OidcProviderConfiguration.Builder允许自定义 OpenID 提供程序配置的声明。

OidcProviderConfigurationEndpointConfigurer配置OidcProviderConfigurationEndpointFilter并将其注册到 OAuth2 授权服务器SecurityFilterChain @Bean.OidcProviderConfigurationEndpointFilterFilter返回 OidcProviderConfiguration 响应spring-doc.cadn.net.cn

OpenID Connect 1.0 注销端点

OidcLogoutEndpointConfigurer提供了自定义 OpenID Connect 1.0 注销端点的功能。它定义了扩展点,允许您自定义 RP 发起的注销请求的预处理、主处理和后处理逻辑。spring-doc.cadn.net.cn

OidcLogoutEndpointConfigurer提供以下配置选项:spring-doc.cadn.net.cn

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
	OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
			OAuth2AuthorizationServerConfigurer.authorizationServer();

	http
		.securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
		.with(authorizationServerConfigurer, (authorizationServer) ->
			authorizationServer
                .oidc(oidc ->
                    oidc
                        .logoutEndpoint(logoutEndpoint ->
                            logoutEndpoint
                                .logoutRequestConverter(logoutRequestConverter) (1)
                                .logoutRequestConverters(logoutRequestConvertersConsumer)   (2)
                                .authenticationProvider(authenticationProvider) (3)
                                .authenticationProviders(authenticationProvidersConsumer)   (4)
                                .logoutResponseHandler(logoutResponseHandler)   (5)
                                .errorResponseHandler(errorResponseHandler) (6)
                        )
                )
		);

	return http.build();
}
1 logoutRequestConverter():添加一个AuthenticationConverter (预处理器)在尝试从HttpServletRequest设置为OidcLogoutAuthenticationToken.
2 logoutRequestConverters():将Consumer提供对List默认和(可选)添加AuthenticationConverter允许添加、删除或自定义特定的AuthenticationConverter.
3 authenticationProvider():添加一个AuthenticationProvider (主处理器)用于验证OidcLogoutAuthenticationToken.
4 authenticationProviders():将Consumer提供对List默认和(可选)添加AuthenticationProvider允许添加、删除或自定义特定的AuthenticationProvider.
5 logoutResponseHandler():这AuthenticationSuccessHandler (后处理器)用于处理“经过身份验证的”OidcLogoutAuthenticationToken并执行注销。
6 errorResponseHandler():这AuthenticationFailureHandler (后处理器)用于处理OAuth2AuthenticationException并返回错误响应。

OidcLogoutEndpointConfigurer配置OidcLogoutEndpointFilter并将其注册到 OAuth2 授权服务器SecurityFilterChain @Bean.OidcLogoutEndpointFilterFilter处理 RP 发起的注销请求并执行最终用户的注销。spring-doc.cadn.net.cn

OidcLogoutEndpointFilter配置为以下默认值:spring-doc.cadn.net.cn

OidcLogoutAuthenticationProvider使用SessionRegistry查找SessionInformation与请求注销的最终用户关联的实例。
OidcClientInitiatedLogoutSuccessHandler是 Spring Security 的 OAuth2 客户端支持配置 OpenID Connect 1.0 RP-Initiated Logout 的相应配置。

自定义注销请求验证

OidcLogoutAuthenticationValidator是用于验证特定 OpenID Connect RP 发起的注销请求参数的默认验证器。 默认实现验证post_logout_redirect_uri参数。 如果验证失败,则OAuth2AuthenticationException被抛出。spring-doc.cadn.net.cn

OidcLogoutAuthenticationProvider通过提供类型Consumer<OidcLogoutAuthenticationContext>setAuthenticationValidator().spring-doc.cadn.net.cn

OidcLogoutAuthenticationContext持有OidcLogoutAuthenticationToken,其中包含注销请求参数。
如果验证失败,身份验证验证器必须抛出OAuth2AuthenticationException.

以下示例演示如何配置OidcLogoutAuthenticationProvider使用自定义身份验证验证器:spring-doc.cadn.net.cn

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
	OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
			OAuth2AuthorizationServerConfigurer.authorizationServer();

	http
		.securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
		.with(authorizationServerConfigurer, (authorizationServer) ->
			authorizationServer
                .oidc(oidc ->
                    oidc
                        .logoutEndpoint(logoutEndpoint ->
                            logoutEndpoint
                                .authenticationProviders(configureAuthenticationValidator())
                        )
                )
		);

	return http.build();
}

private Consumer<List<AuthenticationProvider>> configureAuthenticationValidator() {
	return (authenticationProviders) ->
			authenticationProviders.forEach((authenticationProvider) -> {
				if (authenticationProvider instanceof OidcLogoutAuthenticationProvider oidcLogoutAuthenticationProvider) {
					Consumer<OidcLogoutAuthenticationContext> authenticationValidator = new CustomPostLogoutRedirectUriValidator();
					oidcLogoutAuthenticationProvider.setAuthenticationValidator(authenticationValidator);
				}
			});
}

static class CustomPostLogoutRedirectUriValidator implements Consumer<OidcLogoutAuthenticationContext> {

	@Override
	public void accept(OidcLogoutAuthenticationContext authenticationContext) {
		OidcLogoutAuthenticationToken oidcLogoutAuthentication =
				authenticationContext.getAuthentication();
		RegisteredClient registeredClient = authenticationContext.getRegisteredClient();

		// TODO

	}
}

OpenID Connect 1.0 用户信息端点

OidcUserInfoEndpointConfigurer提供了自定义 OpenID Connect 1.0 UserInfo 端点的功能。 它定义了扩展点,允许您自定义 UserInfo 请求的预处理、主处理和后处理逻辑。spring-doc.cadn.net.cn

OidcUserInfoEndpointConfigurer提供以下配置选项:spring-doc.cadn.net.cn

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
	OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
			OAuth2AuthorizationServerConfigurer.authorizationServer();

	http
		.securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
		.with(authorizationServerConfigurer, (authorizationServer) ->
			authorizationServer
                .oidc(oidc ->
                    oidc
                        .userInfoEndpoint(userInfoEndpoint ->
                            userInfoEndpoint
                                .userInfoRequestConverter(userInfoRequestConverter) (1)
                                .userInfoRequestConverters(userInfoRequestConvertersConsumer)   (2)
                                .authenticationProvider(authenticationProvider) (3)
                                .authenticationProviders(authenticationProvidersConsumer)   (4)
                                .userInfoResponseHandler(userInfoResponseHandler)   (5)
                                .errorResponseHandler(errorResponseHandler) (6)
                                .userInfoMapper(userInfoMapper) (7)
                        )
                )
		);

	return http.build();
}
1 userInfoRequestConverter():添加一个AuthenticationConverter (预处理器)尝试HttpServletRequest设置为OidcUserInfoAuthenticationToken.
2 userInfoRequestConverters():将Consumer提供对List默认和(可选)添加AuthenticationConverter允许添加、删除或自定义特定的AuthenticationConverter.
3 authenticationProvider():添加一个AuthenticationProvider (主处理器)用于验证OidcUserInfoAuthenticationToken.
4 authenticationProviders():将Consumer提供对List默认和(可选)添加AuthenticationProvider允许添加、删除或自定义特定的AuthenticationProvider.
5 userInfoResponseHandler():这AuthenticationSuccessHandler (后处理器)用于处理“经过身份验证的”OidcUserInfoAuthenticationToken并返回 UserInfo 响应
6 errorResponseHandler():这AuthenticationFailureHandler (后处理器)用于处理OAuth2AuthenticationException并返回 UserInfo Error 响应
7 userInfoMapper():这Function用于从OidcUserInfoAuthenticationContext设置为OidcUserInfo.

OidcUserInfoEndpointConfigurer配置OidcUserInfoEndpointFilter并将其注册到 OAuth2 授权服务器SecurityFilterChain @Bean.OidcUserInfoEndpointFilterFilter处理 UserInfo 请求并返回 OidcUserInfo 响应spring-doc.cadn.net.cn

OidcUserInfoEndpointFilter配置为以下默认值:spring-doc.cadn.net.cn

  • AuthenticationConverter— 获取AuthenticationSecurityContext并创建一个OidcUserInfoAuthenticationToken与校长。spring-doc.cadn.net.cn

  • AuthenticationManager— 一个AuthenticationManagerOidcUserInfoAuthenticationProvider,它与userInfoMapper根据授权期间请求的范围ID Tokens中提取标准声明spring-doc.cadn.net.cn

  • AuthenticationSuccessHandler— 处理“已验证”的内部实现OidcUserInfoAuthenticationToken并返回OidcUserInfo响应。spring-doc.cadn.net.cn

  • AuthenticationFailureHandler— 使用OAuth2ErrorOAuth2AuthenticationException并返回OAuth2Error响应。spring-doc.cadn.net.cn

您可以通过提供OAuth2TokenCustomizer<JwtEncodingContext> @Bean.

OpenID Connect 1.0 UserInfo 端点是受 OAuth2 保护的资源,它要求UserInfo 请求中将访问Tokens作为持有者Tokens发送。spring-doc.cadn.net.cn

OAuth2 资源服务器支持是自动配置的,但是,JwtDecoder @Bean对于 OpenID Connect 1.0 UserInfo 端点来说是必需的
指南作方法:自定义 OpenID Connect 1.0 UserInfo 响应包含自定义 UserInfo 端点的示例。

OpenID Connect 1.0 客户端注册终结点

OidcClientRegistrationEndpointConfigurer提供了自定义 OpenID Connect 1.0 客户端注册端点的功能。 它定义了扩展点,允许您自定义客户端注册请求客户端读取请求的预处理、主处理和后处理逻辑。spring-doc.cadn.net.cn

OidcClientRegistrationEndpointConfigurer提供以下配置选项:spring-doc.cadn.net.cn

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
	OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
			OAuth2AuthorizationServerConfigurer.authorizationServer();

	http
		.securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
		.with(authorizationServerConfigurer, (authorizationServer) ->
			authorizationServer
                .oidc(oidc ->
                    oidc
                        .clientRegistrationEndpoint(clientRegistrationEndpoint ->
                            clientRegistrationEndpoint
                                .clientRegistrationRequestConverter(clientRegistrationRequestConverter) (1)
                                .clientRegistrationRequestConverters(clientRegistrationRequestConvertersConsumers)  (2)
                                .authenticationProvider(authenticationProvider) (3)
                                .authenticationProviders(authenticationProvidersConsumer)   (4)
                                .clientRegistrationResponseHandler(clientRegistrationResponseHandler)   (5)
                                .errorResponseHandler(errorResponseHandler) (6)
                        )
                )
		);

	return http.build();
}
1 clientRegistrationRequestConverter():添加一个AuthenticationConverter (预处理器)尝试从中提取客户端注册请求客户端读取请求时使用HttpServletRequest设置为OidcClientRegistrationAuthenticationToken.
2 clientRegistrationRequestConverters():将Consumer提供对List默认和(可选)添加AuthenticationConverter允许添加、删除或自定义特定的AuthenticationConverter.
3 authenticationProvider():添加一个AuthenticationProvider (主处理器)用于验证OidcClientRegistrationAuthenticationToken.
4 authenticationProviders():将Consumer提供对List默认和(可选)添加AuthenticationProvider允许添加、删除或自定义特定的AuthenticationProvider.
5 clientRegistrationResponseHandler():这AuthenticationSuccessHandler (后处理器)用于处理“经过身份验证的”OidcClientRegistrationAuthenticationToken并返回客户端注册响应客户端读取响应
6 errorResponseHandler():这AuthenticationFailureHandler (后处理器)用于处理OAuth2AuthenticationException并返回客户端注册错误响应客户端读取错误响应
默认情况下,OpenID Connect 1.0 客户端注册端点处于禁用状态,因为许多部署不需要动态客户端注册。

OidcClientRegistrationEndpointConfigurer配置OidcClientRegistrationEndpointFilter并将其注册到 OAuth2 授权服务器SecurityFilterChain @Bean.OidcClientRegistrationEndpointFilterFilter处理客户端注册请求并返回 OidcClientRegistration 响应spring-doc.cadn.net.cn

OidcClientRegistrationEndpointFilter还处理客户端读取请求并返回 OidcClientRegistration 响应

OidcClientRegistrationEndpointFilter配置为以下默认值:spring-doc.cadn.net.cn

  • AuthenticationConverter— 一个OidcClientRegistrationAuthenticationConverter.spring-doc.cadn.net.cn

  • AuthenticationManager— 一个AuthenticationManagerOidcClientRegistrationAuthenticationProviderOidcClientConfigurationAuthenticationProvider.spring-doc.cadn.net.cn

  • AuthenticationSuccessHandler— 处理“已验证”的内部实现OidcClientRegistrationAuthenticationToken并返回OidcClientRegistration响应。spring-doc.cadn.net.cn

  • AuthenticationFailureHandler— 使用OAuth2ErrorOAuth2AuthenticationException并返回OAuth2Error响应。spring-doc.cadn.net.cn

OpenID Connect 1.0 客户端注册端点是受 OAuth2 保护的资源,它要求在客户端注册(或客户端读取)请求中将访问Tokens作为持有者Tokens发送。spring-doc.cadn.net.cn

OAuth2 资源服务器支持是自动配置的,但是,JwtDecoder @Bean对于 OpenID Connect 1.0 客户端注册终结点是必需的
客户端注册请求中的访问Tokens需要 OAuth2 范围client.create.
客户端读取请求中的访问Tokens需要 OAuth2 范围client.read.