此版本仍在开发中，尚未被视为稳定版本。对于最新的稳定版本，请使用 Spring Authorization Server 1.5.0！spring-doc.cadn.net.cn

协议端点

OAuth2 授权端点

OAuth2AuthorizationEndpointConfigurer提供自定义 OAuth2 授权端点的功能。它定义了扩展点，允许您自定义 OAuth2 授权请求的预处理、主处理和后处理逻辑。spring-doc.cadn.net.cn

OAuth2AuthorizationEndpointConfigurer提供以下配置选项：spring-doc.cadn.net.cn

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
	OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
			OAuth2AuthorizationServerConfigurer.authorizationServer();

	http
		.securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
		.with(authorizationServerConfigurer, (authorizationServer) ->
			authorizationServer
				.authorizationEndpoint(authorizationEndpoint ->
					authorizationEndpoint
        				.authorizationRequestConverter(authorizationRequestConverter)   (1)
                        .authorizationRequestConverters(authorizationRequestConvertersConsumer) (2)
                        .authenticationProvider(authenticationProvider) (3)
                        .authenticationProviders(authenticationProvidersConsumer)   (4)
                        .authorizationResponseHandler(authorizationResponseHandler) (5)
                        .errorResponseHandler(errorResponseHandler) (6)
                        .consentPage("/oauth2/v1/authorize")    (7)
				)
		);

	return http.build();
}

1	`authorizationRequestConverter()`：添加`AuthenticationConverter` (预处理器）尝试从中提取 OAuth2 授权请求（或同意）时使用`HttpServletRequest`添加到`OAuth2AuthorizationCodeRequestAuthenticationToken`或`OAuth2AuthorizationConsentAuthenticationToken`.
2	`authorizationRequestConverters()`：设置`Consumer`提供对`List`of default 和（可选） added`AuthenticationConverter`允许添加、删除或自定义特定`AuthenticationConverter`.
3	`authenticationProvider()`：添加`AuthenticationProvider` (主处理器）用于验证`OAuth2AuthorizationCodeRequestAuthenticationToken`或`OAuth2AuthorizationConsentAuthenticationToken`.
4	`authenticationProviders()`：设置`Consumer`提供对`List`of default 和（可选） added`AuthenticationProvider`允许添加、删除或自定义特定`AuthenticationProvider`.
5	`authorizationResponseHandler()`：这`AuthenticationSuccessHandler` (后处理器）用于处理 “authenticated”`OAuth2AuthorizationCodeRequestAuthenticationToken`并返回 OAuth2AuthorizationResponse。
6	`errorResponseHandler()`：这`AuthenticationFailureHandler` (后处理器）用于处理`OAuth2AuthorizationCodeRequestAuthenticationException`并返回 OAuth2Error 响应。
7	`consentPage()`：这`URI`，以便在授权请求流程中将资源所有者重定向到是否需要同意。

OAuth2AuthorizationEndpointConfigurer配置OAuth2AuthorizationEndpointFilter并将其注册到 OAuth2 授权服务器SecurityFilterChain @Bean.OAuth2AuthorizationEndpointFilter是Filter处理 OAuth2 授权请求（和同意）。spring-doc.cadn.net.cn

OAuth2AuthorizationEndpointFilter配置了以下默认值：spring-doc.cadn.net.cn

AuthenticationConverter— 一个DelegatingAuthenticationConverter组成OAuth2AuthorizationCodeRequestAuthenticationConverter和OAuth2AuthorizationConsentAuthenticationConverter.spring-doc.cadn.net.cn
AuthenticationManager— 一个AuthenticationManager组成OAuth2AuthorizationCodeRequestAuthenticationProvider和OAuth2AuthorizationConsentAuthenticationProvider.spring-doc.cadn.net.cn
AuthenticationSuccessHandler— 处理 “authenticated” 的内部实现OAuth2AuthorizationCodeRequestAuthenticationToken并返回OAuth2AuthorizationResponse.spring-doc.cadn.net.cn
AuthenticationFailureHandler— 使用OAuth2Error与OAuth2AuthorizationCodeRequestAuthenticationException并返回OAuth2Error响应。spring-doc.cadn.net.cn

自定义授权请求验证

OAuth2AuthorizationCodeRequestAuthenticationValidator是用于验证授权码授予中使用的特定 OAuth2 授权请求参数的默认验证器。默认实现会验证redirect_uri和scope参数。如果验证失败，则OAuth2AuthorizationCodeRequestAuthenticationException被抛出。spring-doc.cadn.net.cn

OAuth2AuthorizationCodeRequestAuthenticationProvider通过提供Consumer<OAuth2AuthorizationCodeRequestAuthenticationContext>自setAuthenticationValidator().spring-doc.cadn.net.cn

OAuth2AuthorizationCodeRequestAuthenticationContext持有OAuth2AuthorizationCodeRequestAuthenticationToken，其中包含 OAuth2 授权请求参数。

如果验证失败，身份验证验证器必须抛出OAuth2AuthorizationCodeRequestAuthenticationException.

在开发生命周期阶段，一个常见的用例是允许localhost在redirect_uri参数。spring-doc.cadn.net.cn

以下示例显示如何配置OAuth2AuthorizationCodeRequestAuthenticationProvider使用自定义身份验证验证器，允许localhost在redirect_uri参数：spring-doc.cadn.net.cn

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
	OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
			OAuth2AuthorizationServerConfigurer.authorizationServer();

	http
		.securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
		.with(authorizationServerConfigurer, (authorizationServer) ->
			authorizationServer
				.authorizationEndpoint(authorizationEndpoint ->
					authorizationEndpoint
                        .authenticationProviders(configureAuthenticationValidator())
				)
		);

	return http.build();
}

private Consumer<List<AuthenticationProvider>> configureAuthenticationValidator() {
	return (authenticationProviders) ->
		authenticationProviders.forEach((authenticationProvider) -> {
			if (authenticationProvider instanceof OAuth2AuthorizationCodeRequestAuthenticationProvider) {
				Consumer<OAuth2AuthorizationCodeRequestAuthenticationContext> authenticationValidator =
					// Override default redirect_uri validator
					new CustomRedirectUriValidator()
						// Reuse default scope validator
						.andThen(OAuth2AuthorizationCodeRequestAuthenticationValidator.DEFAULT_SCOPE_VALIDATOR);

				((OAuth2AuthorizationCodeRequestAuthenticationProvider) authenticationProvider)
					.setAuthenticationValidator(authenticationValidator);
			}
		});
}

static class CustomRedirectUriValidator implements Consumer<OAuth2AuthorizationCodeRequestAuthenticationContext> {

	@Override
	public void accept(OAuth2AuthorizationCodeRequestAuthenticationContext authenticationContext) {
		OAuth2AuthorizationCodeRequestAuthenticationToken authorizationCodeRequestAuthentication =
			authenticationContext.getAuthentication();
		RegisteredClient registeredClient = authenticationContext.getRegisteredClient();
		String requestedRedirectUri = authorizationCodeRequestAuthentication.getRedirectUri();

		// Use exact string matching when comparing client redirect URIs against pre-registered URIs
		if (!registeredClient.getRedirectUris().contains(requestedRedirectUri)) {
			OAuth2Error error = new OAuth2Error(OAuth2ErrorCodes.INVALID_REQUEST);
			throw new OAuth2AuthorizationCodeRequestAuthenticationException(error, null);
		}
	}
}

OAuth2 推送的授权请求端点

OAuth2PushedAuthorizationRequestEndpointConfigurer提供自定义 OAuth2 Push Authorization Request 端点的功能。它定义了扩展点，允许您自定义 OAuth2 推送授权请求的预处理、主处理和后处理逻辑。spring-doc.cadn.net.cn

OAuth2PushedAuthorizationRequestEndpointConfigurer提供以下配置选项：spring-doc.cadn.net.cn

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
	OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
			OAuth2AuthorizationServerConfigurer.authorizationServer();

	http
		.securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
		.with(authorizationServerConfigurer, (authorizationServer) ->
			authorizationServer
				.pushedAuthorizationRequestEndpoint(pushedAuthorizationRequestEndpoint ->
					pushedAuthorizationRequestEndpoint
        				.pushedAuthorizationRequestConverter(pushedAuthorizationRequestConverter)   (1)
                        .pushedAuthorizationRequestConverters(pushedAuthorizationRequestConvertersConsumer) (2)
                        .authenticationProvider(authenticationProvider) (3)
                        .authenticationProviders(authenticationProvidersConsumer)   (4)
                        .pushedAuthorizationResponseHandler(pushedAuthorizationResponseHandler) (5)
                        .errorResponseHandler(errorResponseHandler) (6)
				)
		);

	return http.build();
}

1	`pushedAuthorizationRequestConverter()`：添加`AuthenticationConverter` (预处理器）尝试从中提取 OAuth2 推送的授权请求时使用`HttpServletRequest`添加到`OAuth2PushedAuthorizationRequestAuthenticationToken`.
2	`pushedAuthorizationRequestConverters()`：设置`Consumer`提供对`List`of default 和（可选） added`AuthenticationConverter`允许添加、删除或自定义特定`AuthenticationConverter`.
3	`authenticationProvider()`：添加`AuthenticationProvider` (主处理器）用于验证`OAuth2PushedAuthorizationRequestAuthenticationToken`.
4	`authenticationProviders()`：设置`Consumer`提供对`List`of default 和（可选） added`AuthenticationProvider`允许添加、删除或自定义特定`AuthenticationProvider`.
5	`pushedAuthorizationResponseHandler()`：这`AuthenticationSuccessHandler` (后处理器）用于处理 “authenticated”`OAuth2PushedAuthorizationRequestAuthenticationToken`并返回 OAuth2 推送的授权响应。
6	`errorResponseHandler()`：这`AuthenticationFailureHandler` (后处理器）用于处理`OAuth2AuthenticationException`并返回 OAuth2Error 响应。

OAuth2PushedAuthorizationRequestEndpointConfigurer配置OAuth2PushedAuthorizationRequestEndpointFilter并将其注册到 OAuth2 授权服务器SecurityFilterChain @Bean.OAuth2PushedAuthorizationRequestEndpointFilter是Filter处理 OAuth2 推送的授权请求。spring-doc.cadn.net.cn

OAuth2PushedAuthorizationRequestEndpointFilter配置了以下默认值：spring-doc.cadn.net.cn

AuthenticationConverter— 一个DelegatingAuthenticationConverter组成OAuth2AuthorizationCodeRequestAuthenticationConverter.spring-doc.cadn.net.cn
AuthenticationManager— 一个AuthenticationManager组成OAuth2PushedAuthorizationRequestAuthenticationProvider.spring-doc.cadn.net.cn
AuthenticationSuccessHandler— 处理 “authenticated” 的内部实现OAuth2PushedAuthorizationRequestAuthenticationToken并返回 OAuth2 推送的授权响应。spring-doc.cadn.net.cn
AuthenticationFailureHandler— 一个OAuth2ErrorAuthenticationFailureHandler.spring-doc.cadn.net.cn

自定义推送的授权请求验证

OAuth2AuthorizationCodeRequestAuthenticationValidator是默认验证器，用于验证授权码授予中使用的特定 OAuth2 推送授权请求参数。默认实现会验证redirect_uri和scope参数。如果验证失败，则OAuth2AuthorizationCodeRequestAuthenticationException被抛出。spring-doc.cadn.net.cn

OAuth2PushedAuthorizationRequestAuthenticationProvider通过提供Consumer<OAuth2AuthorizationCodeRequestAuthenticationContext>自setAuthenticationValidator().spring-doc.cadn.net.cn

OAuth2AuthorizationCodeRequestAuthenticationContext持有OAuth2AuthorizationCodeRequestAuthenticationToken，其中包含 OAuth2 推送的授权请求参数。

如果验证失败，身份验证验证器必须抛出OAuth2AuthorizationCodeRequestAuthenticationException.

在开发生命周期阶段，一个常见的用例是允许localhost在redirect_uri参数。spring-doc.cadn.net.cn

以下示例显示如何配置OAuth2PushedAuthorizationRequestAuthenticationProvider使用自定义身份验证验证器，允许localhost在redirect_uri参数：spring-doc.cadn.net.cn

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
	OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
			OAuth2AuthorizationServerConfigurer.authorizationServer();

	http
		.securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
		.with(authorizationServerConfigurer, (authorizationServer) ->
			authorizationServer
				.pushedAuthorizationRequestEndpoint(pushedAuthorizationRequestEndpoint ->
					pushedAuthorizationRequestEndpoint
                        .authenticationProviders(configureAuthenticationValidator())
				)
		);

	return http.build();
}

private Consumer<List<AuthenticationProvider>> configureAuthenticationValidator() {
	return (authenticationProviders) ->
		authenticationProviders.forEach((authenticationProvider) -> {
			if (authenticationProvider instanceof OAuth2PushedAuthorizationRequestAuthenticationProvider) {
				Consumer<OAuth2AuthorizationCodeRequestAuthenticationContext> authenticationValidator =
					// Override default redirect_uri validator
					new CustomRedirectUriValidator()
						// Reuse default scope validator
						.andThen(OAuth2AuthorizationCodeRequestAuthenticationValidator.DEFAULT_SCOPE_VALIDATOR);

				((OAuth2PushedAuthorizationRequestAuthenticationProvider) authenticationProvider)
					.setAuthenticationValidator(authenticationValidator);
			}
		});
}

static class CustomRedirectUriValidator implements Consumer<OAuth2AuthorizationCodeRequestAuthenticationContext> {

	@Override
	public void accept(OAuth2AuthorizationCodeRequestAuthenticationContext authenticationContext) {
		OAuth2AuthorizationCodeRequestAuthenticationToken authorizationCodeRequestAuthentication =
			authenticationContext.getAuthentication();
		RegisteredClient registeredClient = authenticationContext.getRegisteredClient();
		String requestedRedirectUri = authorizationCodeRequestAuthentication.getRedirectUri();

		// Use exact string matching when comparing client redirect URIs against pre-registered URIs
		if (!registeredClient.getRedirectUris().contains(requestedRedirectUri)) {
			OAuth2Error error = new OAuth2Error(OAuth2ErrorCodes.INVALID_REQUEST);
			throw new OAuth2AuthorizationCodeRequestAuthenticationException(error, null);
		}
	}
}

OAuth2 设备授权端点

OAuth2DeviceAuthorizationEndpointConfigurer提供自定义 OAuth2 设备授权端点的功能。它定义了扩展点，允许您自定义 OAuth2 设备授权请求的预处理、主处理和后处理逻辑。spring-doc.cadn.net.cn

OAuth2DeviceAuthorizationEndpointConfigurer提供以下配置选项：spring-doc.cadn.net.cn

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
	OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
			OAuth2AuthorizationServerConfigurer.authorizationServer();

	http
		.securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
		.with(authorizationServerConfigurer, (authorizationServer) ->
			authorizationServer
				.deviceAuthorizationEndpoint(deviceAuthorizationEndpoint ->
                    deviceAuthorizationEndpoint
                        .deviceAuthorizationRequestConverter(deviceAuthorizationRequestConverter)   (1)
                        .deviceAuthorizationRequestConverters(deviceAuthorizationRequestConvertersConsumer) (2)
                        .authenticationProvider(authenticationProvider) (3)
                        .authenticationProviders(authenticationProvidersConsumer)   (4)
                        .deviceAuthorizationResponseHandler(deviceAuthorizationResponseHandler) (5)
                        .errorResponseHandler(errorResponseHandler) (6)
                        .verificationUri("/oauth2/v1/device_verification")  (7)
				)
		);

	return http.build();
}

1	`deviceAuthorizationRequestConverter()`：添加`AuthenticationConverter` (预处理器）尝试从中提取 OAuth2 设备授权请求时使用`HttpServletRequest`添加到`OAuth2DeviceAuthorizationRequestAuthenticationToken`.
2	`deviceAuthorizationRequestConverters()`：设置`Consumer`提供对`List`of default 和（可选） added`AuthenticationConverter`允许添加、删除或自定义特定`AuthenticationConverter`.
3	`authenticationProvider()`：添加`AuthenticationProvider` (主处理器）用于验证`OAuth2DeviceAuthorizationRequestAuthenticationToken`.
4	`authenticationProviders()`：设置`Consumer`提供对`List`of default 和（可选） added`AuthenticationProvider`允许添加、删除或自定义特定`AuthenticationProvider`.
5	`deviceAuthorizationResponseHandler()`：这`AuthenticationSuccessHandler` (后处理器）用于处理 “authenticated”`OAuth2DeviceAuthorizationRequestAuthenticationToken`并返回 OAuth2DeviceAuthorizationResponse。
6	`errorResponseHandler()`：这`AuthenticationFailureHandler` (后处理器）用于处理`OAuth2AuthenticationException`并返回 OAuth2Error 响应。
7	`verificationUri()`：这`URI`将资源所有者定向到辅助设备上。

OAuth2DeviceAuthorizationEndpointConfigurer配置OAuth2DeviceAuthorizationEndpointFilter并将其注册到 OAuth2 授权服务器SecurityFilterChain @Bean.OAuth2DeviceAuthorizationEndpointFilter是Filter处理 OAuth2 设备授权请求。spring-doc.cadn.net.cn

OAuth2DeviceAuthorizationEndpointFilter配置了以下默认值：spring-doc.cadn.net.cn

AuthenticationConverter— 一个OAuth2DeviceAuthorizationRequestAuthenticationConverter.spring-doc.cadn.net.cn
AuthenticationManager— 一个AuthenticationManager组成OAuth2DeviceAuthorizationRequestAuthenticationProvider.spring-doc.cadn.net.cn
AuthenticationSuccessHandler— 处理 “authenticated” 的内部实现OAuth2DeviceAuthorizationRequestAuthenticationToken并返回OAuth2DeviceAuthorizationResponse.spring-doc.cadn.net.cn
AuthenticationFailureHandler— 一个OAuth2ErrorAuthenticationFailureHandler.spring-doc.cadn.net.cn

OAuth2 设备验证端点

OAuth2DeviceVerificationEndpointConfigurer提供自定义 OAuth2 设备验证端点（或“用户交互”）的功能。它定义了扩展点，允许您自定义 OAuth2 设备验证请求的预处理、主处理和后处理逻辑。spring-doc.cadn.net.cn

OAuth2DeviceVerificationEndpointConfigurer提供以下配置选项：spring-doc.cadn.net.cn

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
	OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
			OAuth2AuthorizationServerConfigurer.authorizationServer();

	http
		.securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
		.with(authorizationServerConfigurer, (authorizationServer) ->
			authorizationServer
				.deviceVerificationEndpoint(deviceVerificationEndpoint ->
                    deviceVerificationEndpoint
                        .deviceVerificationRequestConverter(deviceVerificationRequestConverter) (1)
                        .deviceVerificationRequestConverters(deviceVerificationRequestConvertersConsumer)   (2)
                        .authenticationProvider(authenticationProvider) (3)
                        .authenticationProviders(authenticationProvidersConsumer)   (4)
                        .deviceVerificationResponseHandler(deviceVerificationResponseHandler)   (5)
                        .errorResponseHandler(errorResponseHandler) (6)
                        .consentPage("/oauth2/v1/consent")  (7)
				)
		);

	return http.build();
}

1	`deviceVerificationRequestConverter()`：添加`AuthenticationConverter` (预处理器）尝试从中提取 OAuth2 设备验证请求（或同意）时使用`HttpServletRequest`添加到`OAuth2DeviceVerificationAuthenticationToken`或`OAuth2DeviceAuthorizationConsentAuthenticationToken`.
2	`deviceVerificationRequestConverters()`：设置`Consumer`提供对`List`of default 和（可选） added`AuthenticationConverter`允许添加、删除或自定义特定`AuthenticationConverter`.
3	`authenticationProvider()`：添加`AuthenticationProvider` (主处理器）用于验证`OAuth2DeviceVerificationAuthenticationToken`或`OAuth2DeviceAuthorizationConsentAuthenticationToken`.
4	`authenticationProviders()`：设置`Consumer`提供对`List`of default 和（可选） added`AuthenticationProvider`允许添加、删除或自定义特定`AuthenticationProvider`.
5	`deviceVerificationResponseHandler()`：这`AuthenticationSuccessHandler` (后处理器）用于处理 “authenticated”`OAuth2DeviceVerificationAuthenticationToken`并指示资源所有者返回到其设备。
6	`errorResponseHandler()`：这`AuthenticationFailureHandler` (后处理器）用于处理`OAuth2AuthenticationException`并返回错误响应。
7	`consentPage()`：这`URI`，将资源所有者重定向到在设备验证请求流程中是否需要同意。

OAuth2DeviceVerificationEndpointConfigurer配置OAuth2DeviceVerificationEndpointFilter并将其注册到 OAuth2 授权服务器SecurityFilterChain @Bean.OAuth2DeviceVerificationEndpointFilter是Filter处理 OAuth2 设备验证请求（和同意）。spring-doc.cadn.net.cn

OAuth2DeviceVerificationEndpointFilter配置了以下默认值：spring-doc.cadn.net.cn

AuthenticationConverter— 一个DelegatingAuthenticationConverter组成OAuth2DeviceVerificationAuthenticationConverter和OAuth2DeviceAuthorizationConsentAuthenticationConverter.spring-doc.cadn.net.cn
AuthenticationManager— 一个AuthenticationManager组成OAuth2DeviceVerificationAuthenticationProvider和OAuth2DeviceAuthorizationConsentAuthenticationProvider.spring-doc.cadn.net.cn
AuthenticationSuccessHandler— 一个SimpleUrlAuthenticationSuccessHandler处理 “authenticated”OAuth2DeviceVerificationAuthenticationToken并将用户重定向到成功页面（/?success).spring-doc.cadn.net.cn
AuthenticationFailureHandler— 使用OAuth2Error与OAuth2AuthenticationException并返回OAuth2Error响应。spring-doc.cadn.net.cn

OAuth2 Tokens端点

OAuth2TokenEndpointConfigurer提供自定义 OAuth2 Tokens端点的功能。它定义了扩展点，允许您自定义 OAuth2 访问Tokens请求的预处理、主处理和后处理逻辑。spring-doc.cadn.net.cn

OAuth2TokenEndpointConfigurer提供以下配置选项：spring-doc.cadn.net.cn

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
	OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
			OAuth2AuthorizationServerConfigurer.authorizationServer();

	http
		.securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
		.with(authorizationServerConfigurer, (authorizationServer) ->
			authorizationServer
				.tokenEndpoint(tokenEndpoint ->
                    tokenEndpoint
                        .accessTokenRequestConverter(accessTokenRequestConverter)   (1)
                        .accessTokenRequestConverters(accessTokenRequestConvertersConsumer) (2)
                        .authenticationProvider(authenticationProvider) (3)
                        .authenticationProviders(authenticationProvidersConsumer)   (4)
                        .accessTokenResponseHandler(accessTokenResponseHandler) (5)
                        .errorResponseHandler(errorResponseHandler) (6)
				)
		);

	return http.build();
}

1	`accessTokenRequestConverter()`：添加`AuthenticationConverter` (预处理器）尝试从中提取 OAuth2 访问Tokens请求时使用`HttpServletRequest`添加到`OAuth2AuthorizationGrantAuthenticationToken`.
2	`accessTokenRequestConverters()`：设置`Consumer`提供对`List`of default 和（可选） added`AuthenticationConverter`允许添加、删除或自定义特定`AuthenticationConverter`.
3	`authenticationProvider()`：添加`AuthenticationProvider` (主处理器）用于验证`OAuth2AuthorizationGrantAuthenticationToken`.
4	`authenticationProviders()`：设置`Consumer`提供对`List`of default 和（可选） added`AuthenticationProvider`允许添加、删除或自定义特定`AuthenticationProvider`.
5	`accessTokenResponseHandler()`：这`AuthenticationSuccessHandler` (后处理器）用于处理`OAuth2AccessTokenAuthenticationToken`并返回`OAuth2AccessTokenResponse`.
6	`errorResponseHandler()`：这`AuthenticationFailureHandler` (后处理器）用于处理`OAuth2AuthenticationException`并返回 OAuth2Error 响应。

OAuth2TokenEndpointConfigurer配置OAuth2TokenEndpointFilter并将其注册到 OAuth2 授权服务器SecurityFilterChain @Bean.OAuth2TokenEndpointFilter是Filter处理 OAuth2 访问Tokens请求。spring-doc.cadn.net.cn

支持的授权授权类型包括authorization_code,refresh_token,client_credentials,urn:ietf:params:oauth:grant-type:device_code和urn:ietf:params:oauth:grant-type:token-exchange.spring-doc.cadn.net.cn

OAuth2TokenEndpointFilter配置了以下默认值：spring-doc.cadn.net.cn

AuthenticationConverter— 一个DelegatingAuthenticationConverter组成OAuth2AuthorizationCodeAuthenticationConverter,OAuth2RefreshTokenAuthenticationConverter,OAuth2ClientCredentialsAuthenticationConverter,OAuth2DeviceCodeAuthenticationConverter和OAuth2TokenExchangeAuthenticationConverter.spring-doc.cadn.net.cn
AuthenticationManager— 一个AuthenticationManager组成OAuth2AuthorizationCodeAuthenticationProvider,OAuth2RefreshTokenAuthenticationProvider,OAuth2ClientCredentialsAuthenticationProvider,OAuth2DeviceCodeAuthenticationProvider和OAuth2TokenExchangeAuthenticationProvider.spring-doc.cadn.net.cn
AuthenticationSuccessHandler— 一个OAuth2AccessTokenResponseAuthenticationSuccessHandler.spring-doc.cadn.net.cn
AuthenticationFailureHandler— 一个OAuth2ErrorAuthenticationFailureHandler.spring-doc.cadn.net.cn

自定义客户端身份凭证授权请求验证

OAuth2ClientCredentialsAuthenticationValidator是用于验证特定 OAuth2 客户端凭证授予请求参数的默认验证器。默认实现会验证scope参数。如果验证失败，则OAuth2AuthenticationException被抛出。spring-doc.cadn.net.cn

OAuth2ClientCredentialsAuthenticationProvider通过提供 type 为Consumer<OAuth2ClientCredentialsAuthenticationContext>自setAuthenticationValidator().spring-doc.cadn.net.cn

OAuth2ClientCredentialsAuthenticationContext持有OAuth2ClientCredentialsAuthenticationToken，其中包含 OAuth2 客户端凭证授予请求参数。

如果验证失败，身份验证验证器必须抛出OAuth2AuthenticationException.

以下示例显示如何配置OAuth2ClientCredentialsAuthenticationProvider替换为覆盖默认scope验证：spring-doc.cadn.net.cn

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
	OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
			OAuth2AuthorizationServerConfigurer.authorizationServer();

	http
		.securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
		.with(authorizationServerConfigurer, (authorizationServer) ->
			authorizationServer
				.tokenEndpoint(tokenEndpoint ->
                    tokenEndpoint
                        .authenticationProviders(configureAuthenticationValidator())
				)
		);

	return http.build();
}

private Consumer<List<AuthenticationProvider>> configureAuthenticationValidator() {
	return (authenticationProviders) ->
		authenticationProviders.forEach((authenticationProvider) -> {
			if (authenticationProvider instanceof OAuth2ClientCredentialsAuthenticationProvider) {
				Consumer<OAuth2ClientCredentialsAuthenticationContext> authenticationValidator =
					new CustomScopeValidator();

				// Override default scope validation
				((OAuth2ClientCredentialsAuthenticationProvider) authenticationProvider)
					.setAuthenticationValidator(authenticationValidator);
			}
		});
}

static class CustomScopeValidator implements Consumer<OAuth2ClientCredentialsAuthenticationContext> {

	@Override
	public void accept(OAuth2ClientCredentialsAuthenticationContext authenticationContext) {
		OAuth2ClientCredentialsAuthenticationToken clientCredentialsAuthentication =
			authenticationContext.getAuthentication();

		Set<String> requestedScopes = clientCredentialsAuthentication.getScopes();
		RegisteredClient registeredClient = authenticationContext.getRegisteredClient();
		Set<String> allowedScopes = registeredClient.getScopes();

        // TODO Implement scope validation

	}
}

DPoP 绑定访问Tokens

RFC 9449 OAuth 2.0 演示所有权证明（DPoP）是一种应用程序级机制，用于对访问Tokens进行发送者约束。spring-doc.cadn.net.cn

DPoP 的主要目标是防止未经授权或非法的客户端使用泄露或被盗的访问Tokens，方法是在授权服务器颁发访问Tokens时将访问Tokens绑定到公钥，并要求客户端在资源服务器上使用访问Tokens时证明拥有相应的私钥。spring-doc.cadn.net.cn

通过 DPoP 受发送方约束的访问Tokens与典型的不记名Tokens形成鲜明对比，后者可由拥有访问Tokens的任何客户端使用。spring-doc.cadn.net.cn

DPoP 引入了 DPoP 证明的概念，它是由客户端创建并作为 HTTP 请求中的标头发送的 JWT。客户端使用 DPoP 证明来证明拥有与某个公钥对应的私钥。spring-doc.cadn.net.cn

当客户端发起访问Tokens请求时，它会在 HTTP 标头中将 DPoP 证明附加到请求。授权服务器将访问Tokens绑定（发送者约束）到 DPoP 证明中关联的公钥。spring-doc.cadn.net.cn

当客户端发起受保护资源请求时，它会再次将 DPoP 证明附加到 HTTP 标头中的请求。spring-doc.cadn.net.cn

资源服务器直接在访问Tokens （JWT）中或通过 OAuth2 Tokens自省端点获取有关绑定到访问Tokens的公钥的信息。然后，资源服务器验证绑定到访问Tokens的公钥是否与 DPoP 证明中的公钥匹配。它还验证 DPoP 证明中的访问Tokens哈希是否与请求中的访问Tokens匹配。spring-doc.cadn.net.cn

DPoP 访问Tokens请求

要请求使用 DPoP 绑定到公钥的访问Tokens，客户端必须在DPoP标头。这适用于所有访问Tokens请求，无论授权授权类型如何（例如authorization_code,refresh_token,client_credentials等）。spring-doc.cadn.net.cn

以下 HTTP 请求显示了authorization_code访问Tokens请求，并在DPoP页眉：spring-doc.cadn.net.cn

POST /oauth2/token HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded
DPoP: eyJraWQiOiJyc2EtandrLWtpZCIsInR5cCI6ImRwb3Arand0IiwiYWxnIjoiUlMyNTYiLCJqd2siOnsia3R5IjoiUlNBIiwiZSI6IkFRQUIiLCJraWQiOiJyc2EtandrLWtpZCIsIm4iOiIzRmxxSnI1VFJza0lRSWdkRTNEZDdEOWxib1dkY1RVVDhhLWZKUjdNQXZRbTdYWE5vWWttM3Y3TVFMMU5ZdER2TDJsOENBbmMwV2RTVElOVTZJUnZjNUtxbzJRNGNzTlg5U0hPbUVmem9ST2pRcWFoRWN2ZTFqQlhsdW9DWGRZdVlweDRfMXRmUmdHNmlpNFVoeGg2aUk4cU5NSlFYLWZMZnFoYmZZZnhCUVZSUHl3QmtBYklQNHgxRUFzYkM2RlNObWtoQ3hpTU5xRWd4YUlwWThDMmtKZEpfWklWLVdXNG5vRGR6cEtxSGN3bUI4RnNydW1sVllfRE5WdlVTRElpcGlxOVBiUDRIOTlUWE4xbzc0Nm9SYU5hMDdycTFob0NnTVNTeS04NVNhZ0NveGxteUUtRC1vZjlTc01ZOE9sOXQwcmR6cG9iQnVoeUpfbzVkZnZqS3cifX0.eyJodG0iOiJQT1NUIiwiaHR1IjoiaHR0cHM6Ly9zZXJ2ZXIuZXhhbXBsZS5jb20vb2F1dGgyL3Rva2VuIiwiaWF0IjoxNzQ2ODA2MzA1LCJqdGkiOiI0YjIzNDBkMi1hOTFmLTQwYTUtYmFhOS1kZDRlNWRlYWM4NjcifQ.wq8gJ_G6vpiEinfaY3WhereqCCLoeJOG8tnWBBAzRWx9F1KU5yAAWq-ZVCk_k07-h6DIqz2wgv6y9dVbNpRYwNwDUeik9qLRsC60M8YW7EFVyI3n_NpujLwzZeub_nDYMVnyn4ii0NaZrYHtoGXOlswQfS_-ET-jpC0XWm5nBZsCdUEXjOYtwaACC6Js-pyNwKmSLp5SKIk11jZUR5xIIopaQy521y9qJHhGRwzj8DQGsP7wMZ98UFL0E--1c-hh4rTy8PMeWCqRHdwjj_ry_eTe0DJFcxxYQdeL7-0_0CIO4Ayx5WHEpcUOIzBRoN32RsNpDZc-5slDNj9ku004DA

grant_type=authorization_code\
&client_id=s6BhdRkqt\
&code=SplxlOBeZQQYbYS6WxSbIA\
&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb\
&code_verifier=bEaL42izcC-o-xBk0K2vuJ6U-y1p9r_wW2dFWIWgjz-

下面显示了 DPoP Proof JWT 标头和声明的表示形式：spring-doc.cadn.net.cn

{
  "typ": "dpop+jwt",
  "alg": "RS256",
  "jwk": {
    "kty": "RSA",
    "e": "AQAB",
    "n": "3FlqJr5TRskIQIgdE3Dd7D9lboWdcTUT8a-fJR7MAvQm7XXNoYkm3v7MQL1NYtDvL2l8CAnc0WdSTINU6IRvc5Kqo2Q4csNX9SHOmEfzoROjQqahEcve1jBXluoCXdYuYpx4_1tfRgG6ii4Uhxh6iI8qNMJQX-fLfqhbfYfxBQVRPywBkAbIP4x1EAsbC6FSNmkhCxiMNqEgxaIpY8C2kJdJ_ZIV-WW4noDdzpKqHcwmB8FsrumlVY_DNVvUSDIipiq9PbP4H99TXN1o746oRaNa07rq1hoCgMSSy-85SagCoxlmyE-D-of9SsMY8Ol9t0rdzpobBuhyJ_o5dfvjKw"
  }
}

{
  "htm": "POST",
  "htu": "https://server.example.com/oauth2/token",
  "iat": 1746806305,
  "jti": "4b2340d2-a91f-40a5-baa9-dd4e5deac867"
}

以下代码显示了如何生成 DPoP 证明 JWT 的示例：spring-doc.cadn.net.cn

RSAKey rsaKey = ...
JWKSource<SecurityContext> jwkSource = (jwkSelector, securityContext) -> jwkSelector
		.select(new JWKSet(rsaKey));
NimbusJwtEncoder jwtEncoder = new NimbusJwtEncoder(jwkSource);

JwsHeader jwsHeader = JwsHeader.with(SignatureAlgorithm.RS256)
		.type("dpop+jwt")
		.jwk(rsaKey.toPublicJWK().toJSONObject())
		.build();
JwtClaimsSet claims = JwtClaimsSet.builder()
		.issuedAt(Instant.now())
		.claim("htm", "POST")
		.claim("htu", "https://server.example.com/oauth2/token")
		.id(UUID.randomUUID().toString())
		.build();

Jwt dPoPProof = jwtEncoder.encode(JwtEncoderParameters.from(jwsHeader, claims));

授权服务器成功验证 DPoP 证明后，DPoP 证明中的公钥将被绑定（发件人约束）到颁发的访问Tokens。spring-doc.cadn.net.cn

以下访问Tokens响应显示token_typeparameter 指定为DPoP向客户端发出信号，表明访问Tokens已绑定到其 DPoP 证明公钥：spring-doc.cadn.net.cn

HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store

{
 "access_token": "Kz~8mXK1EalYznwH-LC-1fBAo.4Ljp~zsPE_NeO.gxU",
 "token_type": "DPoP",
 "expires_in": 2677
}

公钥确认

资源服务器必须能够识别访问Tokens是否受 DPoP 绑定，并验证是否绑定到 DPoP 证明的公钥。绑定是通过以资源服务器可以访问的方式将公钥与访问Tokens相关联来实现的，例如将公钥哈希直接嵌入访问Tokens （JWT）或通过Tokens自省。spring-doc.cadn.net.cn

当访问Tokens表示为 JWT 时，公钥哈希包含在jkt确认方法（cnf）声明。spring-doc.cadn.net.cn

以下示例显示了包含cnf声明中带有jktclaim，这是 DPoP 证明公钥的 JWK SHA-256 指纹：spring-doc.cadn.net.cn

{
  "sub":"[email protected]",
  "iss":"https://server.example.com",
  "nbf":1562262611,
  "exp":1562266216,
  "cnf":
  {
    "jkt":"CQMknzRoZ5YUi7vS58jck1q8TmZT8wiIiXrCN1Ny4VU"
  }
}

OAuth2 Tokens自省端点

OAuth2TokenIntrospectionEndpointConfigurer提供自定义 OAuth2 Tokens自检端点的功能。它定义了扩展点，允许您自定义 OAuth2 自省请求的预处理、主处理和后处理逻辑。spring-doc.cadn.net.cn

OAuth2TokenIntrospectionEndpointConfigurer提供以下配置选项：spring-doc.cadn.net.cn

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
	OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
			OAuth2AuthorizationServerConfigurer.authorizationServer();

	http
		.securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
		.with(authorizationServerConfigurer, (authorizationServer) ->
			authorizationServer
				.tokenIntrospectionEndpoint(tokenIntrospectionEndpoint ->
                    tokenIntrospectionEndpoint
                        .introspectionRequestConverter(introspectionRequestConverter)   (1)
                        .introspectionRequestConverters(introspectionRequestConvertersConsumer) (2)
                        .authenticationProvider(authenticationProvider) (3)
                        .authenticationProviders(authenticationProvidersConsumer)   (4)
                        .introspectionResponseHandler(introspectionResponseHandler) (5)
                        .errorResponseHandler(errorResponseHandler) (6)
				)
		);

	return http.build();
}

1	`introspectionRequestConverter()`：添加`AuthenticationConverter` (预处理器）尝试从中提取 OAuth2 内省请求时使用`HttpServletRequest`添加到`OAuth2TokenIntrospectionAuthenticationToken`.
2	`introspectionRequestConverters()`：设置`Consumer`提供对`List`of default 和（可选） added`AuthenticationConverter`允许添加、删除或自定义特定`AuthenticationConverter`.
3	`authenticationProvider()`：添加`AuthenticationProvider` (主处理器）用于验证`OAuth2TokenIntrospectionAuthenticationToken`.
4	`authenticationProviders()`：设置`Consumer`提供对`List`of default 和（可选） added`AuthenticationProvider`允许添加、删除或自定义特定`AuthenticationProvider`.
5	`introspectionResponseHandler()`：这`AuthenticationSuccessHandler` (后处理器）用于处理 “authenticated”`OAuth2TokenIntrospectionAuthenticationToken`并返回 OAuth2TokenIntrospection 响应。
6	`errorResponseHandler()`：这`AuthenticationFailureHandler` (后处理器）用于处理`OAuth2AuthenticationException`并返回 OAuth2Error 响应。

OAuth2TokenIntrospectionEndpointConfigurer配置OAuth2TokenIntrospectionEndpointFilter并将其注册到 OAuth2 授权服务器SecurityFilterChain @Bean.OAuth2TokenIntrospectionEndpointFilter是Filter处理 OAuth2 自省请求。spring-doc.cadn.net.cn

OAuth2TokenIntrospectionEndpointFilter配置了以下默认值：spring-doc.cadn.net.cn

AuthenticationConverter— 一个OAuth2TokenIntrospectionAuthenticationConverter.spring-doc.cadn.net.cn
AuthenticationManager— 一个AuthenticationManager组成OAuth2TokenIntrospectionAuthenticationProvider.spring-doc.cadn.net.cn
AuthenticationSuccessHandler— 处理 “authenticated” 的内部实现OAuth2TokenIntrospectionAuthenticationToken并返回OAuth2TokenIntrospection响应。spring-doc.cadn.net.cn
AuthenticationFailureHandler— 一个OAuth2ErrorAuthenticationFailureHandler.spring-doc.cadn.net.cn

OAuth2 Tokens吊销端点

OAuth2TokenRevocationEndpointConfigurer提供自定义 OAuth2 Tokens吊销端点的功能。它定义了扩展点，允许您自定义 OAuth2 吊销请求的预处理、主处理和后处理逻辑。spring-doc.cadn.net.cn

OAuth2TokenRevocationEndpointConfigurer提供以下配置选项：spring-doc.cadn.net.cn

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
	OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
			OAuth2AuthorizationServerConfigurer.authorizationServer();

	http
		.securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
		.with(authorizationServerConfigurer, (authorizationServer) ->
			authorizationServer
				.tokenRevocationEndpoint(tokenRevocationEndpoint ->
                    tokenRevocationEndpoint
                        .revocationRequestConverter(revocationRequestConverter) (1)
                        .revocationRequestConverters(revocationRequestConvertersConsumer)   (2)
                        .authenticationProvider(authenticationProvider) (3)
                        .authenticationProviders(authenticationProvidersConsumer)   (4)
                        .revocationResponseHandler(revocationResponseHandler)   (5)
                        .errorResponseHandler(errorResponseHandler) (6)
				)
		);

	return http.build();
}

1	`revocationRequestConverter()`：添加`AuthenticationConverter` (预处理器）尝试从中提取 OAuth2 吊销请求时使用`HttpServletRequest`添加到`OAuth2TokenRevocationAuthenticationToken`.
2	`revocationRequestConverters()`：设置`Consumer`提供对`List`of default 和（可选） added`AuthenticationConverter`允许添加、删除或自定义特定`AuthenticationConverter`.
3	`authenticationProvider()`：添加`AuthenticationProvider` (主处理器）用于验证`OAuth2TokenRevocationAuthenticationToken`.
4	`authenticationProviders()`：设置`Consumer`提供对`List`of default 和（可选） added`AuthenticationProvider`允许添加、删除或自定义特定`AuthenticationProvider`.
5	`revocationResponseHandler()`：这`AuthenticationSuccessHandler` (后处理器）用于处理 “authenticated”`OAuth2TokenRevocationAuthenticationToken`并返回 OAuth2 吊销响应。
6	`errorResponseHandler()`：这`AuthenticationFailureHandler` (后处理器）用于处理`OAuth2AuthenticationException`并返回 OAuth2Error 响应。

OAuth2TokenRevocationEndpointConfigurer配置OAuth2TokenRevocationEndpointFilter并将其注册到 OAuth2 授权服务器SecurityFilterChain @Bean.OAuth2TokenRevocationEndpointFilter是Filter处理 OAuth2 吊销请求。spring-doc.cadn.net.cn

OAuth2TokenRevocationEndpointFilter配置了以下默认值：spring-doc.cadn.net.cn

AuthenticationConverter— 一个OAuth2TokenRevocationAuthenticationConverter.spring-doc.cadn.net.cn
AuthenticationManager— 一个AuthenticationManager组成OAuth2TokenRevocationAuthenticationProvider.spring-doc.cadn.net.cn
AuthenticationSuccessHandler— 处理 “authenticated” 的内部实现OAuth2TokenRevocationAuthenticationToken并返回 OAuth2 吊销响应。spring-doc.cadn.net.cn
AuthenticationFailureHandler— 一个OAuth2ErrorAuthenticationFailureHandler.spring-doc.cadn.net.cn

OAuth2 授权服务器元数据端点

OAuth2AuthorizationServerMetadataEndpointConfigurer提供自定义 OAuth2 授权服务器元数据端点的功能。它定义了一个扩展点，允许您自定义 OAuth2 Authorization Server 元数据响应。spring-doc.cadn.net.cn

OAuth2AuthorizationServerMetadataEndpointConfigurer提供以下配置选项：spring-doc.cadn.net.cn

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
	OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
			OAuth2AuthorizationServerConfigurer.authorizationServer();

	http
		.securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
		.with(authorizationServerConfigurer, (authorizationServer) ->
			authorizationServer
				.authorizationServerMetadataEndpoint(authorizationServerMetadataEndpoint ->
                    authorizationServerMetadataEndpoint
                        .authorizationServerMetadataCustomizer(authorizationServerMetadataCustomizer)   (1)
				)
		);

	return http.build();
}

1	`authorizationServerMetadataCustomizer()`：这`Consumer`提供对`OAuth2AuthorizationServerMetadata.Builder`允许自定义 Authorization Server 配置的声明。

OAuth2AuthorizationServerMetadataEndpointConfigurer配置OAuth2AuthorizationServerMetadataEndpointFilter并将其注册到 OAuth2 授权服务器SecurityFilterChain @Bean.OAuth2AuthorizationServerMetadataEndpointFilter是Filter返回 OAuth2AuthorizationServerMetadata 响应。spring-doc.cadn.net.cn

JWK 设置端点

OAuth2AuthorizationServerConfigurer提供对 JWK Set 端点的支持。spring-doc.cadn.net.cn

OAuth2AuthorizationServerConfigurer配置NimbusJwkSetEndpointFilter并将其注册到 OAuth2 授权服务器SecurityFilterChain @Bean.NimbusJwkSetEndpointFilter是Filter，这将返回 JWK 集。spring-doc.cadn.net.cn

仅当 JWK Set 的JWKSource<SecurityContext> @Bean已注册。

OpenID Connect 1.0 提供者配置终端节点

OidcProviderConfigurationEndpointConfigurer提供自定义 OpenID Connect 1.0 提供程序配置终端节点的功能。它定义了一个扩展点，允许您自定义 OpenID Provider Configuration 响应。spring-doc.cadn.net.cn

OidcProviderConfigurationEndpointConfigurer提供以下配置选项：spring-doc.cadn.net.cn

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
	OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
			OAuth2AuthorizationServerConfigurer.authorizationServer();

	http
		.securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
		.with(authorizationServerConfigurer, (authorizationServer) ->
			authorizationServer
                .oidc(oidc ->
                    oidc
                        .providerConfigurationEndpoint(providerConfigurationEndpoint ->
                            providerConfigurationEndpoint
                                .providerConfigurationCustomizer(providerConfigurationCustomizer)   (1)
                        )
                )
		);

	return http.build();
}

1	`providerConfigurationCustomizer()`：这`Consumer`提供对`OidcProviderConfiguration.Builder`允许自定义 OpenID Provider 配置的声明。

OidcProviderConfigurationEndpointConfigurer配置OidcProviderConfigurationEndpointFilter并将其注册到 OAuth2 授权服务器SecurityFilterChain @Bean.OidcProviderConfigurationEndpointFilter是Filter，这将返回 OidcProviderConfiguration 响应。spring-doc.cadn.net.cn

OpenID Connect 1.0 注销端点

OidcLogoutEndpointConfigurer提供自定义 OpenID Connect 1.0 注销终端节点的功能。它定义了扩展点，允许您自定义 RP 发起的注销请求的预处理、主处理和后处理逻辑。spring-doc.cadn.net.cn

OidcLogoutEndpointConfigurer提供以下配置选项：spring-doc.cadn.net.cn

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
	OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
			OAuth2AuthorizationServerConfigurer.authorizationServer();

	http
		.securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
		.with(authorizationServerConfigurer, (authorizationServer) ->
			authorizationServer
                .oidc(oidc ->
                    oidc
                        .logoutEndpoint(logoutEndpoint ->
                            logoutEndpoint
                                .logoutRequestConverter(logoutRequestConverter) (1)
                                .logoutRequestConverters(logoutRequestConvertersConsumer)   (2)
                                .authenticationProvider(authenticationProvider) (3)
                                .authenticationProviders(authenticationProvidersConsumer)   (4)
                                .logoutResponseHandler(logoutResponseHandler)   (5)
                                .errorResponseHandler(errorResponseHandler) (6)
                        )
                )
		);

	return http.build();
}

1	`logoutRequestConverter()`：添加`AuthenticationConverter` (预处理器）尝试从中提取注销请求时使用`HttpServletRequest`添加到`OidcLogoutAuthenticationToken`.
2	`logoutRequestConverters()`：设置`Consumer`提供对`List`of default 和（可选） added`AuthenticationConverter`允许添加、删除或自定义特定`AuthenticationConverter`.
3	`authenticationProvider()`：添加`AuthenticationProvider` (主处理器）用于验证`OidcLogoutAuthenticationToken`.
4	`authenticationProviders()`：设置`Consumer`提供对`List`of default 和（可选） added`AuthenticationProvider`允许添加、删除或自定义特定`AuthenticationProvider`.
5	`logoutResponseHandler()`：这`AuthenticationSuccessHandler` (后处理器）用于处理 “authenticated”`OidcLogoutAuthenticationToken`并执行注销。
6	`errorResponseHandler()`：这`AuthenticationFailureHandler` (后处理器）用于处理`OAuth2AuthenticationException`并返回错误响应。

OidcLogoutEndpointConfigurer配置OidcLogoutEndpointFilter并将其注册到 OAuth2 授权服务器SecurityFilterChain @Bean.OidcLogoutEndpointFilter是Filter处理 RP 发起的注销请求并执行最终用户的注销。spring-doc.cadn.net.cn

OidcLogoutEndpointFilter配置了以下默认值：spring-doc.cadn.net.cn

AuthenticationConverter— 一个OidcLogoutAuthenticationConverter.spring-doc.cadn.net.cn
AuthenticationManager— 一个AuthenticationManager组成OidcLogoutAuthenticationProvider.spring-doc.cadn.net.cn
AuthenticationSuccessHandler— 一个OidcLogoutAuthenticationSuccessHandler.spring-doc.cadn.net.cn
AuthenticationFailureHandler— 使用OAuth2Error与OAuth2AuthenticationException并返回OAuth2Error响应。spring-doc.cadn.net.cn

OidcLogoutAuthenticationProvider使用SessionRegistry要查找SessionInformation实例。

OidcClientInitiatedLogoutSuccessHandler是 Spring Security 的 OAuth2 客户端支持中用于配置 OpenID Connect 1.0 RP 发起的注销的相应配置。

自定义注销请求验证

OidcLogoutAuthenticationValidator是用于验证特定 OpenID Connect RP 发起的注销请求参数的默认验证程序。默认实现会验证post_logout_redirect_uri参数。如果验证失败，则OAuth2AuthenticationException被抛出。spring-doc.cadn.net.cn

OidcLogoutAuthenticationProvider通过提供Consumer<OidcLogoutAuthenticationContext>自setAuthenticationValidator().spring-doc.cadn.net.cn

OidcLogoutAuthenticationContext持有OidcLogoutAuthenticationToken，其中包含 logout 请求参数。

如果验证失败，身份验证验证器必须抛出OAuth2AuthenticationException.

以下示例显示如何配置OidcLogoutAuthenticationProvider使用自定义身份验证验证器：spring-doc.cadn.net.cn

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
	OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
			OAuth2AuthorizationServerConfigurer.authorizationServer();

	http
		.securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
		.with(authorizationServerConfigurer, (authorizationServer) ->
			authorizationServer
                .oidc(oidc ->
                    oidc
                        .logoutEndpoint(logoutEndpoint ->
                            logoutEndpoint
                                .authenticationProviders(configureAuthenticationValidator())
                        )
                )
		);

	return http.build();
}

private Consumer<List<AuthenticationProvider>> configureAuthenticationValidator() {
	return (authenticationProviders) ->
			authenticationProviders.forEach((authenticationProvider) -> {
				if (authenticationProvider instanceof OidcLogoutAuthenticationProvider oidcLogoutAuthenticationProvider) {
					Consumer<OidcLogoutAuthenticationContext> authenticationValidator = new CustomPostLogoutRedirectUriValidator();
					oidcLogoutAuthenticationProvider.setAuthenticationValidator(authenticationValidator);
				}
			});
}

static class CustomPostLogoutRedirectUriValidator implements Consumer<OidcLogoutAuthenticationContext> {

	@Override
	public void accept(OidcLogoutAuthenticationContext authenticationContext) {
		OidcLogoutAuthenticationToken oidcLogoutAuthentication =
				authenticationContext.getAuthentication();
		RegisteredClient registeredClient = authenticationContext.getRegisteredClient();

		// TODO

	}
}

OpenID Connect 1.0 UserInfo 端点

OidcUserInfoEndpointConfigurer提供自定义 OpenID Connect 1.0 UserInfo 终端节点的功能。它定义了扩展点，允许您自定义 UserInfo 请求的预处理、主处理和后处理逻辑。spring-doc.cadn.net.cn

OidcUserInfoEndpointConfigurer提供以下配置选项：spring-doc.cadn.net.cn

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
	OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
			OAuth2AuthorizationServerConfigurer.authorizationServer();

	http
		.securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
		.with(authorizationServerConfigurer, (authorizationServer) ->
			authorizationServer
                .oidc(oidc ->
                    oidc
                        .userInfoEndpoint(userInfoEndpoint ->
                            userInfoEndpoint
                                .userInfoRequestConverter(userInfoRequestConverter) (1)
                                .userInfoRequestConverters(userInfoRequestConvertersConsumer)   (2)
                                .authenticationProvider(authenticationProvider) (3)
                                .authenticationProviders(authenticationProvidersConsumer)   (4)
                                .userInfoResponseHandler(userInfoResponseHandler)   (5)
                                .errorResponseHandler(errorResponseHandler) (6)
                                .userInfoMapper(userInfoMapper) (7)
                        )
                )
		);

	return http.build();
}

1	`userInfoRequestConverter()`：添加`AuthenticationConverter` (预处理器）尝试从中提取 UserInfo 请求时使用`HttpServletRequest`添加到`OidcUserInfoAuthenticationToken`.
2	`userInfoRequestConverters()`：设置`Consumer`提供对`List`of default 和（可选） added`AuthenticationConverter`允许添加、删除或自定义特定`AuthenticationConverter`.
3	`authenticationProvider()`：添加`AuthenticationProvider` (主处理器）用于验证`OidcUserInfoAuthenticationToken`.
4	`authenticationProviders()`：设置`Consumer`提供对`List`of default 和（可选） added`AuthenticationProvider`允许添加、删除或自定义特定`AuthenticationProvider`.
5	`userInfoResponseHandler()`：这`AuthenticationSuccessHandler` (后处理器）用于处理 “authenticated”`OidcUserInfoAuthenticationToken`并返回 UserInfo 响应。
6	`errorResponseHandler()`：这`AuthenticationFailureHandler` (后处理器）用于处理`OAuth2AuthenticationException`并返回 UserInfo Error 响应。
7	`userInfoMapper()`：这`Function`用于从`OidcUserInfoAuthenticationContext`添加到`OidcUserInfo`.

OidcUserInfoEndpointConfigurer配置OidcUserInfoEndpointFilter并将其注册到 OAuth2 授权服务器SecurityFilterChain @Bean.OidcUserInfoEndpointFilter是Filter处理 UserInfo 请求并返回 OidcUserInfo 响应。spring-doc.cadn.net.cn

OidcUserInfoEndpointFilter配置了以下默认值：spring-doc.cadn.net.cn

AuthenticationConverter— 一个内部实现，用于获取Authentication从SecurityContext并创建一个OidcUserInfoAuthenticationToken与校长。spring-doc.cadn.net.cn
AuthenticationManager— 一个AuthenticationManager组成OidcUserInfoAuthenticationProvider，它与userInfoMapper它根据授权期间请求的范围从 ID Tokens中提取标准声明。spring-doc.cadn.net.cn
AuthenticationSuccessHandler— 处理 “authenticated” 的内部实现OidcUserInfoAuthenticationToken并返回OidcUserInfo响应。spring-doc.cadn.net.cn
AuthenticationFailureHandler— 使用OAuth2Error与OAuth2AuthenticationException并返回OAuth2Error响应。spring-doc.cadn.net.cn

您可以通过提供OAuth2TokenCustomizer<JwtEncodingContext> @Bean.

OpenID Connect 1.0 UserInfo 终端节点是受 OAuth2 保护的资源，它要求在 UserInfo 请求中将访问Tokens作为持有者Tokens发送。spring-doc.cadn.net.cn

OAuth2 资源服务器支持是自动配置的，但是，一个JwtDecoder @Bean对于 OpenID Connect 1.0 UserInfo 终端节点是必需的。

指南作方法：自定义 OpenID Connect 1.0 UserInfo 响应包含自定义 UserInfo 端点的示例。

OpenID Connect 1.0 客户端注册终端节点

OidcClientRegistrationEndpointConfigurer提供自定义 OpenID Connect 1.0 客户端注册终端节点的功能。它定义了扩展点，允许您自定义客户端注册请求或客户端读取请求的预处理、主处理和后处理逻辑。spring-doc.cadn.net.cn

OidcClientRegistrationEndpointConfigurer提供以下配置选项：spring-doc.cadn.net.cn

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
	OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
			OAuth2AuthorizationServerConfigurer.authorizationServer();

	http
		.securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
		.with(authorizationServerConfigurer, (authorizationServer) ->
			authorizationServer
                .oidc(oidc ->
                    oidc
                        .clientRegistrationEndpoint(clientRegistrationEndpoint ->
                            clientRegistrationEndpoint
                                .clientRegistrationRequestConverter(clientRegistrationRequestConverter) (1)
                                .clientRegistrationRequestConverters(clientRegistrationRequestConvertersConsumers)  (2)
                                .authenticationProvider(authenticationProvider) (3)
                                .authenticationProviders(authenticationProvidersConsumer)   (4)
                                .clientRegistrationResponseHandler(clientRegistrationResponseHandler)   (5)
                                .errorResponseHandler(errorResponseHandler) (6)
                        )
                )
		);

	return http.build();
}

1	`clientRegistrationRequestConverter()`：添加`AuthenticationConverter` (预处理器）尝试从中提取客户端注册请求或客户端读取请求时使用`HttpServletRequest`添加到`OidcClientRegistrationAuthenticationToken`.
2	`clientRegistrationRequestConverters()`：设置`Consumer`提供对`List`of default 和（可选） added`AuthenticationConverter`允许添加、删除或自定义特定`AuthenticationConverter`.
3	`authenticationProvider()`：添加`AuthenticationProvider` (主处理器）用于验证`OidcClientRegistrationAuthenticationToken`.
4	`authenticationProviders()`：设置`Consumer`提供对`List`of default 和（可选） added`AuthenticationProvider`允许添加、删除或自定义特定`AuthenticationProvider`.
5	`clientRegistrationResponseHandler()`：这`AuthenticationSuccessHandler` (后处理器）用于处理 “authenticated”`OidcClientRegistrationAuthenticationToken`并返回 Client Registration 响应或 Client Read 响应。
6	`errorResponseHandler()`：这`AuthenticationFailureHandler` (后处理器）用于处理`OAuth2AuthenticationException`并返回 Client Registration Error 响应或 Client Read Error 响应。

默认情况下，OpenID Connect 1.0 客户端注册终端节点处于禁用状态，因为许多部署不需要动态客户端注册。

OidcClientRegistrationEndpointConfigurer配置OidcClientRegistrationEndpointFilter并将其注册到 OAuth2 授权服务器SecurityFilterChain @Bean.OidcClientRegistrationEndpointFilter是Filter处理客户端注册请求并返回 OidcClientRegistration 响应。spring-doc.cadn.net.cn

OidcClientRegistrationEndpointFilter还会处理 Client Read 请求并返回 OidcClientRegistration 响应。

OidcClientRegistrationEndpointFilter配置了以下默认值：spring-doc.cadn.net.cn

AuthenticationConverter— 一个OidcClientRegistrationAuthenticationConverter.spring-doc.cadn.net.cn
AuthenticationManager— 一个AuthenticationManager组成OidcClientRegistrationAuthenticationProvider和OidcClientConfigurationAuthenticationProvider.spring-doc.cadn.net.cn
AuthenticationSuccessHandler— 处理 “authenticated” 的内部实现OidcClientRegistrationAuthenticationToken并返回OidcClientRegistration响应。spring-doc.cadn.net.cn
AuthenticationFailureHandler— 使用OAuth2Error与OAuth2AuthenticationException并返回OAuth2Error响应。spring-doc.cadn.net.cn

OpenID Connect 1.0 客户端注册终端节点是受 OAuth2 保护的资源，它要求在客户端注册（或客户端读取）请求中将访问Tokens作为持有者Tokens发送。spring-doc.cadn.net.cn

OAuth2 资源服务器支持是自动配置的，但是，一个JwtDecoder @Bean对于 OpenID Connect 1.0 客户端注册终端节点是必需的。

客户端注册请求中的访问Tokens需要 OAuth2 范围client.create.

客户端读取请求中的访问Tokens需要 OAuth2 范围client.read.