OAuth2 Authorization Endpoint

OAuth2AuthorizationEndpointConfigurer provides the ability to customize the OAuth2 Authorization endpoint. It defines extension points that let you customize the pre-processing, main processing, and post-processing logic for OAuth2 authorization requests.

OAuth2AuthorizationEndpointConfigurer provides the following configuration options:
@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
    OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
            new OAuth2AuthorizationServerConfigurer();
    http.apply(authorizationServerConfigurer);

    authorizationServerConfigurer
        .authorizationEndpoint(authorizationEndpoint ->
            authorizationEndpoint
                .authorizationRequestConverter(authorizationRequestConverter)
                .authorizationRequestConverters(authorizationRequestConvertersConsumer)
                .authenticationProvider(authenticationProvider)
                .authenticationProviders(authenticationProvidersConsumer)
                .authorizationResponseHandler(authorizationResponseHandler)
                .errorResponseHandler(errorResponseHandler)
                .consentPage("/oauth2/v1/authorize")
        );

    return http.build();
}
- authorizationRequestConverter(): Adds an AuthenticationConverter (pre-processor) used when attempting to extract an OAuth2 authorization request (or consent) from HttpServletRequest to an instance of OAuth2AuthorizationCodeRequestAuthenticationToken or OAuth2AuthorizationConsentAuthenticationToken.
- authorizationRequestConverters(): Sets the Consumer providing access to the List of default and (optionally) added AuthenticationConverter's, allowing the ability to add, remove, or customize a specific AuthenticationConverter.
- authenticationProvider(): Adds an AuthenticationProvider (main processor) used for authenticating the OAuth2AuthorizationCodeRequestAuthenticationToken or OAuth2AuthorizationConsentAuthenticationToken.
- authenticationProviders(): Sets the Consumer providing access to the List of default and (optionally) added AuthenticationProvider's, allowing the ability to add, remove, or customize a specific AuthenticationProvider.
- authorizationResponseHandler(): The AuthenticationSuccessHandler (post-processor) used for handling an "authenticated" OAuth2AuthorizationCodeRequestAuthenticationToken and returning the OAuth2AuthorizationResponse.
- errorResponseHandler(): The AuthenticationFailureHandler (post-processor) used for handling an OAuth2AuthorizationCodeRequestAuthenticationException and returning the OAuth2Error response.
- consentPage(): The URI of the custom consent page to redirect resource owners to if consent is required during the authorization request flow.
OAuth2AuthorizationEndpointConfigurer configures the OAuth2AuthorizationEndpointFilter and registers it with the OAuth2 authorization server SecurityFilterChain @Bean. OAuth2AuthorizationEndpointFilter is the Filter that processes OAuth2 authorization requests (and consents).

OAuth2AuthorizationEndpointFilter is configured with the following defaults:

- AuthenticationConverter: A DelegatingAuthenticationConverter composed of OAuth2AuthorizationCodeRequestAuthenticationConverter and OAuth2AuthorizationConsentAuthenticationConverter.
- AuthenticationManager: An AuthenticationManager composed of OAuth2AuthorizationCodeRequestAuthenticationProvider and OAuth2AuthorizationConsentAuthenticationProvider.
- AuthenticationSuccessHandler: An internal implementation that handles an "authenticated" OAuth2AuthorizationCodeRequestAuthenticationToken and returns the OAuth2AuthorizationResponse.
- AuthenticationFailureHandler: An internal implementation that uses the OAuth2Error associated with the OAuth2AuthorizationCodeRequestAuthenticationException and returns the OAuth2Error response.
Customizing Authorization Request Validation

OAuth2AuthorizationCodeRequestAuthenticationValidator is the default validator used for validating specific OAuth2 authorization request parameters used in the Authorization Code Grant. The default implementation validates the redirect_uri and scope parameters. If validation fails, an OAuth2AuthorizationCodeRequestAuthenticationException is thrown.

OAuth2AuthorizationCodeRequestAuthenticationProvider provides the ability to override the default authorization request validation by supplying a custom authentication validator of type Consumer<OAuth2AuthorizationCodeRequestAuthenticationContext> to setAuthenticationValidator().

OAuth2AuthorizationCodeRequestAuthenticationContext holds the OAuth2AuthorizationCodeRequestAuthenticationToken, which contains the OAuth2 authorization request parameters.

The authentication validator MUST throw OAuth2AuthorizationCodeRequestAuthenticationException if validation fails.

A common use case during the development lifecycle phase is to allow for localhost in the redirect_uri parameter.

The following example shows how to configure OAuth2AuthorizationCodeRequestAuthenticationProvider with a custom authentication validator that allows for localhost in the redirect_uri parameter:
@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
    OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
            new OAuth2AuthorizationServerConfigurer();
    http.apply(authorizationServerConfigurer);

    authorizationServerConfigurer
        .authorizationEndpoint(authorizationEndpoint ->
            authorizationEndpoint
                .authenticationProviders(configureAuthenticationValidator())
        );

    return http.build();
}

private Consumer<List<AuthenticationProvider>> configureAuthenticationValidator() {
    return (authenticationProviders) ->
        authenticationProviders.forEach((authenticationProvider) -> {
            if (authenticationProvider instanceof OAuth2AuthorizationCodeRequestAuthenticationProvider) {
                Consumer<OAuth2AuthorizationCodeRequestAuthenticationContext> authenticationValidator =
                        // Override default redirect_uri validator
                        new CustomRedirectUriValidator()
                                // Reuse default scope validator
                                .andThen(OAuth2AuthorizationCodeRequestAuthenticationValidator.DEFAULT_SCOPE_VALIDATOR);

                ((OAuth2AuthorizationCodeRequestAuthenticationProvider) authenticationProvider)
                        .setAuthenticationValidator(authenticationValidator);
            }
        });
}

static class CustomRedirectUriValidator implements Consumer<OAuth2AuthorizationCodeRequestAuthenticationContext> {

    @Override
    public void accept(OAuth2AuthorizationCodeRequestAuthenticationContext authenticationContext) {
        OAuth2AuthorizationCodeRequestAuthenticationToken authorizationCodeRequestAuthentication =
                authenticationContext.getAuthentication();
        RegisteredClient registeredClient = authenticationContext.getRegisteredClient();
        String requestedRedirectUri = authorizationCodeRequestAuthentication.getRedirectUri();

        // Use exact string matching when comparing client redirect URIs against pre-registered URIs
        if (!registeredClient.getRedirectUris().contains(requestedRedirectUri)) {
            OAuth2Error error = new OAuth2Error(OAuth2ErrorCodes.INVALID_REQUEST);
            throw new OAuth2AuthorizationCodeRequestAuthenticationException(error, null);
        }
    }
}
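The documentation example above keeps exact matching for every redirect URI. As an added example that is not part of the Spring Authorization Server documentation, the validator below goes one step further and implements the localhost use case the text describes: a redirect_uri whose host is the loopback interface may differ from a registered loopback URI in its port number only (RFC 8252, section 7.3, which covers native apps that bind an ephemeral port). Every other case, including an absent redirect_uri, a non-loopback host, or a loopback URI with a different path, is delegated to the framework's DEFAULT_REDIRECT_URI_VALIDATOR, so the exact-match rule and its error handling stay in force. The class name LoopbackRedirectUriValidator and the set of hosts treated as loopback are this example's own choices.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Objects;
import java.util.Set;
import java.util.function.Consumer;

import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationContext;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationToken;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationValidator;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;

/**
 * Added example, not part of the Spring Authorization Server documentation.
 *
 * Accepts a redirect_uri that differs from a registered URI only in its port, and only when
 * both point at the loopback interface (RFC 8252 section 7.3). Everything else is handed to the
 * framework's DEFAULT_REDIRECT_URI_VALIDATOR, which keeps exact matching for all other clients.
 */
public class LoopbackRedirectUriValidator
        implements Consumer<OAuth2AuthorizationCodeRequestAuthenticationContext> {

    // Hosts treated as loopback for this example; RFC 8252 recommends the IP literals over "localhost"
    private static final Set<String> LOOPBACK_HOSTS = Set.of("127.0.0.1", "[::1]", "localhost");

    @Override
    public void accept(OAuth2AuthorizationCodeRequestAuthenticationContext authenticationContext) {
        OAuth2AuthorizationCodeRequestAuthenticationToken authentication =
                authenticationContext.getAuthentication();
        RegisteredClient registeredClient = authenticationContext.getRegisteredClient();
        String requestedRedirectUri = authentication.getRedirectUri();

        if (requestedRedirectUri != null
                && matchesRegisteredLoopbackUri(requestedRedirectUri, registeredClient)) {
            return; // accepted under the loopback rule; returning without an exception means valid
        }
        // Fall through to the default validator: exact string match, or the error it raises
        OAuth2AuthorizationCodeRequestAuthenticationValidator.DEFAULT_REDIRECT_URI_VALIDATOR
                .accept(authenticationContext);
    }

    static boolean matchesRegisteredLoopbackUri(String requested, RegisteredClient registeredClient) {
        URI requestedUri = parse(requested);
        if (requestedUri == null || !isLoopbackHttp(requestedUri)) {
            return false;
        }
        for (String registered : registeredClient.getRedirectUris()) {
            URI registeredUri = parse(registered);
            if (registeredUri != null
                    && isLoopbackHttp(registeredUri)
                    && Objects.equals(registeredUri.getHost(), requestedUri.getHost())
                    && Objects.equals(registeredUri.getRawPath(), requestedUri.getRawPath())
                    && Objects.equals(registeredUri.getRawQuery(), requestedUri.getRawQuery())) {
                return true; // same scheme, host, path and query; only the port may differ
            }
        }
        return false;
    }

    // Loopback redirects use plain http (RFC 8252 section 7.3) and must not carry a fragment
    private static boolean isLoopbackHttp(URI uri) {
        return "http".equalsIgnoreCase(uri.getScheme())
                && uri.getHost() != null
                && LOOPBACK_HOSTS.contains(uri.getHost().toLowerCase())
                && uri.getRawFragment() == null;
    }

    private static URI parse(String value) {
        try {
            return new URI(value);
        } catch (URISyntaxException ex) {
            return null; // unparseable values are left to the default validator to reject
        }
    }
}
```

Register it in configureAuthenticationValidator() in place of CustomRedirectUriValidator, still composed with the default scope validator: new LoopbackRedirectUriValidator().andThen(OAuth2AuthorizationCodeRequestAuthenticationValidator.DEFAULT_SCOPE_VALIDATOR). The relaxation only applies to clients that already have a loopback URI registered for that path; it does not let a client introduce a new redirect target, and a deployment with no native clients can simply keep the default validator.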
OAuth2 Token Endpoint

OAuth2TokenEndpointConfigurer provides the ability to customize the OAuth2 Token endpoint. It defines extension points that let you customize the pre-processing, main processing, and post-processing logic for OAuth2 access token requests.

OAuth2TokenEndpointConfigurer provides the following configuration options:
@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
    OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
            new OAuth2AuthorizationServerConfigurer();
    http.apply(authorizationServerConfigurer);

    authorizationServerConfigurer
        .tokenEndpoint(tokenEndpoint ->
            tokenEndpoint
                .accessTokenRequestConverter(accessTokenRequestConverter)
                .accessTokenRequestConverters(accessTokenRequestConvertersConsumer)
                .authenticationProvider(authenticationProvider)
                .authenticationProviders(authenticationProvidersConsumer)
                .accessTokenResponseHandler(accessTokenResponseHandler)
                .errorResponseHandler(errorResponseHandler)
        );

    return http.build();
}
- accessTokenRequestConverter(): Adds an AuthenticationConverter (pre-processor) used when attempting to extract an OAuth2 access token request from HttpServletRequest to an instance of OAuth2AuthorizationGrantAuthenticationToken.
- accessTokenRequestConverters(): Sets the Consumer providing access to the List of default and (optionally) added AuthenticationConverter's, allowing the ability to add, remove, or customize a specific AuthenticationConverter.
- authenticationProvider(): Adds an AuthenticationProvider (main processor) used for authenticating the OAuth2AuthorizationGrantAuthenticationToken.
- authenticationProviders(): Sets the Consumer providing access to the List of default and (optionally) added AuthenticationProvider's, allowing the ability to add, remove, or customize a specific AuthenticationProvider.
- accessTokenResponseHandler(): The AuthenticationSuccessHandler (post-processor) used for handling an OAuth2AccessTokenAuthenticationToken and returning the OAuth2AccessTokenResponse.
- errorResponseHandler(): The AuthenticationFailureHandler (post-processor) used for handling an OAuth2AuthenticationException and returning the OAuth2Error response.
OAuth2TokenEndpointConfigurer configures the OAuth2TokenEndpointFilter and registers it with the OAuth2 authorization server SecurityFilterChain @Bean. OAuth2TokenEndpointFilter is the Filter that processes OAuth2 access token requests.

The supported authorization grant types are authorization_code, refresh_token, and client_credentials.

OAuth2TokenEndpointFilter is configured with the following defaults:

- AuthenticationConverter: A DelegatingAuthenticationConverter composed of OAuth2AuthorizationCodeAuthenticationConverter, OAuth2RefreshTokenAuthenticationConverter, and OAuth2ClientCredentialsAuthenticationConverter.
- AuthenticationManager: An AuthenticationManager composed of OAuth2AuthorizationCodeAuthenticationProvider, OAuth2RefreshTokenAuthenticationProvider, and OAuth2ClientCredentialsAuthenticationProvider.
- AuthenticationSuccessHandler: An internal implementation that handles an OAuth2AccessTokenAuthenticationToken and returns the OAuth2AccessTokenResponse.
- AuthenticationFailureHandler: An internal implementation that uses the OAuth2Error associated with the OAuth2AuthenticationException and returns the OAuth2Error response.
OAuth2 Token Introspection Endpoint

OAuth2TokenIntrospectionEndpointConfigurer provides the ability to customize the OAuth2 Token Introspection endpoint. It defines extension points that let you customize the pre-processing, main processing, and post-processing logic for OAuth2 introspection requests.

OAuth2TokenIntrospectionEndpointConfigurer provides the following configuration options:
@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
    OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
            new OAuth2AuthorizationServerConfigurer();
    http.apply(authorizationServerConfigurer);

    authorizationServerConfigurer
        .tokenIntrospectionEndpoint(tokenIntrospectionEndpoint ->
            tokenIntrospectionEndpoint
                .introspectionRequestConverter(introspectionRequestConverter)
                .introspectionRequestConverters(introspectionRequestConvertersConsumer)
                .authenticationProvider(authenticationProvider)
                .authenticationProviders(authenticationProvidersConsumer)
                .introspectionResponseHandler(introspectionResponseHandler)
                .errorResponseHandler(errorResponseHandler)
        );

    return http.build();
}
- introspectionRequestConverter(): Adds an AuthenticationConverter (pre-processor) used when attempting to extract an OAuth2 introspection request from HttpServletRequest to an instance of OAuth2TokenIntrospectionAuthenticationToken.
- introspectionRequestConverters(): Sets the Consumer providing access to the List of default and (optionally) added AuthenticationConverter's, allowing the ability to add, remove, or customize a specific AuthenticationConverter.
- authenticationProvider(): Adds an AuthenticationProvider (main processor) used for authenticating the OAuth2TokenIntrospectionAuthenticationToken.
- authenticationProviders(): Sets the Consumer providing access to the List of default and (optionally) added AuthenticationProvider's, allowing the ability to add, remove, or customize a specific AuthenticationProvider.
- introspectionResponseHandler(): The AuthenticationSuccessHandler (post-processor) used for handling an "authenticated" OAuth2TokenIntrospectionAuthenticationToken and returning the OAuth2TokenIntrospection response.
- errorResponseHandler(): The AuthenticationFailureHandler (post-processor) used for handling an OAuth2AuthenticationException and returning the OAuth2Error response.
OAuth2TokenIntrospectionEndpointConfigurer configures the OAuth2TokenIntrospectionEndpointFilter and registers it with the OAuth2 authorization server SecurityFilterChain @Bean. OAuth2TokenIntrospectionEndpointFilter is the Filter that processes OAuth2 introspection requests.

OAuth2TokenIntrospectionEndpointFilter is configured with the following defaults:

- AuthenticationConverter: An OAuth2TokenIntrospectionAuthenticationConverter.
- AuthenticationManager: An AuthenticationManager composed of OAuth2TokenIntrospectionAuthenticationProvider.
- AuthenticationSuccessHandler: An internal implementation that handles an "authenticated" OAuth2TokenIntrospectionAuthenticationToken and returns the OAuth2TokenIntrospection response.
- AuthenticationFailureHandler: An internal implementation that uses the OAuth2Error associated with the OAuth2AuthenticationException and returns the OAuth2Error response.
OAuth2 Token Revocation Endpoint

OAuth2TokenRevocationEndpointConfigurer provides the ability to customize the OAuth2 Token Revocation endpoint. It defines extension points that let you customize the pre-processing, main processing, and post-processing logic for OAuth2 revocation requests.

OAuth2TokenRevocationEndpointConfigurer provides the following configuration options:
@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
    OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
            new OAuth2AuthorizationServerConfigurer();
    http.apply(authorizationServerConfigurer);

    authorizationServerConfigurer
        .tokenRevocationEndpoint(tokenRevocationEndpoint ->
            tokenRevocationEndpoint
                .revocationRequestConverter(revocationRequestConverter)
                .revocationRequestConverters(revocationRequestConvertersConsumer)
                .authenticationProvider(authenticationProvider)
                .authenticationProviders(authenticationProvidersConsumer)
                .revocationResponseHandler(revocationResponseHandler)
                .errorResponseHandler(errorResponseHandler)
        );

    return http.build();
}
- revocationRequestConverter(): Adds an AuthenticationConverter (pre-processor) used when attempting to extract an OAuth2 revocation request from HttpServletRequest to an instance of OAuth2TokenRevocationAuthenticationToken.
- revocationRequestConverters(): Sets the Consumer providing access to the List of default and (optionally) added AuthenticationConverter's, allowing the ability to add, remove, or customize a specific AuthenticationConverter.
- authenticationProvider(): Adds an AuthenticationProvider (main processor) used for authenticating the OAuth2TokenRevocationAuthenticationToken.
- authenticationProviders(): Sets the Consumer providing access to the List of default and (optionally) added AuthenticationProvider's, allowing the ability to add, remove, or customize a specific AuthenticationProvider.
- revocationResponseHandler(): The AuthenticationSuccessHandler (post-processor) used for handling an "authenticated" OAuth2TokenRevocationAuthenticationToken and returning the OAuth2 revocation response.
- errorResponseHandler(): The AuthenticationFailureHandler (post-processor) used for handling an OAuth2AuthenticationException and returning the OAuth2Error response.
OAuth2TokenRevocationEndpointConfigurer configures the OAuth2TokenRevocationEndpointFilter and registers it with the OAuth2 authorization server SecurityFilterChain @Bean. OAuth2TokenRevocationEndpointFilter is the Filter that processes OAuth2 revocation requests.

OAuth2TokenRevocationEndpointFilter is configured with the following defaults:

- AuthenticationConverter: An OAuth2TokenRevocationAuthenticationConverter.
- AuthenticationManager: An AuthenticationManager composed of OAuth2TokenRevocationAuthenticationProvider.
- AuthenticationSuccessHandler: An internal implementation that handles an "authenticated" OAuth2TokenRevocationAuthenticationToken and returns the OAuth2 revocation response.
- AuthenticationFailureHandler: An internal implementation that uses the OAuth2Error associated with the OAuth2AuthenticationException and returns the OAuth2Error response.
OAuth2 Authorization Server Metadata Endpoint

OAuth2AuthorizationServerMetadataEndpointConfigurer provides the ability to customize the OAuth2 Authorization Server Metadata endpoint. It defines an extension point that lets you customize the OAuth2 Authorization Server Metadata response.

OAuth2AuthorizationServerMetadataEndpointConfigurer provides the following configuration options:
@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
    OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
            new OAuth2AuthorizationServerConfigurer();
    http.apply(authorizationServerConfigurer);

    authorizationServerConfigurer
        .authorizationServerMetadataEndpoint(authorizationServerMetadataEndpoint ->
            authorizationServerMetadataEndpoint
                .authorizationServerMetadataCustomizer(authorizationServerMetadataCustomizer));

    return http.build();
}
- authorizationServerMetadataCustomizer(): The Consumer providing access to the OAuth2AuthorizationServerMetadata.Builder, allowing the ability to customize the claims of the Authorization Server's configuration.

OAuth2AuthorizationServerMetadataEndpointConfigurer configures the OAuth2AuthorizationServerMetadataEndpointFilter and registers it with the OAuth2 authorization server SecurityFilterChain @Bean. OAuth2AuthorizationServerMetadataEndpointFilter is the Filter that returns the OAuth2AuthorizationServerMetadata response.
JWK Set Endpoint

OAuth2AuthorizationServerConfigurer provides support for the JWK Set endpoint.

OAuth2AuthorizationServerConfigurer configures the NimbusJwkSetEndpointFilter and registers it with the OAuth2 authorization server SecurityFilterChain @Bean. NimbusJwkSetEndpointFilter is the Filter that returns the JWK Set.

The JWK Set endpoint is configured only if a JWKSource<SecurityContext> @Bean is registered.
OpenID Connect 1.0 Provider Configuration Endpoint

OidcProviderConfigurationEndpointConfigurer provides the ability to customize the OpenID Connect 1.0 Provider Configuration endpoint. It defines an extension point that lets you customize the OpenID Provider Configuration response.

OidcProviderConfigurationEndpointConfigurer provides the following configuration options:
@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
    OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
            new OAuth2AuthorizationServerConfigurer();
    http.apply(authorizationServerConfigurer);

    authorizationServerConfigurer
        .oidc(oidc ->
            oidc
                .providerConfigurationEndpoint(providerConfigurationEndpoint ->
                    providerConfigurationEndpoint
                        .providerConfigurationCustomizer(providerConfigurationCustomizer)
                )
        );

    return http.build();
}
- providerConfigurationCustomizer(): The Consumer providing access to the OidcProviderConfiguration.Builder, allowing the ability to customize the claims of the OpenID Provider's configuration.

OidcProviderConfigurationEndpointConfigurer configures the OidcProviderConfigurationEndpointFilter and registers it with the OAuth2 authorization server SecurityFilterChain @Bean. OidcProviderConfigurationEndpointFilter is the Filter that returns the OidcProviderConfiguration response.
OpenID Connect 1.0 UserInfo Endpoint

OidcUserInfoEndpointConfigurer provides the ability to customize the OpenID Connect 1.0 UserInfo endpoint. It defines extension points that let you customize the pre-processing, main processing, and post-processing logic for UserInfo requests.

OidcUserInfoEndpointConfigurer provides the following configuration options:
@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
    OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
            new OAuth2AuthorizationServerConfigurer();
    http.apply(authorizationServerConfigurer);

    authorizationServerConfigurer
        .oidc(oidc ->
            oidc
                .userInfoEndpoint(userInfoEndpoint ->
                    userInfoEndpoint
                        .userInfoRequestConverter(userInfoRequestConverter)
                        .userInfoRequestConverters(userInfoRequestConvertersConsumer)
                        .authenticationProvider(authenticationProvider)
                        .authenticationProviders(authenticationProvidersConsumer)
                        .userInfoResponseHandler(userInfoResponseHandler)
                        .errorResponseHandler(errorResponseHandler)
                        .userInfoMapper(userInfoMapper)
                )
        );

    return http.build();
}
- userInfoRequestConverter(): Adds an AuthenticationConverter (pre-processor) used when attempting to extract a UserInfo Request from HttpServletRequest to an instance of OidcUserInfoAuthenticationToken.
- userInfoRequestConverters(): Sets the Consumer providing access to the List of default and (optionally) added AuthenticationConverter's, allowing the ability to add, remove, or customize a specific AuthenticationConverter.
- authenticationProvider(): Adds an AuthenticationProvider (main processor) used for authenticating the OidcUserInfoAuthenticationToken.
- authenticationProviders(): Sets the Consumer providing access to the List of default and (optionally) added AuthenticationProvider's, allowing the ability to add, remove, or customize a specific AuthenticationProvider.
- userInfoResponseHandler(): The AuthenticationSuccessHandler (post-processor) used for handling an "authenticated" OidcUserInfoAuthenticationToken and returning the UserInfo response.
- errorResponseHandler(): The AuthenticationFailureHandler (post-processor) used for handling an OAuth2AuthenticationException and returning the UserInfo Error response.
- userInfoMapper(): The Function used to extract claims from OidcUserInfoAuthenticationContext to an instance of OidcUserInfo.
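A custom userInfoMapper decides which claims leave the server, so it is also where scope enforcement for the UserInfo response lives. The mapper below is an added example, not code from the Spring Authorization Server project or its how-to guide: it takes the subject from the ID Token stored in the OAuth2Authorization, looks the user up in a caller-supplied directory (the userDirectory Function is a hypothetical stand-in for a real user store), and releases only the claim groups that the access token's scopes permit under OpenID Connect Core 1.0 section 5.4. The scopes are read from the authorization record the server holds, not from anything in the request. Class and constructor names are this example's own.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import java.util.function.Function;

import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.core.oidc.OidcIdToken;
import org.springframework.security.oauth2.core.oidc.OidcUserInfo;
import org.springframework.security.oauth2.core.oidc.StandardClaimNames;
import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
import org.springframework.security.oauth2.server.authorization.oidc.authentication.OidcUserInfoAuthenticationContext;

/**
 * Added example (not part of the Spring Authorization Server project). Builds the UserInfo
 * response from a user directory while releasing only the claims that the access token's
 * scopes allow (OpenID Connect Core 1.0 section 5.4). The userDirectory Function is a
 * hypothetical stand-in for a real user store and is supplied by the caller.
 */
public class ScopeFilteringUserInfoMapper
        implements Function<OidcUserInfoAuthenticationContext, OidcUserInfo> {

    // Claim groups released per scope; a claim outside these groups is never returned
    private static final Map<String, Set<String>> CLAIMS_BY_SCOPE = Map.of(
            "profile", Set.of(StandardClaimNames.NAME, StandardClaimNames.GIVEN_NAME,
                    StandardClaimNames.FAMILY_NAME, StandardClaimNames.PREFERRED_USERNAME),
            "email", Set.of(StandardClaimNames.EMAIL, StandardClaimNames.EMAIL_VERIFIED),
            "phone", Set.of(StandardClaimNames.PHONE_NUMBER, StandardClaimNames.PHONE_NUMBER_VERIFIED));

    private final Function<String, Map<String, Object>> userDirectory;

    public ScopeFilteringUserInfoMapper(Function<String, Map<String, Object>> userDirectory) {
        this.userDirectory = userDirectory;
    }

    @Override
    public OidcUserInfo apply(OidcUserInfoAuthenticationContext context) {
        OAuth2Authorization authorization = context.getAuthorization();
        OAuth2AccessToken accessToken = context.getAccessToken();

        // The subject comes from the ID Token the server issued; fall back to the principal name
        OAuth2Authorization.Token<OidcIdToken> idToken = authorization.getToken(OidcIdToken.class);
        String subject = (idToken != null)
                ? idToken.getToken().getSubject()
                : authorization.getPrincipalName();

        Map<String, Object> claims = new HashMap<>();
        claims.put(StandardClaimNames.SUB, subject); // sub is always returned

        Map<String, Object> record = this.userDirectory.apply(subject);
        if (record != null) {
            // Scopes are taken from the server-side authorization record, never from the request
            for (String scope : accessToken.getScopes()) {
                for (String claimName : CLAIMS_BY_SCOPE.getOrDefault(scope, Set.of())) {
                    Object value = record.get(claimName);
                    if (value != null) {
                        claims.put(claimName, value);
                    }
                }
            }
        }
        return new OidcUserInfo(claims);
    }
}
```

Wire it with .userInfoMapper(new ScopeFilteringUserInfoMapper(userDirectory)) in the oidc().userInfoEndpoint(...) configuration shown above. For a local check, a Map-backed Function that returns a constructed record for one known subject is enough to see that an access token carrying only openid yields just the sub claim, while one carrying openid and email adds the email claims and nothing else.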
OidcUserInfoEndpointConfigurer configures the OidcUserInfoEndpointFilter and registers it with the OAuth2 authorization server SecurityFilterChain @Bean. OidcUserInfoEndpointFilter is the Filter that processes UserInfo requests and returns the OidcUserInfo response.

OidcUserInfoEndpointFilter is configured with the following defaults:

- AuthenticationConverter: An internal implementation that obtains the Authentication from the SecurityContext and creates an OidcUserInfoAuthenticationToken with the principal.
- AuthenticationManager: An AuthenticationManager composed of OidcUserInfoAuthenticationProvider, which is associated with an internal implementation of userInfoMapper that extracts standard claims from the ID Token based on the scopes requested during authorization.
- AuthenticationSuccessHandler: An internal implementation that handles an "authenticated" OidcUserInfoAuthenticationToken and returns the OidcUserInfo response.
- AuthenticationFailureHandler: An internal implementation that uses the OAuth2Error associated with the OAuth2AuthenticationException and returns the OAuth2Error response.

You can customize the ID Token by providing an OAuth2TokenCustomizer<JwtEncodingContext> @Bean.
The OpenID Connect 1.0 UserInfo endpoint is an OAuth2 protected resource, which REQUIRES an access token to be sent as a bearer token in the UserInfo request. The following example shows how to enable the OAuth2 resource server configuration:
@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
    OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
            new OAuth2AuthorizationServerConfigurer();
    http.apply(authorizationServerConfigurer);

    ...

    http.oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt);

    return http.build();
}

@Bean
public JwtDecoder jwtDecoder(JWKSource<SecurityContext> jwkSource) {
    return OAuth2AuthorizationServerConfiguration.jwtDecoder(jwkSource);
}
A JwtDecoder @Bean is REQUIRED for the OpenID Connect 1.0 UserInfo endpoint.

The guide How-to: Customize the OpenID Connect 1.0 UserInfo response contains examples of customizing the UserInfo endpoint.
OpenID Connect 1.0 Client Registration Endpoint

OidcClientRegistrationEndpointConfigurer provides the ability to customize the OpenID Connect 1.0 Client Registration endpoint. It defines extension points that let you customize the pre-processing, main processing, and post-processing logic for Client Registration requests or Client Read requests.

OidcClientRegistrationEndpointConfigurer provides the following configuration options:
@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
    OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
            new OAuth2AuthorizationServerConfigurer();
    http.apply(authorizationServerConfigurer);

    authorizationServerConfigurer
        .oidc(oidc ->
            oidc
                .clientRegistrationEndpoint(clientRegistrationEndpoint ->
                    clientRegistrationEndpoint
                        .clientRegistrationRequestConverter(clientRegistrationRequestConverter)
                        .clientRegistrationRequestConverters(clientRegistrationRequestConvertersConsumers)
                        .authenticationProvider(authenticationProvider)
                        .authenticationProviders(authenticationProvidersConsumer)
                        .clientRegistrationResponseHandler(clientRegistrationResponseHandler)
                        .errorResponseHandler(errorResponseHandler)
                )
        );

    return http.build();
}
- clientRegistrationRequestConverter(): Adds an AuthenticationConverter (pre-processor) used when attempting to extract a Client Registration request or Client Read request from HttpServletRequest to an instance of OidcClientRegistrationAuthenticationToken.
- clientRegistrationRequestConverters(): Sets the Consumer providing access to the List of default and (optionally) added AuthenticationConverter's, allowing the ability to add, remove, or customize a specific AuthenticationConverter.
- authenticationProvider(): Adds an AuthenticationProvider (main processor) used for authenticating the OidcClientRegistrationAuthenticationToken.
- authenticationProviders(): Sets the Consumer providing access to the List of default and (optionally) added AuthenticationProvider's, allowing the ability to add, remove, or customize a specific AuthenticationProvider.
- clientRegistrationResponseHandler(): The AuthenticationSuccessHandler (post-processor) used for handling an "authenticated" OidcClientRegistrationAuthenticationToken and returning the Client Registration response or Client Read response.
- errorResponseHandler(): The AuthenticationFailureHandler (post-processor) used for handling an OAuth2AuthenticationException and returning the Client Registration Error response or Client Read Error response.

The OpenID Connect 1.0 Client Registration endpoint is disabled by default because many deployments do not require dynamic client registration.
OidcClientRegistrationEndpointConfigurer configures the OidcClientRegistrationEndpointFilter and registers it with the OAuth2 authorization server SecurityFilterChain @Bean. OidcClientRegistrationEndpointFilter is the Filter that processes Client Registration requests and returns the OidcClientRegistration response.

OidcClientRegistrationEndpointFilter also processes Client Read requests and returns the OidcClientRegistration response.

OidcClientRegistrationEndpointFilter is configured with the following defaults:

- AuthenticationConverter: An OidcClientRegistrationAuthenticationConverter.
- AuthenticationManager: An AuthenticationManager composed of OidcClientRegistrationAuthenticationProvider and OidcClientConfigurationAuthenticationProvider.
- AuthenticationSuccessHandler: An internal implementation that handles an "authenticated" OidcClientRegistrationAuthenticationToken and returns the OidcClientRegistration response.
- AuthenticationFailureHandler: An internal implementation that uses the OAuth2Error associated with the OAuth2AuthenticationException and returns the OAuth2Error response.

The OpenID Connect 1.0 Client Registration endpoint is an OAuth2 protected resource, which REQUIRES an access token to be sent as a bearer token in the Client Registration (or Client Read) request.

The access token in a Client Registration request REQUIRES the OAuth2 scope client.create.

The access token in a Client Read request REQUIRES the OAuth2 scope client.read.

The following example shows how to enable the OAuth2 resource server configuration:
@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
    OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
            new OAuth2AuthorizationServerConfigurer();
    http.apply(authorizationServerConfigurer);

    ...

    http.oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt);

    return http.build();
}

@Bean
public JwtDecoder jwtDecoder(JWKSource<SecurityContext> jwkSource) {
    return OAuth2AuthorizationServerConfiguration.jwtDecoder(jwkSource);
}
A JwtDecoder @Bean is REQUIRED for the OpenID Connect 1.0 Client Registration endpoint.