OAuth2 授权端点
OAuth2AuthorizationEndpointConfigurer提供自定义OAuth2 授权端点的功能。 它定义了扩展点,允许您自定义OAuth2 授权请求的预处理、主处理和后处理逻辑。
OAuth2AuthorizationEndpointConfigurer提供以下配置选项:
@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
new OAuth2AuthorizationServerConfigurer();
http.apply(authorizationServerConfigurer);
authorizationServerConfigurer
.authorizationEndpoint(authorizationEndpoint ->
authorizationEndpoint
.authorizationRequestConverter(authorizationRequestConverter)
.authorizationRequestConverters(authorizationRequestConvertersConsumer)
.authenticationProvider(authenticationProvider)
.authenticationProviders(authenticationProvidersConsumer)
.authorizationResponseHandler(authorizationResponseHandler)
.errorResponseHandler(errorResponseHandler)
.consentPage("/oauth2/v1/authorize")
);
return http.build();
}
authorizationRequestConverter():将尝试从实例 ofor 中提取OAuth2 授权请求(或同意)时使用的(预处理器)添加。AuthenticationConverterHttpServletRequestOAuth2AuthorizationCodeRequestAuthenticationTokenOAuth2AuthorizationConsentAuthenticationToken |
authorizationRequestConverters():设置提供对默认值和(可选)添加的访问权限,允许添加、删除或自定义特定内容。ConsumerListAuthenticationConverterAuthenticationConverter |
authenticationProvider():添加用于验证理论的(主处理器)。AuthenticationProviderOAuth2AuthorizationCodeRequestAuthenticationTokenOAuth2AuthorizationConsentAuthenticationToken |
authenticationProviders():设置提供对默认值和(可选)添加的访问权限,允许添加、删除或自定义特定内容。ConsumerListAuthenticationProviderAuthenticationProvider |
authorizationResponseHandler():(后处理器)用于处理“经过身份验证”并返回OAuth2AuthorizationResponse。AuthenticationSuccessHandlerOAuth2AuthorizationCodeRequestAuthenticationToken |
errorResponseHandler():用于处理返回OAuth2Error 响应的 anand 的(后处理器)。AuthenticationFailureHandlerOAuth2AuthorizationCodeRequestAuthenticationException |
consentPage():自定义同意页面,用于将资源所有者重定向到授权请求流期间是否需要同意。URI |
OAuth2AuthorizationEndpointConfigurer配置并使用 OAuth2 授权 server.is 处理 OAuth2 授权请求(和同意)进行注册。OAuth2AuthorizationEndpointFilterSecurityFilterChain@BeanOAuth2AuthorizationEndpointFilterFilter
OAuth2AuthorizationEndpointFilter配置了以下默认值:
-
AuthenticationConverter——由和组成。DelegatingAuthenticationConverterOAuth2AuthorizationCodeRequestAuthenticationConverterOAuth2AuthorizationConsentAuthenticationConverter
-
AuthenticationManager——安安。AuthenticationManagerOAuth2AuthorizationCodeRequestAuthenticationProviderOAuth2AuthorizationConsentAuthenticationProvider
-
AuthenticationSuccessHandler— 处理“经过身份验证”并返回的内部实现。OAuth2AuthorizationCodeRequestAuthenticationTokenOAuth2AuthorizationResponse
-
AuthenticationFailureHandler— 使用与 the和 关联的内部实现 返回响应。OAuth2ErrorOAuth2AuthorizationCodeRequestAuthenticationExceptionOAuth2Error
自定义授权请求验证
OAuth2AuthorizationCodeRequestAuthenticationValidator是用于验证授权代码授予中使用的特定 OAuth2 授权请求参数的默认验证器。 默认实现验证 and参数。 如果验证失败,则引发 anis。redirect_uriscopeOAuth2AuthorizationCodeRequestAuthenticationException
OAuth2AuthorizationCodeRequestAuthenticationProvider提供通过提供 typeto 的自定义身份验证验证程序来覆盖默认授权请求验证的功能。Consumer<OAuth2AuthorizationCodeRequestAuthenticationContext>setAuthenticationValidator()
OAuth2AuthorizationCodeRequestAuthenticationContext保存,其中包含 OAuth2 授权请求参数。OAuth2AuthorizationCodeRequestAuthenticationToken |
如果验证失败,身份验证验证程序必须抛出。OAuth2AuthorizationCodeRequestAuthenticationException |
在开发生命周期阶段的一个常见用例是允许参数。localhostredirect_uri
以下示例演示如何使用允许参数的自定义身份验证验证程序进行配置:OAuth2AuthorizationCodeRequestAuthenticationProviderlocalhostredirect_uri
@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
new OAuth2AuthorizationServerConfigurer();
http.apply(authorizationServerConfigurer);
authorizationServerConfigurer
.authorizationEndpoint(authorizationEndpoint ->
authorizationEndpoint
.authenticationProviders(configureAuthenticationValidator())
);
return http.build();
}
private Consumer<List<AuthenticationProvider>> configureAuthenticationValidator() {
return (authenticationProviders) ->
authenticationProviders.forEach((authenticationProvider) -> {
if (authenticationProvider instanceof OAuth2AuthorizationCodeRequestAuthenticationProvider) {
Consumer<OAuth2AuthorizationCodeRequestAuthenticationContext> authenticationValidator =
// Override default redirect_uri validator
new CustomRedirectUriValidator()
// Reuse default scope validator
.andThen(OAuth2AuthorizationCodeRequestAuthenticationValidator.DEFAULT_SCOPE_VALIDATOR);
((OAuth2AuthorizationCodeRequestAuthenticationProvider) authenticationProvider)
.setAuthenticationValidator(authenticationValidator);
}
});
}
static class CustomRedirectUriValidator implements Consumer<OAuth2AuthorizationCodeRequestAuthenticationContext> {
@Override
public void accept(OAuth2AuthorizationCodeRequestAuthenticationContext authenticationContext) {
OAuth2AuthorizationCodeRequestAuthenticationToken authorizationCodeRequestAuthentication =
authenticationContext.getAuthentication();
RegisteredClient registeredClient = authenticationContext.getRegisteredClient();
String requestedRedirectUri = authorizationCodeRequestAuthentication.getRedirectUri();
// Use exact string matching when comparing client redirect URIs against pre-registered URIs
if (!registeredClient.getRedirectUris().contains(requestedRedirectUri)) {
OAuth2Error error = new OAuth2Error(OAuth2ErrorCodes.INVALID_REQUEST);
throw new OAuth2AuthorizationCodeRequestAuthenticationException(error, null);
}
}
}
OAuth2 令牌端点
OAuth2TokenEndpointConfigurer提供自定义OAuth2 令牌终结点的功能。 它定义了扩展点,允许您自定义OAuth2 访问令牌请求的预处理、主处理和后处理逻辑。
OAuth2TokenEndpointConfigurer提供以下配置选项:
@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
new OAuth2AuthorizationServerConfigurer();
http.apply(authorizationServerConfigurer);
authorizationServerConfigurer
.tokenEndpoint(tokenEndpoint ->
tokenEndpoint
.accessTokenRequestConverter(accessTokenRequestConverter)
.accessTokenRequestConverters(accessTokenRequestConvertersConsumer)
.authenticationProvider(authenticationProvider)
.authenticationProviders(authenticationProvidersConsumer)
.accessTokenResponseHandler(accessTokenResponseHandler)
.errorResponseHandler(errorResponseHandler)
);
return http.build();
}
accessTokenRequestConverter():添加尝试从中提取OAuth2 访问令牌请求时使用的(预处理器)到实例。AuthenticationConverterHttpServletRequestOAuth2AuthorizationGrantAuthenticationToken |
accessTokenRequestConverters():设置提供对默认值和(可选)添加的访问权限,允许添加、删除或自定义特定内容。ConsumerListAuthenticationConverterAuthenticationConverter |
authenticationProvider():添加用于身份验证的(主处理器)。AuthenticationProviderOAuth2AuthorizationGrantAuthenticationToken |
authenticationProviders():设置提供对默认值和(可选)添加的访问权限,允许添加、删除或自定义特定内容。ConsumerListAuthenticationProviderAuthenticationProvider |
accessTokenResponseHandler():用于处理返回OAuth2AccessTokenResponse 的 anand 的(后处理器)。AuthenticationSuccessHandlerOAuth2AccessTokenAuthenticationToken |
errorResponseHandler():用于处理返回OAuth2Error 响应的 anand 的(后处理器)。AuthenticationFailureHandlerOAuth2AuthenticationException |
OAuth2TokenEndpointConfigurer配置并使用 OAuth2 授权 server.is 处理 OAuth2 访问令牌请求进行注册。OAuth2TokenEndpointFilterSecurityFilterChain@BeanOAuth2TokenEndpointFilterFilter
支持的授权授权类型包括、和。authorization_coderefresh_tokenclient_credentials
OAuth2TokenEndpointFilter配置了以下默认值:
-
AuthenticationConverter— 由、和组成。DelegatingAuthenticationConverterOAuth2AuthorizationCodeAuthenticationConverterOAuth2RefreshTokenAuthenticationConverterOAuth2ClientCredentialsAuthenticationConverter
-
AuthenticationManager— 由、、和组成。AuthenticationManagerOAuth2AuthorizationCodeAuthenticationProviderOAuth2RefreshTokenAuthenticationProviderOAuth2ClientCredentialsAuthenticationProvider
-
AuthenticationSuccessHandler— 处理 anand 返回的内部实现。OAuth2AccessTokenAuthenticationTokenOAuth2AccessTokenResponse
-
AuthenticationFailureHandler— 使用与 the和 关联的内部实现 返回响应。OAuth2ErrorOAuth2AuthenticationExceptionOAuth2Error
OAuth2 令牌侦测端点
OAuth2TokenIntrospectionEndpointConfigurer提供自定义OAuth2 令牌侦测端点的功能。 它定义了扩展点,允许您自定义OAuth2 侦测请求的预处理、主处理和后处理逻辑。
OAuth2TokenIntrospectionEndpointConfigurer提供以下配置选项:
@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
new OAuth2AuthorizationServerConfigurer();
http.apply(authorizationServerConfigurer);
authorizationServerConfigurer
.tokenIntrospectionEndpoint(tokenIntrospectionEndpoint ->
tokenIntrospectionEndpoint
.introspectionRequestConverter(introspectionRequestConverter)
.introspectionRequestConverters(introspectionRequestConvertersConsumer)
.authenticationProvider(authenticationProvider)
.authenticationProviders(authenticationProvidersConsumer)
.introspectionResponseHandler(introspectionResponseHandler)
.errorResponseHandler(errorResponseHandler)
);
return http.build();
}
introspectionRequestConverter():添加尝试从中提取OAuth2 侦测请求时使用的(预处理器)到实例。AuthenticationConverterHttpServletRequestOAuth2TokenIntrospectionAuthenticationToken |
introspectionRequestConverters():设置提供对默认值和(可选)添加的访问权限,允许添加、删除或自定义特定内容。ConsumerListAuthenticationConverterAuthenticationConverter |
authenticationProvider():添加用于身份验证的(主处理器)。AuthenticationProviderOAuth2TokenIntrospectionAuthenticationToken |
authenticationProviders():设置提供对默认值和(可选)添加的访问权限,允许添加、删除或自定义特定内容。ConsumerListAuthenticationProviderAuthenticationProvider |
introspectionResponseHandler():用于处理“经过身份验证”并返回OAuth2TokenIntrospection 响应的(后处理器)。AuthenticationSuccessHandlerOAuth2TokenIntrospectionAuthenticationToken |
errorResponseHandler():用于处理返回OAuth2Error 响应的 anand 的(后处理器)。AuthenticationFailureHandlerOAuth2AuthenticationException |
OAuth2TokenIntrospectionEndpointConfigurer配置并使用 OAuth2 授权 server.is 处理 OAuth2 自检请求。OAuth2TokenIntrospectionEndpointFilterSecurityFilterChain@BeanOAuth2TokenIntrospectionEndpointFilterFilter
OAuth2TokenIntrospectionEndpointFilter配置了以下默认值:
-
AuthenticationConverter— 安.OAuth2TokenIntrospectionAuthenticationConverter
-
AuthenticationManager——由。AuthenticationManagerOAuth2TokenIntrospectionAuthenticationProvider
-
AuthenticationSuccessHandler— 处理“经过身份验证”并返回响应的内部实现。OAuth2TokenIntrospectionAuthenticationTokenOAuth2TokenIntrospection
-
AuthenticationFailureHandler— 使用与 the和 关联的内部实现 返回响应。OAuth2ErrorOAuth2AuthenticationExceptionOAuth2Error
OAuth2 令牌吊销端点
OAuth2TokenRevocationEndpointConfigurer提供自定义OAuth2 令牌吊销终结点的功能。 它定义了扩展点,允许您自定义OAuth2 吊销请求的预处理、主处理和后处理逻辑。
OAuth2TokenRevocationEndpointConfigurer提供以下配置选项:
@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
new OAuth2AuthorizationServerConfigurer();
http.apply(authorizationServerConfigurer);
authorizationServerConfigurer
.tokenRevocationEndpoint(tokenRevocationEndpoint ->
tokenRevocationEndpoint
.revocationRequestConverter(revocationRequestConverter)
.revocationRequestConverters(revocationRequestConvertersConsumer)
.authenticationProvider(authenticationProvider)
.authenticationProviders(authenticationProvidersConsumer)
.revocationResponseHandler(revocationResponseHandler)
.errorResponseHandler(errorResponseHandler)
);
return http.build();
}
|
revocationRequestConverter():将尝试从中提取OAuth2 吊销请求时使用的(预处理器)添加到 的实例。AuthenticationConverterHttpServletRequestOAuth2TokenRevocationAuthenticationToken |
|
revocationRequestConverters():设置提供对默认值和(可选)添加的访问权限,允许添加、删除或自定义特定内容。ConsumerListAuthenticationConverterAuthenticationConverter |
|
authenticationProvider():添加用于身份验证的(主处理器)。AuthenticationProviderOAuth2TokenRevocationAuthenticationToken |
|
authenticationProviders():设置提供对默认值和(可选)添加的访问权限,允许添加、删除或自定义特定内容。ConsumerListAuthenticationProviderAuthenticationProvider |
|
revocationResponseHandler():用于处理“经过身份验证”并返回OAuth2 吊销响应的(后处理器)。AuthenticationSuccessHandlerOAuth2TokenRevocationAuthenticationToken |
|
errorResponseHandler():用于处理返回OAuth2Error 响应的 anand 的(后处理器)。AuthenticationFailureHandlerOAuth2AuthenticationException |
OAuth2TokenRevocationEndpointConfigurer配置并使用 OAuth2 授权 server.is 处理 OAuth2 吊销请求进行注册。OAuth2TokenRevocationEndpointFilterSecurityFilterChain@BeanOAuth2TokenRevocationEndpointFilterFilter
OAuth2TokenRevocationEndpointFilter配置了以下默认值:
-
AuthenticationConverter— 安.OAuth2TokenRevocationAuthenticationConverter
-
AuthenticationManager——由。AuthenticationManagerOAuth2TokenRevocationAuthenticationProvider
-
AuthenticationSuccessHandler— 处理“经过身份验证”并返回 OAuth2 吊销响应的内部实现。OAuth2TokenRevocationAuthenticationToken
-
AuthenticationFailureHandler— 使用与 the和 关联的内部实现 返回响应。OAuth2ErrorOAuth2AuthenticationExceptionOAuth2Error
OAuth2 授权服务器元数据端点
OAuth2AuthorizationServerMetadataEndpointConfigurer提供自定义OAuth2 授权服务器元数据终结点的功能。 它定义了一个扩展点,允许您自定义OAuth2 授权服务器元数据响应。
OAuth2AuthorizationServerMetadataEndpointConfigurer提供以下配置选项:
@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
new OAuth2AuthorizationServerConfigurer();
http.apply(authorizationServerConfigurer);
authorizationServerConfigurer
.authorizationServerMetadataEndpoint(authorizationServerMetadataEndpoint ->
authorizationServerMetadataEndpoint
.authorizationServerMetadataCustomizer(authorizationServerMetadataCustomizer));
return http.build();
}
authorizationServerMetadataCustomizer():提供对允许自定义授权服务器配置声明的访问。ConsumerOAuth2AuthorizationServerMetadata.Builder |
OAuth2AuthorizationServerMetadataEndpointConfigurer配置并使用返回OAuth2AuthorizationServerMetadata 响应的 OAuth2 授权 server.is 注册它。OAuth2AuthorizationServerMetadataEndpointFilterSecurityFilterChain@BeanOAuth2AuthorizationServerMetadataEndpointFilterFilter
JWK 设置终结点
OAuth2AuthorizationServerConfigurer提供对JWK 集终结点的支持。
OAuth2AuthorizationServerConfigurer配置并使用返回JWK 集的 OAuth2 授权 server.is 注册它。NimbusJwkSetEndpointFilterSecurityFilterChain@BeanNimbusJwkSetEndpointFilterFilter
仅当 ais 已注册时,才会配置 JWK Set 终结点。JWKSource<SecurityContext>@Bean |
OpenID Connect 1.0 提供程序配置终结点
OidcProviderConfigurationEndpointConfigurer提供自定义OpenID Connect 1.0 提供程序配置终结点的功能。 它定义了一个扩展点,可用于自定义OpenID 提供程序配置响应。
OidcProviderConfigurationEndpointConfigurer提供以下配置选项:
@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
new OAuth2AuthorizationServerConfigurer();
http.apply(authorizationServerConfigurer);
authorizationServerConfigurer
.oidc(oidc ->
oidc
.providerConfigurationEndpoint(providerConfigurationEndpoint ->
providerConfigurationEndpoint
.providerConfigurationCustomizer(providerConfigurationCustomizer)
)
);
return http.build();
}
providerConfigurationCustomizer():提供对允许自定义 OpenID 提供程序配置的声明的访问。ConsumerOidcProviderConfiguration.Builder |
OidcProviderConfigurationEndpointConfigurer配置并使用返回OidcProviderConfiguration 响应的 OAuth2 授权 server.is 注册它。OidcProviderConfigurationEndpointFilterSecurityFilterChain@BeanOidcProviderConfigurationEndpointFilterFilter
OpenID Connect 1.0 UserInfo Endpoint
OidcUserInfoEndpointConfigurer提供自定义OpenID Connect 1.0 UserInfo 端点的功能。 它定义了扩展点,使您可以自定义UserInfo 请求的预处理、主处理和后处理逻辑。
OidcUserInfoEndpointConfigurer提供以下配置选项:
@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
new OAuth2AuthorizationServerConfigurer();
http.apply(authorizationServerConfigurer);
authorizationServerConfigurer
.oidc(oidc ->
oidc
.userInfoEndpoint(userInfoEndpoint ->
userInfoEndpoint
.userInfoRequestConverter(userInfoRequestConverter)
.userInfoRequestConverters(userInfoRequestConvertersConsumer)
.authenticationProvider(authenticationProvider)
.authenticationProviders(authenticationProvidersConsumer)
.userInfoResponseHandler(userInfoResponseHandler)
.errorResponseHandler(errorResponseHandler)
.userInfoMapper(userInfoMapper)
)
);
return http.build();
}
userInfoRequestConverter():添加尝试从中提取用户信息请求时使用的(预处理器)到实例。AuthenticationConverterHttpServletRequestOidcUserInfoAuthenticationToken |
userInfoRequestConverters():设置提供对默认值和(可选)添加的访问权限,允许添加、删除或自定义特定内容。ConsumerListAuthenticationConverterAuthenticationConverter |
authenticationProvider():添加用于身份验证的(主处理器)。AuthenticationProviderOidcUserInfoAuthenticationToken |
authenticationProviders():设置提供对默认值和(可选)添加的访问权限,允许添加、删除或自定义特定内容。ConsumerListAuthenticationProviderAuthenticationProvider |
userInfoResponseHandler():用于处理“经过身份验证”并返回用户信息响应的(后处理器)。AuthenticationSuccessHandlerOidcUserInfoAuthenticationToken |
errorResponseHandler():用于处理返回用户信息错误响应的(后处理器)。AuthenticationFailureHandlerOAuth2AuthenticationException |
userInfoMapper():用于从实例中提取声明。FunctionOidcUserInfoAuthenticationContextOidcUserInfo |
OidcUserInfoEndpointConfigurer配置并使用 OAuth2 授权 server.is 处理用户信息请求并返回OidcUserInfo 响应。OidcUserInfoEndpointFilterSecurityFilterChain@BeanOidcUserInfoEndpointFilterFilter
OidcUserInfoEndpointFilter配置了以下默认值:
-
AuthenticationConverter— 从 the获取 和 创建 anwith 主体的内部实现。AuthenticationSecurityContextOidcUserInfoAuthenticationToken
-
AuthenticationManager— 由 组成,它与内部实现相关联,根据授权期间请求的范围从ID 令牌中提取标准声明。AuthenticationManagerOidcUserInfoAuthenticationProvideruserInfoMapper
-
AuthenticationSuccessHandler— 处理“经过身份验证”并返回响应的内部实现。OidcUserInfoAuthenticationTokenOidcUserInfo
-
AuthenticationFailureHandler— 使用与 the和 关联的内部实现 返回响应。OAuth2ErrorOAuth2AuthenticationExceptionOAuth2Error
|
您可以通过提供OAuth2TokenCustomizer<JwtEncodingContext> 来自定义 ID 令牌。@Bean
|
The OpenID Connect 1.0 UserInfo endpoint is an OAuth2 protected resource, which REQUIRES an access token to be sent as a bearer token in the UserInfo request. The following example shows how to enable the OAuth2 resource server configuration:
@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
new OAuth2AuthorizationServerConfigurer();
http.apply(authorizationServerConfigurer);
...
http.oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt);
return http.build();
}
@Bean
public JwtDecoder jwtDecoder(JWKSource<SecurityContext> jwkSource) {
return OAuth2AuthorizationServerConfiguration.jwtDecoder(jwkSource);
}
AisforOpenID Connect 1.0 UserInfo 端点。JwtDecoder@Bean |
|
指南操作方法:自定义 OpenID Connect 1.0UserInfo 响应包含自定义 UserInfo 终结点的示例。
|
OpenID Connect 1.0 客户端注册终结点
OidcClientRegistrationEndpointConfigurer提供自定义OpenID Connect 1.0 客户端注册终结点的功能。 它定义了扩展点,允许您自定义客户端注册请求或客户端读取请求的预处理、主处理和后处理逻辑。
OidcClientRegistrationEndpointConfigurer提供以下配置选项:
@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
new OAuth2AuthorizationServerConfigurer();
http.apply(authorizationServerConfigurer);
authorizationServerConfigurer
.oidc(oidc ->
oidc
.clientRegistrationEndpoint(clientRegistrationEndpoint ->
clientRegistrationEndpoint
.clientRegistrationRequestConverter(clientRegistrationRequestConverter)
.clientRegistrationRequestConverters(clientRegistrationRequestConvertersConsumers)
.authenticationProvider(authenticationProvider)
.authenticationProviders(authenticationProvidersConsumer)
.clientRegistrationResponseHandler(clientRegistrationResponseHandler)
.errorResponseHandler(errorResponseHandler)
)
);
return http.build();
}
clientRegistrationRequestConverter():添加尝试从中提取客户端注册请求或客户端读取请求时使用的(预处理器)。AuthenticationConverterHttpServletRequestOidcClientRegistrationAuthenticationToken |
clientRegistrationRequestConverters():设置提供对默认值和(可选)添加的访问权限,允许添加、删除或自定义特定内容。ConsumerListAuthenticationConverterAuthenticationConverter |
authenticationProvider():添加用于身份验证的(主处理器)。AuthenticationProviderOidcClientRegistrationAuthenticationToken |
authenticationProviders():设置提供对默认值和(可选)添加的访问权限,允许添加、删除或自定义特定内容。ConsumerListAuthenticationProviderAuthenticationProvider |
clientRegistrationResponseHandler():(后处理器)用于处理“已验证”并返回客户端注册响应或客户端读取响应。AuthenticationSuccessHandlerOidcClientRegistrationAuthenticationToken |
errorResponseHandler():用于处理返回客户端注册错误响应或客户端读取错误响应的 anand 的(后处理器)。AuthenticationFailureHandlerOAuth2AuthenticationException |
默认情况下,OpenID Connect 1.0 客户端注册终结点处于禁用状态,因为许多部署不需要动态客户端注册。 |
OidcClientRegistrationEndpointConfigurer配置并使用 OAuth2 授权 server.is 处理客户端注册请求并返回OidcClientRegistration 响应。OidcClientRegistrationEndpointFilterSecurityFilterChain@BeanOidcClientRegistrationEndpointFilterFilter
OidcClientRegistrationEndpointFilter还处理客户端读取请求并返回OidcClientRegistration 响应。 |
OidcClientRegistrationEndpointFilter配置了以下默认值:
-
AuthenticationConverter— 安.OidcClientRegistrationAuthenticationConverter
-
AuthenticationManager——安安。AuthenticationManagerOidcClientRegistrationAuthenticationProviderOidcClientConfigurationAuthenticationProvider
-
AuthenticationSuccessHandler— 处理“经过身份验证”并返回响应的内部实现。OidcClientRegistrationAuthenticationTokenOidcClientRegistration
-
AuthenticationFailureHandler— 使用与 the和 关联的内部实现 返回响应。OAuth2ErrorOAuth2AuthenticationExceptionOAuth2Error
OpenID Connect 1.0 客户端注册终结点是受 OAuth2 保护的资源,它要求在客户端注册(或客户端读取)请求中将访问令牌作为持有者令牌发送。
客户端注册请求中的访问令牌需要OAuth2 范围。client.create |
客户端读取请求中的访问令牌需要OAuth2 作用域。client.read |
以下示例演示如何启用 OAuth2 资源服务器配置:
@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
new OAuth2AuthorizationServerConfigurer();
http.apply(authorizationServerConfigurer);
...
http.oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt);
return http.build();
}
@Bean
public JwtDecoder jwtDecoder(JWKSource<SecurityContext> jwkSource) {
return OAuth2AuthorizationServerConfiguration.jwtDecoder(jwkSource);
}
AI是OpenIDConnect 1.0客户端注册端点所必需的。JwtDecoder@Bean |
