Overriding basic authentication for the /oauth/token endpoint

Question

I'm having some trouble overriding the basic authentication for /oauth/token found in the TokenEndpoint class. Basically I want to add custom validation of the credentials (client_id and client_secret).

Here is the authorization server configuration.

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableOAuth2Client;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.ClientDetailsService;
import org.springframework.security.oauth2.provider.code.AuthorizationCodeServices;
import org.springframework.security.oauth2.provider.token.TokenEnhancer;
import org.springframework.security.oauth2.provider.token.TokenStore;

// The Oidc* types are the poster's own classes (not shown); they are assumed to live in this package.
@Configuration
@EnableOAuth2Client
@EnableAuthorizationServer
public class OAuth2Configuration extends AuthorizationServerConfigurerAdapter {

    @Autowired
    private ClientDetailsService serviceProviderClientDetailsService;

    @Autowired
    private TokenEnhancer tokenEnhancer;

    @Autowired
    private TokenStore tokenStore;

    @Autowired
    private AuthorizationCodeServices authorizationCodeServices;

    @Autowired
    private OidcWebResponseExceptionTranslator oidcWebResponseExceptionTranslator;

    @Autowired
    private OidcMnoOAuth2RequestValidator oidcOAuth2RequestValidator;

    // Registers the client store used to look up client_id / client_secret.
    @Override
    public void configure(final ClientDetailsServiceConfigurer clients) throws Exception {
        clients.withClientDetails(serviceProviderClientDetailsService);
    }

    // Wires the token endpoint: token store, enhancer, granter, validator, error translation.
    @Override
    public void configure(final AuthorizationServerEndpointsConfigurer endpoints) {
        endpoints.tokenEnhancer(tokenEnhancer);
        endpoints.exceptionTranslator(oidcWebResponseExceptionTranslator);
        endpoints.authorizationCodeServices(authorizationCodeServices);
        endpoints.tokenStore(tokenStore);
        endpoints.setClientDetailsService(serviceProviderClientDetailsService);
        endpoints.tokenGranter(oidcAuthorizationCodeTokenGranter());
        endpoints.requestValidator(oidcOAuth2RequestValidator);
    }

    // Lets clients send client_id / client_secret as form parameters as well as HTTP Basic.
    @Override
    public void configure(final AuthorizationServerSecurityConfigurer oauthServer) {
        oauthServer.allowFormAuthenticationForClients();
    }

    @Bean
    public OidcAuthorizationCodeTokenGranter oidcAuthorizationCodeTokenGranter() {
        return new OidcAuthorizationCodeTokenGranter();
    }

}

Thanks in advance!

Tags: spring-security, spring-security-oauth2

Answer


To add custom validation of client or user credentials, you can extend DaoAuthenticationProvider and assign the appropriate user details service. Override its additionalAuthenticationChecks(...) method to add the custom behaviour.

import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.userdetails.UserDetails;

public class AugmentedDaoAuthenticationProvider extends DaoAuthenticationProvider {

    // userDao and User are the answerer's own types (not shown on the page); assumed to
    // expose findByUsername(String) returning Optional<User>. Wire it as a bean property.
    private UserDao userDao;

    public void setUserDao(final UserDao userDao) { this.userDao = userDao; }

    @Override
    protected void additionalAuthenticationChecks(final UserDetails userDetails, final UsernamePasswordAuthenticationToken authentication) {
        final User user = userDao.findByUsername(userDetails.getUsername())
                                 .orElseThrow(() -> new BadCredentialsException("Incorrect username or password."));

        // custom authentication logic

        // Perform the actual authentication (password check against the UserDetails).
        super.additionalAuthenticationChecks(userDetails, authentication);
    }
}

Initialise the bean and assign the appropriate user details service: a UserDetailsService if the additional checks are on user credentials, or ClientDetailsUserDetailsService for client credentials.

<bean id="clientAuthenticationProvider" class="com.test.AugmentedDaoAuthenticationProvider">
    <property name="userDetailsService" ref="clientDetailsUserDetailsService"/>
</bean>


Addressing the question from the comments:

ClientDetailsUserDetailsService implements UserDetailsService and has a constructor that takes a ClientDetailsService as an argument. The bean is initialised like this:

<bean id="clientDetailsUserDetailsService" class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
    <constructor-arg name="clientDetailsService" ref="serviceProviderClientDetailsService"/>
</bean>

Then you can reference clientDetailsUserDetailsService from your custom DaoAuthenticationProvider.
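To show the answer's approach end to end, here is an added, self-contained example (not code from the question or the answer): a DaoAuthenticationProvider subclass fed by ClientDetailsUserDetailsService authenticates client_id/client_secret pairs against an in-memory client registry and adds one extra check on the registered ClientDetails. The class names, the client ids and secrets, and the "suspended" key in additionalInformation are all assumptions made for the demonstration. Unlike the answer's snippet, which does its own lookup before calling super, this version verifies the secret first and only then applies the policy.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.security.oauth2.provider.ClientDetailsService;
import org.springframework.security.oauth2.provider.client.BaseClientDetails;
import org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService;
import org.springframework.security.oauth2.provider.client.InMemoryClientDetailsService;

public class ClientAuthenticationDemo {

    // DaoAuthenticationProvider for client credentials: ClientDetailsUserDetailsService adapts
    // client_id/client_secret to a UserDetails, and the override adds a policy check on the
    // registered ClientDetails. "suspended" is a hypothetical additionalInformation key.
    public static class PolicyCheckingClientAuthenticationProvider extends DaoAuthenticationProvider {

        private final ClientDetailsService clientDetailsService;

        public PolicyCheckingClientAuthenticationProvider(final ClientDetailsService clientDetailsService,
                                                           final PasswordEncoder secretEncoder) {
            this.clientDetailsService = clientDetailsService;
            setUserDetailsService(new ClientDetailsUserDetailsService(clientDetailsService));
            setPasswordEncoder(secretEncoder);
        }

        @Override
        protected void additionalAuthenticationChecks(final UserDetails userDetails,
                final UsernamePasswordAuthenticationToken authentication) throws AuthenticationException {
            // Verify client_secret first, so a caller with a wrong secret learns nothing about policy state.
            super.additionalAuthenticationChecks(userDetails, authentication);

            // Custom check against the full client record (the UserDetails only carries id, secret, authorities).
            final ClientDetails client = clientDetailsService.loadClientByClientId(userDetails.getUsername());
            if (Boolean.TRUE.equals(client.getAdditionalInformation().get("suspended"))) {
                // Same generic error as a wrong secret, so the response does not leak why it failed.
                throw new BadCredentialsException("Bad credentials");
            }
        }
    }

    // Constructed in-memory registry: one active client and one suspended client, same secret.
    static ClientDetailsService sampleClients(final PasswordEncoder encoder) {
        final BaseClientDetails active = new BaseClientDetails("web-app", "", "read", "client_credentials", "ROLE_CLIENT");
        active.setClientSecret(encoder.encode("s3cret"));

        final BaseClientDetails suspended = new BaseClientDetails("old-app", "", "read", "client_credentials", "ROLE_CLIENT");
        suspended.setClientSecret(encoder.encode("s3cret"));
        suspended.setAdditionalInformation(Collections.singletonMap("suspended", Boolean.TRUE));

        final Map<String, ClientDetails> store = new HashMap<>();
        store.put(active.getClientId(), active);
        store.put(suspended.getClientId(), suspended);
        final InMemoryClientDetailsService service = new InMemoryClientDetailsService();
        service.setClientDetailsStore(store);
        return service;
    }

    // True only when the provider accepts the client_id/client_secret pair.
    static boolean authenticates(final AuthenticationProvider provider, final String clientId, final String secret) {
        try {
            final Authentication result = provider.authenticate(new UsernamePasswordAuthenticationToken(clientId, secret));
            return result != null && result.isAuthenticated();
        } catch (AuthenticationException e) {
            return false;
        }
    }

    public static void main(final String[] args) {
        final PasswordEncoder encoder = new BCryptPasswordEncoder();
        final AuthenticationProvider provider =
                new PolicyCheckingClientAuthenticationProvider(sampleClients(encoder), encoder);

        System.out.println("web-app / s3cret : " + authenticates(provider, "web-app", "s3cret"));
        System.out.println("web-app / wrong  : " + authenticates(provider, "web-app", "wrong"));
        System.out.println("old-app / s3cret : " + authenticates(provider, "old-app", "s3cret"));
        System.out.println("no-such / s3cret : " + authenticates(provider, "no-such", "s3cret"));
    }
}
```

Whether the client sends HTTP Basic or, with allowFormAuthenticationForClients(), form parameters, the token endpoint's filters hand the AuthenticationManager a UsernamePasswordAuthenticationToken, so a provider registered this way covers both paths. Keep the failure message for a policy rejection identical to the wrong-secret one: a distinct message would let an unauthenticated caller probe which client ids exist or are suspended.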

