Spring Security OAuth2 configuration notes

Date: 2022-10-28 10:03:53


  1. Configure only one of security.oauth2.resource.jwt.key-uri / security.oauth2.resource.jwt.key-value and security.oauth2.resource.jwk.key-set-uri.
     The former configures a single key; the latter configures a whole set of keys.
  2. The client_id and client_secret under security.oauth2.client carry several meanings: the Authorization Server, the Resource Server and the SSO configuration all use them.
  3. With @EnableAuthorizationServer plus security.oauth2.client.client-id and security.oauth2.client.client-secret, Spring Security automatically registers a client account whose id and secret are the values of security.oauth2.client.client-id and security.oauth2.client.client-secret.
  4. From OAuth2AutoConfiguration you can see that the values of security.oauth2.resource.clientId and security.oauth2.resource.clientSecret in ResourceServerProperties are taken from security.oauth2.client.clientId and security.oauth2.client.clientSecret; there is no need to configure security.oauth2.resource.clientId and security.oauth2.resource.clientSecret, configuring security.oauth2.client.clientId and security.oauth2.client.clientSecret is enough.
  5. The SSO configuration works the same way: SSO uses three settings, clientId, userInfoUrl and token_type, and all three come from ResourceServerProperties, that is, from OAuth2ProtectedResourceDetails.
  6. user-info-uri and token-info-uri
     security.oauth2.resource.user-info-uri: the URL of the userinfo endpoint
     security.oauth2.resource.token-info-uri: the URL of the check-token endpoint
     security.oauth2.resource.prefer-token-info=true: when both of the above are configured, which one is preferred
  7. security.oauth2.resource.filter-order: the order of the Resource Server's filters
  8. security.oauth2.resource.token-type: what to write in the token-type position when requesting a resource
  9. @EnableOAuth2Client creates an OAuth2ClientContext and an OAuth2ProtectedResourceDetails; the end goal is to create an OAuth2RestOperations (OAuth2RestTemplate).
  10. OAuth2ProtectedResourceDetails is bound to the security.oauth2.client.* settings, which means every place that uses the OAuth2ProtectedResourceDetails bean must configure security.oauth2.client.*; in other words, every place that needs the OAuth2RestTemplate bean must configure security.oauth2.client.*.
     security.oauth2.client.* is used to create OAuth2ProtectedResourceDetails, and OAuth2ProtectedResourceDetails is used to create OAuth2RestOperations (OAuth2RestTemplate); Feign also obtains the client information from the OAuth2ProtectedResourceDetails bean, and the relay support in Zuul and in the Resource Server also uses the OAuth2RestTemplate bean.
  11. How does the client learn the Authorization Server's details?
     security.oauth2.client.clientId
     security.oauth2.client.clientSecret
     security.oauth2.client.accessTokenUri
     security.oauth2.client.userAuthorizationUri
     security.oauth2.client.clientAuthenticationScheme: header or form
     security.oauth2.client.scope: limits the permissions of the obtained token
  12. Ribbon relay: security.oauth2.resource.load-balanced; uses OAuth2RestOperations (OAuth2RestTemplate)
  13. Feign relay: uses the feign.RequestTemplate class; the information comes from OAuth2ProtectedResourceDetails
  14. Zuul: uses the OAuth2RestOperations bean from the IoC container
  15. Everything that needs to relay must configure security.oauth2.client.*: Resource Server, Feign, Zuul, Ribbon
  16. UserInfoRestTemplateCustomizer, UserInfoRestTemplateFactory, DefaultUserInfoRestTemplateFactory
  17. To configure client-side load balancing for Zuul, the following configuration works:
     proxy:
       auth:
         load-balanced: true
  18. How to configure the OAuth2RestTemplate?
     For a Resource Server use this one:

     // the user-info REST template already built by Spring Boot's factory
     @Bean
     public OAuth2RestTemplate restTemplate(UserInfoRestTemplateFactory factory) {
         return factory.getUserInfoRestTemplate();
     }

     If the application is only marked as an OAuth client or OAuth SSO application, use this one:

     // details come from security.oauth2.client.*, the context from @EnableOAuth2Client
     @Bean
     public OAuth2RestTemplate oauth2RestTemplate(OAuth2ClientContext oauth2ClientContext,
                                                  OAuth2ProtectedResourceDetails details) {
         return new OAuth2RestTemplate(details, oauth2ClientContext);
     }
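Tying together the security.oauth2.client.* binding, the Feign relay note and the client-only OAuth2RestTemplate bean above, here is an added example (not from the original post) of one configuration class in which a single ClientCredentialsResourceDetails bean bound from security.oauth2.client.* feeds both the OAuth2RestTemplate and a Feign request interceptor. It assumes Spring Boot 1.5.x with spring-security-oauth2 and spring-cloud-starter-oauth2 on the classpath, a client_credentials grant, and that the class name, package-less layout and the property values in the comment are constructed placeholders.

```java
import feign.RequestInterceptor;
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.cloud.security.oauth2.client.feign.OAuth2FeignRequestInterceptor;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.client.OAuth2ClientContext;
import org.springframework.security.oauth2.client.OAuth2RestTemplate;
import org.springframework.security.oauth2.client.resource.OAuth2ProtectedResourceDetails;
import org.springframework.security.oauth2.client.token.grant.client.ClientCredentialsResourceDetails;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableOAuth2Client;

/*
 * Matching application.yml (constructed sample values; keep the secret out of
 * source control, e.g. inject it through an environment variable):
 * security:
 *   oauth2:
 *     client:
 *       client-id: order-service
 *       client-secret: ${ORDER_SERVICE_SECRET}
 *       access-token-uri: https://auth.example.test/oauth/token
 *       client-authentication-scheme: header   # credentials in Basic auth, not the form body
 *       scope: orders:read                     # limits what the obtained token may do
 */
@Configuration
@EnableOAuth2Client   // supplies the OAuth2ClientContext bean
public class OAuth2ClientConfig {

    // security.oauth2.client.* binds onto this bean, so it is the single source of
    // client-id / secret / token URI for everything below (REST template and Feign).
    @Bean
    @ConfigurationProperties("security.oauth2.client")
    public ClientCredentialsResourceDetails oauth2ResourceDetails() {
        return new ClientCredentialsResourceDetails();
    }

    // OAuth2RestTemplate = resource details + client context, as in the client-only bean above.
    @Bean
    public OAuth2RestTemplate oauth2RestTemplate(OAuth2ClientContext context,
                                                 OAuth2ProtectedResourceDetails details) {
        return new OAuth2RestTemplate(details, context);
    }

    // Feign relay: the interceptor obtains (and refreshes) the token through the same
    // details bean and adds "Authorization: <token-type> <token>" to every Feign request.
    @Bean
    public RequestInterceptor oauth2FeignRequestInterceptor(OAuth2ClientContext context,
                                                            OAuth2ProtectedResourceDetails details) {
        return new OAuth2FeignRequestInterceptor(context, details);
    }
}
```

If the auto-configured AuthorizationCodeResourceDetails from security.oauth2.client.* is still present, the explicit bean above takes its place, so there is one place to audit for which scope and client secret the service sends.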