How do I set the hosted domain parameter for the Google OAuth2 account chooser using Java config?
Currently I have a working OAuth2 authentication flow with the following Java configuration:

    import java.util.ArrayList;
    import java.util.Collections;
    import java.util.List;

    import javax.annotation.Resource;

    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.context.annotation.Import;
    import org.springframework.security.oauth2.client.DefaultOAuth2ClientContext;
    import org.springframework.security.oauth2.client.OAuth2RestTemplate;
    import org.springframework.security.oauth2.client.filter.OAuth2ClientAuthenticationProcessingFilter;
    import org.springframework.security.oauth2.client.filter.OAuth2ClientContextFilter;
    import org.springframework.security.oauth2.client.token.AccessTokenRequest;
    import org.springframework.security.oauth2.client.token.grant.code.AuthorizationCodeResourceDetails;
    import org.springframework.security.oauth2.common.AuthenticationScheme;
    import org.springframework.security.oauth2.config.annotation.web.configuration.EnableOAuth2Client;
    import org.springframework.security.oauth2.provider.token.AccessTokenConverter;
    import org.springframework.security.oauth2.provider.token.DefaultUserAuthenticationConverter;
    import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;
    import org.springframework.security.oauth2.provider.token.UserAuthenticationConverter;
    import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;

    import com.google.api.client.googleapis.auth.oauth2.GoogleClientSecrets;

    // GoogleTokenServices, GoogleAccessTokenConverter and SecurityWebAppInitializer are not
    // spring-security-oauth2 classes; they belong to this project (or a helper library) and
    // are not shown here.

    @Configuration
    @EnableOAuth2Client
    @Import(SecurityWebAppInitializer.class)
    public class OAuth2SecurityConfiguration {

        // Parsed client_secrets.json downloaded from the Google API console
        @Resource
        private GoogleClientSecrets googleClientSecrets;

        @Resource
        private AccessTokenRequest accessTokenRequest;

        // Describes the Google authorization-code client built from the "web" section of client_secrets.json
        @Bean
        public AuthorizationCodeResourceDetails googleResource() {
            AuthorizationCodeResourceDetails details = new AuthorizationCodeResourceDetails();
            GoogleClientSecrets.Details web = googleClientSecrets.getWeb();
            details.setId((String) web.get("project_id"));
            details.setClientId(web.getClientId());
            details.setClientSecret(web.getClientSecret());
            details.setAccessTokenUri(web.getTokenUri());
            // auth_uri from client_secrets.json; this is the URL the user is redirected to
            details.setUserAuthorizationUri(web.getAuthUri());
            details.setTokenName((String) web.get("token_name"));
            String commaSeparatedScopes = (String) web.get("scope");
            details.setScope(parseScopes(commaSeparatedScopes));
            details.setPreEstablishedRedirectUri(web.getRedirectUris().get(0));
            details.setUseCurrentUri(false);
            details.setAuthenticationScheme(AuthenticationScheme.query);
            details.setClientAuthenticationScheme(AuthenticationScheme.form);
            return details;
        }

        private List<String> parseScopes(String commaSeparatedScopes) {
            List<String> scopes = new ArrayList<>();
            Collections.addAll(scopes, commaSeparatedScopes.split(","));
            return scopes;
        }

        // Handles the callback on /googleLogin and exchanges the code for a token
        @Bean
        public OAuth2ClientAuthenticationProcessingFilter oAuth2AuthenticationProcessingFilter(
                OAuth2RestTemplate oAuth2RestTemplate, ResourceServerTokenServices resourceServerTokenServices) {
            OAuth2ClientAuthenticationProcessingFilter filter =
                    new OAuth2ClientAuthenticationProcessingFilter("/googleLogin");
            filter.setRestTemplate(oAuth2RestTemplate);
            filter.setTokenServices(resourceServerTokenServices);
            return filter;
        }

        @Bean
        public UserAuthenticationConverter userTokenConverter() {
            return new DefaultUserAuthenticationConverter();
        }

        @Bean
        public AccessTokenConverter accessTokenConverter(UserAuthenticationConverter userTokenConverter) {
            GoogleAccessTokenConverter accessTokenConverter = new GoogleAccessTokenConverter();
            accessTokenConverter.setUserTokenConverter(userTokenConverter);
            // Return the configured instance (the original returned a fresh, unconfigured one)
            return accessTokenConverter;
        }

        // Validates access tokens against Google's tokeninfo endpoint
        @Bean
        public GoogleTokenServices tokenServices(AccessTokenConverter accessTokenConverter) {
            GoogleTokenServices tokenServices = new GoogleTokenServices();
            GoogleClientSecrets.Details web = googleClientSecrets.getWeb();
            tokenServices.setCheckTokenEndpointUrl("https://www.googleapis.com/oauth2/v1/tokeninfo");
            tokenServices.setClientId(web.getClientId());
            tokenServices.setClientSecret(web.getClientSecret());
            tokenServices.setAccessTokenConverter(accessTokenConverter);
            return tokenServices;
        }

        @Bean
        public OAuth2RestTemplate googleRestTemplate() {
            return new OAuth2RestTemplate(googleResource(), new DefaultOAuth2ClientContext(accessTokenRequest));
        }

        @Bean
        public OAuth2ClientContextFilter oauth2ClientContextFilter() {
            return new OAuth2ClientContextFilter();
        }

        @Bean
        public LoginUrlAuthenticationEntryPoint clientAuthenticationEntryPoint() {
            return new LoginUrlAuthenticationEntryPoint("/googleLogin");
        }
    }
The problem is that I don't know where to set the parameter in the Java code. I tried to find a solution, but only saw ones using JS or PHP. I found that AuthorizationCodeAccessTokenProvider#getRedirectForAuthorization is responsible for building the redirect URI, but the available parameters are limited, so the only option seems to be adding the hd parameter to the auth URI in client_secrets.json:

    "auth_uri": "https://accounts.google.com/o/oauth2/auth?hd=<domain>",
Adding the hd parameter to the URL works. Appending ?hd=MYDOMAIN.com to the security.oauth2.client.user-authorization-uri property did the trick.

This basic configuration in application.properties works for me - you can do it this way or with yaml. When the login request shows the Google sign-in, the domain is pre-filled on the form.

If you have previously signed in with both a Google-hosted private domain account and a gmail account and used to have to pick the correct account, this will automatically select the account matching your domain and send you on to the secured resource.

    security.oauth2.client.client-id=123456789-abc123456789.apps.googleusercontent.com
    security.oauth2.client.client-secret=yyyyyyyyyyyyyyyyy
    security.oauth2.client.access-token-uri=https://www.googleapis.com/oauth2/v3/token
    security.oauth2.client.user-authorization-uri=https://accounts.google.com/o/oauth2/auth?hd=MYDOMAIN.com
    security.oauth2.client.authentication-scheme=query
    security.oauth2.client.scope=email
    security.oauth2.client.
    security.oauth2.client.client-authentication-scheme=form
    security.oauth2.resource.user-info-uri=https://www.googleapis.com/plus/v1/people/me
    security.oauth2.resource.prefer-token-info=false
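The same thing done in the question's Java config rather than in the properties file, as an added example that is not part of either post (Java 11+; the class HostedDomainSupport and its method names are my own): a helper that appends hd to the auth_uri read from client_secrets.json, together with a server-side check of the hd claim, because the query parameter only pre-selects the account in the chooser and does not by itself restrict which Google account can complete the sign-in.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Map;

public final class HostedDomainSupport {

    private HostedDomainSupport() {
    }

    /**
     * Appends hd=<domain> to the Google authorization URI, for use in googleResource():
     *   details.setUserAuthorizationUri(withHostedDomain(web.getAuthUri(), "mydomain.example"));
     * Works whether or not auth_uri already carries a query string; the domain is URL-encoded.
     */
    public static String withHostedDomain(String authUri, String domain) {
        if (domain == null || domain.isBlank()) {
            throw new IllegalArgumentException("hosted domain must not be empty");
        }
        String separator = URI.create(authUri).getRawQuery() == null ? "?" : "&";
        return authUri + separator + "hd=" + URLEncoder.encode(domain, StandardCharsets.UTF_8);
    }

    /**
     * The hd query parameter is only a hint to the account chooser: a user can still pick an
     * account from another domain and complete the flow. After the token exchange, verify the
     * hd claim of the ID token (Google sets it for Workspace accounts) against the domain you
     * expect before granting access. Consumer gmail accounts carry no hd claim and are
     * therefore rejected here. The claims map is whatever your token verification produced.
     */
    public static boolean isFromHostedDomain(Map<String, Object> idTokenClaims, String expectedDomain) {
        Object hd = idTokenClaims.get("hd");
        return hd instanceof String && ((String) hd).equalsIgnoreCase(expectedDomain);
    }
}
```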