Java springdoc-openapi-ui OAuth 2.0 authorization code flow with PKCE


I am using swagger with springdoc-openapi-ui-1.4.3

@SecurityRequirement(name = "security_auth")
public class ProductController {}
Setting up the security scheme

import io.swagger.v3.oas.annotations.enums.SecuritySchemeType;
import io.swagger.v3.oas.annotations.security.OAuthFlow;
import io.swagger.v3.oas.annotations.security.OAuthFlows;
import io.swagger.v3.oas.annotations.security.OAuthScope;
import io.swagger.v3.oas.annotations.security.SecurityScheme;

@SecurityScheme(name = "security_auth", type = SecuritySchemeType.OAUTH2,
        flows = @OAuthFlows(authorizationCode = @OAuthFlow(
                authorizationUrl = "${springdoc.oAuthFlow.authorizationUrl}",
                tokenUrl = "${springdoc.oAuthFlow.tokenUrl}",
                scopes = {
                        @OAuthScope(name = "IdentityPortal.API", description = "IdentityPortal.API")})))
public class OpenApiConfig {}
Security configuration

import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {// @formatter:off
        http
                .authorizeRequests()
                // OpenAPI document and Swagger UI are public; the API itself is not
                .antMatchers("/v3/api-docs/**", "/swagger-ui/**", "/swagger-ui.html")
                .permitAll()
                .antMatchers(HttpMethod.GET, "/user/info", "/api/foos/**")
                .hasAuthority("SCOPE_read")
                .antMatchers(HttpMethod.POST, "/api/foos")
                .hasAuthority("SCOPE_write")
                .anyRequest()
                .authenticated()
                .and()
                // validate bearer JWTs against the issuer configured in application.yml
                .oauth2ResourceServer()
                .jwt();
    }// @formatter:on
}
With dependencies

implementation 'org.springframework.boot:spring-boot-starter-oauth2-resource-server'
implementation 'org.springdoc:springdoc-openapi-ui:1.4.3'
implementation 'org.springdoc:springdoc-openapi-security:1.4.3'
implementation "org.springframework.boot:spring-boot-starter-security"
Configuration settings

spring:
  profiles:
    active: dev

####### resource server configuration properties
  security:
    oauth2:
      resourceserver:
        jwt:
          issuer-uri: https://localhost:5001
          jwk-set-uri: https://localhost:5001/connect/token
springdoc:
  swagger-ui:
    oauth:
      clientId: Local
      usepkcewithauthorizationcodegrant: true
  oAuthFlow:
    authorizationUrl: https://localhost:5001
    tokenUrl: https://localhost:5001/connect/token
In the Swagger UI the clientId is empty and a client secret field is present, but for the authorization code + PKCE flow a client secret should not be present.

Your property syntax

usePKCEWithAuthorizationCodeGrant

is incorrect.

Here is the correct property for PKCE:

springdoc.swagger-ui.oauth.use-pkce-with-authorization-code-grant=true
To pre-fill the client id, just use:

springdoc.swagger-ui.oauth.client-id=yourSPAClientId
Thanks for the comment about the existing secret field that could be hidden. This looks like an enhancement to swagger-ui.

You should file an enhancement request on the swagger-ui project:


It has been a while since you asked, but I will answer with some additional information. The main problem is that the UI implementation is misleading. You have to use the authorization code flow in the configuration, because "authorization code with PKCE" is missing as a choice. So you must use authorization code (since you need to provide the authorization and token URLs) and put a dummy secret in the yaml. Example below:

import io.swagger.v3.oas.annotations.enums.SecuritySchemeType;
import io.swagger.v3.oas.annotations.security.OAuthFlow;
import io.swagger.v3.oas.annotations.security.OAuthFlows;
import io.swagger.v3.oas.annotations.security.SecurityScheme;

@SecurityScheme(name = "security_auth", type = SecuritySchemeType.OAUTH2,
        flows = @OAuthFlows(authorizationCode = @OAuthFlow(
                authorizationUrl = "${springdoc.oAuthFlow.authorizationUrl}",
                tokenUrl = "${springdoc.oAuthFlow.tokenUrl}")))
public class OpenApiConfig {}
If you want to use PKCE instead of plain implicit, set the property (as @brianbro pointed out) and a dummy secret, like this:

springdoc.swagger-ui.oauth.use-pkce-with-authorization-code-grant=true
springdoc.swagger-ui.oauth.client-secret=justFillerBecausePKCEUsed
Finally, if you want to pre-fill the client id, use the configuration:

springdoc.swagger-ui.oauth.client-id=YourClientId
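To see why the client secret is only a filler once PKCE is switched on, here is an added example (not part of the question, the answers, springdoc or swagger-ui) of the RFC 7636 S256 exchange that the Swagger UI page performs in the browser as a public client. The class name PkcePair and its methods are my own; the test vector in main is the one printed in RFC 7636 Appendix B. The verifier, not a secret, is what proves to the token endpoint that the same client that started the flow is redeeming the code.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;

/**
 * Illustration of PKCE (RFC 7636, method S256). Hypothetical helper written for
 * this page; it is not springdoc or swagger-ui code. A public client such as a
 * browser-based Swagger UI cannot keep a client_secret, so the binding between the
 * authorization request and the token request is the code_verifier instead.
 */
public final class PkcePair {
    private static final SecureRandom RANDOM = new SecureRandom();
    private static final Base64.Encoder B64URL = Base64.getUrlEncoder().withoutPadding();

    private final String verifier;
    private final String challenge;

    private PkcePair(String verifier, String challenge) {
        this.verifier = verifier;
        this.challenge = challenge;
    }

    /** 32 random bytes -> 43-character base64url verifier (RFC 7636 allows 43..128 chars). */
    public static PkcePair generate() {
        byte[] raw = new byte[32];
        RANDOM.nextBytes(raw);
        String verifier = B64URL.encodeToString(raw);
        return new PkcePair(verifier, challengeFor(verifier));
    }

    /** code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), i.e. code_challenge_method=S256. */
    public static String challengeFor(String verifier) {
        try {
            MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
            byte[] digest = sha256.digest(verifier.getBytes(StandardCharsets.US_ASCII));
            return B64URL.encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
        }
    }

    /**
     * What the token endpoint does when the code is redeemed: recompute the challenge
     * from the presented verifier and compare it in constant time with the challenge
     * it stored when the authorization code was issued.
     */
    public static boolean verify(String storedChallenge, String presentedVerifier) {
        byte[] expected = storedChallenge.getBytes(StandardCharsets.US_ASCII);
        byte[] actual = challengeFor(presentedVerifier).getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, actual);
    }

    public String verifier() { return verifier; }
    public String challenge() { return challenge; }

    public static void main(String[] args) {
        // Known-answer check with the RFC 7636 Appendix B vector.
        String rfcVerifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk";
        String rfcChallenge = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM";
        System.out.println("RFC vector matches: " + challengeFor(rfcVerifier).equals(rfcChallenge));

        PkcePair pair = PkcePair.generate();
        // Step 1, browser -> authorization endpoint: only the challenge leaves the browser.
        System.out.println("authorize: code_challenge=" + pair.challenge() + "&code_challenge_method=S256");
        // Step 2, browser -> token endpoint: code + verifier; no client_secret is required.
        System.out.println("token: code_verifier=" + pair.verifier());
        // Step 3, server side: accept only if the verifier hashes to the stored challenge.
        System.out.println("server accepts genuine client: " + verify(pair.challenge(), pair.verifier()));
        System.out.println("server rejects wrong verifier: " + verify(pair.challenge(), pair.verifier() + "x"));
    }
}
```

Because the server never compares a client_secret in this flow, the value you put in springdoc.swagger-ui.oauth.client-secret is only there to satisfy the UI form; register the Swagger client at your authorization server as a public client with PKCE required, so that the filler secret grants nothing even if it leaks from the served configuration.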

Where can I find documentation on setting these things up for Java? I cannot seem to find much in the way of annotations or example configurations. This is the most helpful post I have found. Thanks for your help @San Jaisy