Spring Security: JWT authorities in a Spring resource server
Tags: spring-security, oauth-2.0, jwt, keycloak, spring-security-oauth2

My Spring OAuth2 client only grants the ROLE_USER authority to authenticated users and ignores the authorities from resource_access in the supplied JWT:
{
  "wdb": {
    "roles": [
      "TestRole",
      "TestRoleFoo",
      "TestRoleBar"
    ]
  }
}
How can I set up the OAuth2 client so that it also grants the resource_access authorities (TestRole, TestRoleFoo, TestRoleBar)? Am I missing some key piece of configuration?
My configuration in detail

On my resource server I am using Spring's default OAuth2 client, configured as follows:
security:
  oauth2:
    client:
      client-id: wdb
      client-secret: some-secret
      access-token-uri: http://localhost:8080/auth/realms/master/protocol/openid-connect/token
      user-authorization-uri: http://localhost:8080/auth/realms/master/protocol/openid-connect/auth
      scope: openid profile email
      authorized-grant-types: code
    resource:
      user-info-uri: http://localhost:8080/auth/realms/master/protocol/openid-connect/userinfo
My Keycloak authorization server gives me the following JWT payload:
{
  "jti": "6a666808-2b69-4de0-ab94-9ceebdac13de",
  "exp": 1569674641,
  "nbf": 0,
  "iat": 1569674341,
  "iss": "http://localhost:8080/auth/realms/master",
  "aud": "account",
  "sub": "f19b0443-4cce-495a-8479-ff36f82628fc",
  "typ": "Bearer",
  "azp": "wdb",
  "auth_time": 1569674341,
  "session_state": "0a411eda-0efb-4f29-99c4-b54da6298d6c",
  "acr": "1",
  "allowed-origins": [
    "/*"
  ],
  "realm_access": {
    "roles": [
      "offline_access",
      "uma_authorization"
    ]
  },
  "resource_access": {
    "wdb": {
      "roles": [
        "TestRole",
        "TestRoleFoo",
        "TestRoleBar"
      ]
    },
    "account": {
      "roles": [
        "manage-account",
        "manage-account-links",
        "view-profile"
      ]
    }
  },
  "scope": "openid profile email",
  "email_verified": true,
  "user_name": "sullrich",
  "name": "Sebastian Ullrich",
  "preferred_username": "sullrich",
  "given_name": "Sebastian",
  "locale": "de",
  "family_name": "Ullrich",
  "email": "sebastian@wdb.local"
}
In my resource server this JWT is turned into the following OAuth2Authentication:
{
  "authorities": [
    {
      "authority": "ROLE_USER"
    }
  ],
  "details": {
    "remoteAddress": "0:0:0:0:0:0:0:1",
    "sessionId": "... session id ...",
    "tokenValue": "... encoded payload ...",
    "tokenType": "bearer"
  },
  "authenticated": true,
  "userAuthentication": {
    "authorities": [
      {
        "authority": "ROLE_USER"
      }
    ],
    "details": {
      "sub": "f19b0443-4cce-495a-8479-ff36f82628fc",
      "email_verified": true,
      "user_name": "sullrich",
      "name": "Sebastian Ullrich",
      "preferred_username": "sullrich",
      "given_name": "Sebastian",
      "locale": "de",
      "family_name": "Ullrich",
      "email": "sebastian@wdb.local"
    },
    "authenticated": true,
    "principal": "Sebastian Ullrich",
    "credentials": "N/A",
    "name": "Sebastian Ullrich"
  },
  "principal": "Sebastian Ullrich",
  "credentials": "",
  "clientOnly": false,
  "oauth2Request": {
    "clientId": "wdb",
    "scope": [],
    "requestParameters": {},
    "resourceIds": [],
    "authorities": [],
    "approved": true,
    "refresh": false,
    "responseTypes": [],
    "extensions": {}
  },
  "name": "Sebastian Ullrich"
}
Sounds like you need a custom JwtAuthenticationConverter. By default Spring only maps the scopes into granted authorities. You can create a class that extends the default implementation and overrides the extractAuthorities method. Then you have access to the claims and can map them to the roles you need:
import java.util.Collection;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;

public class JwtGrantedAuthoritiesConverter extends JwtAuthenticationConverter {
    @Override
    protected Collection<GrantedAuthority> extractAuthorities(Jwt jwt) {
        // keep the default SCOPE_* authorities, then add role-based ones from the claims
        Collection<GrantedAuthority> authorities = super.extractAuthorities(jwt);
        if (jwt.containsClaim("roles") && jwt.getClaimAsStringList("roles").contains("TestRole")) {
            authorities.add(new SimpleGrantedAuthority("ROLE_TestRole"));
        } else {
            // ......... (further role mappings, elided in the original answer)
        }
        return authorities;
    }
}
Your roles are more deeply nested, i.e. under resource_access.wdb. You could always create a Keycloak mapper that adds them under roles in the parent node to make things easier. Here is an example resource server that does something similar:
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        // ...... (other HttpSecurity configuration, elided in the original answer)
        .oauth2ResourceServer()
            .jwt()
            .jwtAuthenticationConverter(new JwtGrantedAuthoritiesConverter());
}

"You could always create a Keycloak mapper that adds them under roles in the parent node to make things easier." This pointed me in the right direction :) Thanks
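The answer's converter keys off a flat "roles" claim, while the token in the question carries the client roles under resource_access.wdb.roles and the realm roles under realm_access.roles. The following converter walks that nesting. It is an added example, not code from the answer, the asker, Spring or Keycloak; it assumes Spring Security 5.2 or later (JwtGrantedAuthoritiesConverter and JwtAuthenticationConverter.setJwtGrantedAuthoritiesConverter), the client id wdb from the question, and the class and method names KeycloakRolesConverter, addRoles and jwtAuthenticationConverter are my own.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Map;

import org.springframework.core.convert.converter.Converter;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;

/**
 * Example (not from the original answer): maps Keycloak's nested
 * resource_access.<clientId>.roles and realm_access.roles claims to ROLE_* authorities,
 * on top of Spring's default SCOPE_* mapping.
 */
public class KeycloakRolesConverter implements Converter<Jwt, Collection<GrantedAuthority>> {

    // Only roles Keycloak issued for this client are honoured; roles of other clients
    // (e.g. "account" in the question's token) are ignored.
    private final String clientId;

    // Spring's default converter: "scope" claim -> SCOPE_openid, SCOPE_profile, ...
    private final JwtGrantedAuthoritiesConverter scopeConverter = new JwtGrantedAuthoritiesConverter();

    public KeycloakRolesConverter(String clientId) {
        this.clientId = clientId;
    }

    @Override
    public Collection<GrantedAuthority> convert(Jwt jwt) {
        List<GrantedAuthority> authorities = new ArrayList<>(scopeConverter.convert(jwt));

        // "resource_access": { "<clientId>": { "roles": [ ... ] }, ... }
        Map<String, Object> resourceAccess = jwt.getClaimAsMap("resource_access");
        if (resourceAccess != null && resourceAccess.get(clientId) instanceof Map) {
            Map<?, ?> client = (Map<?, ?>) resourceAccess.get(clientId);
            addRoles(authorities, client.get("roles"));
        }

        // "realm_access": { "roles": [ ... ] }
        Map<String, Object> realmAccess = jwt.getClaimAsMap("realm_access");
        if (realmAccess != null) {
            addRoles(authorities, realmAccess.get("roles"));
        }
        return authorities;
    }

    // Tolerates a missing or malformed "roles" entry instead of throwing on a bad token.
    private static void addRoles(List<GrantedAuthority> target, Object roles) {
        if (roles instanceof Collection) {
            for (Object role : (Collection<?>) roles) {
                target.add(new SimpleGrantedAuthority("ROLE_" + role));
            }
        }
    }

    /** Builds the JwtAuthenticationConverter to hand to oauth2ResourceServer().jwt(). */
    public static JwtAuthenticationConverter jwtAuthenticationConverter(String clientId) {
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(new KeycloakRolesConverter(clientId));
        return converter;
    }
}
```

Wire it in with .oauth2ResourceServer().jwt().jwtAuthenticationConverter(KeycloakRolesConverter.jwtAuthenticationConverter("wdb")); for the payload in the question this yields ROLE_TestRole, ROLE_TestRoleFoo, ROLE_TestRoleBar, ROLE_offline_access and ROLE_uma_authorization alongside the SCOPE_* authorities, so hasRole("TestRole") works in authorization rules. One caveat: the token above has aud "account" and only azp "wdb", and Spring's default JwtDecoder validation checks issuer and expiry but not the audience, so a resource server that relies on these roles should add its own OAuth2TokenValidator<Jwt> confirming the token was actually issued for it rather than for some other client in the same realm.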