A question has arisen for me when I've tried to use the spring-boot-starter-oauth2-resource-server dependency and set up my service as an oauth2 resource service.
I've configured spring oauth2 resource server without the spring.security.oauth2.resourceserver.jwt.issuer-uri or jwk-set-uri properties.
Instead of that, I've instructed the spring oauth2 resource server library how to decode JWT. I've just created a ReactiveJwtDecoder:
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import org.springframework.context.annotation.Bean;
import org.springframework.security.oauth2.jose.jws.MacAlgorithm;
import org.springframework.security.oauth2.jwt.NimbusReactiveJwtDecoder;
import org.springframework.security.oauth2.jwt.ReactiveJwtDecoder;

@Bean
public ReactiveJwtDecoder reactiveJwtDecoder() throws Exception {
    // Shared HMAC secret: the same bytes the authorization server signs tokens with
    Mac mac = Mac.getInstance("HmacSHA256");
    SecretKeySpec secretKey = new SecretKeySpec("JAC1O17W1F3QB9E8B4B1MT6QKYOQB36V".getBytes(), mac.getAlgorithm());
    // Verify HS256 signatures with that secret; the decoder's default validators also check exp/nbf
    return NimbusReactiveJwtDecoder.withSecretKey(secretKey)
        .macAlgorithm(MacAlgorithm.HS256)
        .build();
}
With that, I'm able to validate JWT tokens.
The question that arose in my mind is:
According to OAuth RFC 6749, the "Accessing Protected Resources" section says that:
The client accesses protected resources by presenting the access
token to the resource server. The resource server MUST validate the
access token and ensure that it has not expired and that its scope
covers the requested resource. The methods used by the resource
server to validate the access token (as well as any error responses)
are beyond the scope of this specification but generally involve an
interaction or coordination between the resource server and the
authorization server.
Is the spring oauth2 resource server library working well?
Comments (1)
There is nothing wrong with such an approach. The possible issue here is that you are using a symmetric key. With this approach you are using the same key for both signing a token and validating its signature. It means you need to share the key used to sign tokens with all the applications involved in the authentication process, which is not always possible, and the resource server has too much power.
To keep the key on the authorization service only, there is an option in the resource server to use a special endpoint, exposed by the authorization service, to validate the token.
Another approach would be to use an asymmetric key pair to sign and validate tokens. In this case the private key will be assigned to the authorization service only and the public key could be shared with all the applications involved in the authentication process.
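The two alternatives the answer describes, written out as a reactive Spring Security configuration. This is an added example, not code from the question or the answer: profile "jwt" verifies RS256 tokens with only the authorization server's public key and adds the expiry, issuer and audience checks that RFC 6749 says the resource server must perform, while profile "introspection" delegates validation to the authorization server's introspection endpoint. Both enforce that the token's scope covers the resource via the SCOPE_ authority. Assumed (not on the page): a classpath file public.pem holding the X.509 public key, the properties app.auth.issuer, app.auth.audience, app.auth.introspection-uri, app.auth.client-id and app.auth.client-secret, and an API under /api/** that requires the "read" scope.

```java
// Added example, not the question's or answer's code. Assumed: public.pem on the classpath,
// the app.auth.* properties named below, and /api/** requiring the "read" scope.
package com.example.resourceserver; // hypothetical package

import java.io.IOException;
import java.security.interfaces.RSAPublicKey;
import java.time.Duration;
import java.util.List;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.core.io.Resource;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.converter.RsaKeyConverters;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimNames;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtIssuerValidator;
import org.springframework.security.oauth2.jwt.JwtTimestampValidator;
import org.springframework.security.oauth2.jwt.NimbusReactiveJwtDecoder;
import org.springframework.security.oauth2.jwt.ReactiveJwtDecoder;
import org.springframework.security.oauth2.server.resource.introspection.NimbusReactiveOpaqueTokenIntrospector;
import org.springframework.security.oauth2.server.resource.introspection.ReactiveOpaqueTokenIntrospector;
import org.springframework.security.web.server.SecurityWebFilterChain;

@Configuration
public class ResourceServerConfig {

    /** Option 1: local JWT validation with the authorization server's PUBLIC key only. */
    @Bean
    @Profile("jwt")
    public ReactiveJwtDecoder rsaJwtDecoder(
            @Value("classpath:public.pem") Resource publicKeyPem,   // assumed file
            @Value("${app.auth.issuer}") String issuer,             // assumed property
            @Value("${app.auth.audience}") String audience) throws IOException {

        // The private key never leaves the authorization server; we only hold the public half.
        RSAPublicKey publicKey = RsaKeyConverters.x509().convert(publicKeyPem.getInputStream());

        NimbusReactiveJwtDecoder decoder = NimbusReactiveJwtDecoder.withPublicKey(publicKey)
                .signatureAlgorithm(SignatureAlgorithm.RS256)
                .build();

        // RFC 6749: the resource server MUST check expiry. Pinning issuer and audience as well
        // rejects a token minted by another issuer or for another API before any scope check runs.
        OAuth2TokenValidator<Jwt> validator = new DelegatingOAuth2TokenValidator<>(
                new JwtTimestampValidator(Duration.ofSeconds(60)),   // exp/nbf, 60 s clock skew
                new JwtIssuerValidator(issuer),
                new JwtClaimValidator<List<String>>(JwtClaimNames.AUD,
                        aud -> aud != null && aud.contains(audience)));
        decoder.setJwtValidator(validator);
        return decoder;
    }

    @Bean
    @Profile("jwt")
    public SecurityWebFilterChain jwtFilterChain(ServerHttpSecurity http, ReactiveJwtDecoder decoder) {
        return http
                .authorizeExchange(ex -> ex
                        .pathMatchers("/api/**").hasAuthority("SCOPE_read")   // scope must cover the resource
                        .anyExchange().authenticated())
                .oauth2ResourceServer(rs -> rs.jwt(jwt -> jwt.jwtDecoder(decoder)))
                .build();
    }

    /** Option 2: opaque tokens, validated by the authorization server's introspection endpoint. */
    @Bean
    @Profile("introspection")
    public ReactiveOpaqueTokenIntrospector introspector(
            @Value("${app.auth.introspection-uri}") String uri,     // assumed properties
            @Value("${app.auth.client-id}") String clientId,
            @Value("${app.auth.client-secret}") String clientSecret) {
        // Each request asks the authorization server whether the token is active and what it grants;
        // the signing key stays entirely on that server.
        return new NimbusReactiveOpaqueTokenIntrospector(uri, clientId, clientSecret);
    }

    @Bean
    @Profile("introspection")
    public SecurityWebFilterChain introspectionFilterChain(ServerHttpSecurity http,
            ReactiveOpaqueTokenIntrospector introspector) {
        return http
                .authorizeExchange(ex -> ex
                        .pathMatchers("/api/**").hasAuthority("SCOPE_read")
                        .anyExchange().authenticated())
                .oauth2ResourceServer(rs -> rs.opaqueToken(ot -> ot.introspector(introspector)))
                .build();
    }
}
```

Run with -Dspring.profiles.active=jwt or -Dspring.profiles.active=introspection to pick one mode. The trade-off between them is the one the answer names: the JWT profile validates offline and needs nothing but a public key, while the introspection profile costs a network call per request but lets the authorization server revoke a token immediately, something a self-validated JWT cannot reflect until it expires.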