How to enrich a JWT in Spring Authorization Server?
I have a SaaS server with a microservice architecture. Authentication is done by the new Spring Authorization Server. For some domain situations, I want to be able to re-issue a JWT for a logged-in user, without forcing the user to enter their password again, in order to enrich their token with additional claims.

Having: a logged-in user with claim set A.
Required: create a new token for the user with claim set B (without user intervention).

I'm looking for something like this:

```java
@PostMapping("/renew")
public Authentication token() {
    // Re-authenticates the caller's current bearer token; it does not mint a new JWT
    return jwtAuthenticationProvider.authenticate(
        new BearerTokenAuthenticationToken(JwtUtil.getCurrentAuthenticationTokenValue())
    );
}
```

where JwtUtil.getCurrentAuthenticationTokenValue() extracts the logged-in user's token value from the SecurityContextHolder. This setup creates no new token and returns the old one, as if no authentication process had been triggered.

But I cannot find a function/service that generates a new token in Spring Authorization Server.

PS. I cannot use a refresh token to get a new access token, because my client is public and, according to this, refresh tokens are only issued to confidential clients.
You can read about OAuth2TokenCustomizer in the docs. Here's an example of customizing the access token:

In your case, you could issue a new request to the authorization endpoint (e.g. GET /oauth2/authorize?...) from the client to begin the authorization_code flow with different scopes or additional request parameters, and use the customizer to add whatever claims you need. Based on the information you've provided, this would be the recommended way to use the authorization server to issue new tokens. Adding custom endpoints to perform OAuth2-related actions (such as a custom /renew endpoint) without incorporating best practices and standards from the specification(s) would not be recommended.
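As an added example, not the answer's own code and not taken from the Spring Authorization Server project, here is what a claim-enriching OAuth2TokenCustomizer looks like when wired as a Spring bean. It assumes the Spring Authorization Server 1.x API (JwtEncodingContext, OAuth2TokenType); the package name, the "tenant.read" scope, the "tenants" claim and the TenantService lookup are hypothetical and exist only to illustrate deriving claims from server-side state rather than from anything the client sends.

```java
package com.example.authserver.config;

import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.core.OAuth2TokenType;
import org.springframework.security.oauth2.server.authorization.token.JwtEncodingContext;
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenCustomizer;

/**
 * Added example (not from the answer or the Spring Authorization Server project).
 * Registers a customizer that runs inside the server's JwtGenerator every time an
 * access token is issued, e.g. at the end of the authorization_code exchange the
 * answer recommends. The "tenants" claim and TenantService are assumptions.
 */
@Configuration
public class TokenClaimsConfig {

    private final TenantService tenantService; // hypothetical domain lookup

    public TokenClaimsConfig(TenantService tenantService) {
        this.tenantService = tenantService;
    }

    @Bean
    public OAuth2TokenCustomizer<JwtEncodingContext> jwtCustomizer() {
        return context -> {
            // Only touch the access token; leave ID token claims to the OIDC defaults.
            if (!OAuth2TokenType.ACCESS_TOKEN.equals(context.getTokenType())) {
                return;
            }

            Authentication principal = context.getPrincipal();

            // getAuthorizedScopes() holds the scopes the server actually granted
            // (validated against the RegisteredClient), not the raw request parameter.
            // Gate the extra claim on a scope so that a public client cannot obtain
            // it simply by hitting the token endpoint with a different grant.
            if (context.getAuthorizedScopes().contains("tenant.read")) {
                List<String> tenants = tenantService.tenantsFor(principal.getName());
                // JwtClaimsSet.Builder: adds (or overwrites) a single named claim.
                context.getClaims().claim("tenants", tenants);
            }
        };
    }

    /** Hypothetical service; a real server would query its own domain model. */
    public interface TenantService {
        List<String> tenantsFor(String username);
    }
}
```

Because the customizer is invoked by the authorization server's own token generator, it fires for every token minted through the standard endpoints (a fresh authorization_code exchange with the new scopes will produce claim set B), but it is never reached by a controller that merely re-validates an existing bearer token, which is why the /renew endpoint in the question hands back the old JWT unchanged.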