如何为OAuth 2.0设置密码授权凭证?

huangapple
未分类评论50阅读模式
英文:

How to set password grant credentials for OAuth 2.0?

问题

我正在尝试设置一个Spring WebClient实例,以使用OAuth 2.0身份验证和密码授权类型,但我不确定如何正确设置用户名和密码。

在我的应用程序中,相关参数以Map<String, String>的形式接收,而不是从任何application.yaml文件加载。因此,出于这个原因,我正试图以编程方式完成它(即,不使用beans)-我的方法可能一开始就是错误的。

这是我的不起作用的解决方案:

{
    OAuth20Info oAuth20Info = (OAuth20Info) parameters.getAuthenticationInfo();

    ClientRegistration registration = ClientRegistrations.fromOidcIssuerLocation(oAuth20Info.getHost() + ":" + oAuth20Info.getPort()) // host, port
        .clientId(oAuth20Info.getClientId()) // clientId
        .tokenUri(oAuth20Info.getTokenUrlPath()) // tokenUrlPath
        .authorizationGrantType(AuthorizationGrantType.PASSWORD) // grantType
        // TODO: How to set: username, password?
        .build();

    ReactiveClientRegistrationRepository clientRegistrations = new InMemoryReactiveClientRegistrationRepository(registration);

    ServerOAuth2AuthorizedClientExchangeFilterFunction oauth =
        new ServerOAuth2AuthorizedClientExchangeFilterFunction(
            clientRegistrations,
            new UnAuthenticatedServerOAuth2AuthorizedClientRepository());

    return WebClient.builder().filter(oauth).build();
}

因此,我不知道在哪里需要设置用户名和密码。根据此链接的内容:"最新的OAuth 2.0安全最佳当前实践完全禁止使用密码授权",因此我不确定它是否受支持。

我希望能够在ClientRegistration实例的构建器中设置用户名和密码,但这是不可能的。

那么,我如何设置用户名和密码值,以便使用密码授权类型的凭据访问某些受保护的资源?提前感谢您的帮助。

我依据您提供的信息为您进行了翻译,如有需要请随时提问。

英文:

I am trying to set a Spring WebClient instance to use OAuth 2.0 authentication with the password grant type, but I am not sure about how to properly set the username and the password.

In my application, the relevant parameters are received in the form of a Map<String, String> and not loaded from any application.yaml file. For this reason, I'm trying to do it programatically (i.e., without the use of beans) - my approach might be wrong to begin with.

This is my non-working solution:

{
    OAuth20Info oAuth20Info = (OAuth20Info) parameters.getAuthenticationInfo();

    ClientRegistration registration = ClientRegistrations.fromOidcIssuerLocation(oAuth20Info.getHost() + ":" + oAuth20Info.getPort()) // host, port
        .clientId(oAuth20Info.getClientId()) // clientId
        .tokenUri(oAuth20Info.getTokenUrlPath()) // tokenUrlPath
        .authorizationGrantType(AuthorizationGrantType.PASSWORD) // grantType
        // TODO: How to set: username, password?
        .build();

    ReactiveClientRegistrationRepository clientRegistrations = new InMemoryReactiveClientRegistrationRepository(registration);

    ServerOAuth2AuthorizedClientExchangeFilterFunction oauth =
        new ServerOAuth2AuthorizedClientExchangeFilterFunction(
            clientRegistrations,
            new UnAuthenticatedServerOAuth2AuthorizedClientRepository());

    return WebClient.builder().filter(oauth).build();
}

Hence, I don't know where I need to set the username and password. According to this: "The latest OAuth 2.0 Security Best Current Practice disallows the password grant entirely", so I am not sure if it is even supported.

I would expect to be able to set the username and password within the builder for the ClientRegistration instance, but it is not possible.

So how could I set the username and password values in order to access some protected resource with password grant type credentials? Thanks in advance.

Relevant part of my dependencies:

<dependency>
  <groupId>org.springframework</groupId>
  <artifactId>spring-webflux</artifactId>
  <version>5.2.3.RELEASE</version>
</dependency>
<dependency>
  <groupId>io.projectreactor.netty</groupId>
  <artifactId>reactor-netty</artifactId>
  <version>0.9.4.RELEASE</version>
</dependency>
<dependency>
  <groupId>org.springframework</groupId>
  <artifactId>spring-web</artifactId>
  <version>5.1.7.RELEASE</version>
</dependency>
<dependency>
  <groupId>org.springframework</groupId>
  <artifactId>spring-core</artifactId>
  <version>5.1.7.RELEASE</version>
</dependency>
<dependency>
  <groupId>org.springframework.security</groupId>
  <artifactId>spring-security-oauth2-client</artifactId>
  <version>5.2.2.RELEASE</version>
</dependency>
<dependency>
  <groupId>org.springframework.security.oauth</groupId>
  <artifactId>spring-security-oauth2</artifactId>
  <version>2.3.7.RELEASE</version>
</dependency>
<dependency>

答案1

得分: -1

你可以尝试:

WebClient.builder()
    .filter(ExchangeFilterFunctions
        .basicAuthentication(configuration.getClientId(), configuration.getClientSecret()))
    .build()
    .post()
    .uri(...)
    ...

你可以使用ExchangeFilterFunctions类向请求添加授权头。

另一种方式:

WebClient.builder()
    .defaultHeaders(header -> header.setBasicAuth(userName, password))
    ...
英文:

You can try:

        WebClient.builder()
            .filter(ExchangeFilterFunctions
                .basicAuthentication(configuration.getClientId(), configuration.getClientSecret()))
            .build()
            .post()
            .uri(...)
            ...

You can use the ExchangeFilterFunctions class to add an authorization header to a request.

Another way:

        WebClient.builder()
            .defaultHeaders(header -> header.setBasicAuth(userName, password))
            ...

huangapple
  • 本文由 发表于 2020年4月7日 01:11:55
  • 转载请务必保留本文链接:https://java.coder-hub.com/61065190.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定