英文:
How to develop Resource Server in OAuth2.0 using Java Spring Boot framework?
问题
以下是翻译好的内容:
我正在尝试开发一个资源服务器,提供将被各种应用程序使用的API。我正在使用Java Spring Boot OAuth 2.0框架。这些应用程序是典型的符合OpenID Connect标准的Web应用程序,将通过/oauth/authorize端点进行授权代码流程。授权被批准后,授权服务器会向应用程序返回访问令牌。然后应用程序使用访问令牌来访问受保护的资源(例如API)。
我专注于资源服务器本身。授权服务器在云中的其他位置。
从API的角度来看,这些是使用@RestController注解公开的REST API,如下所示 -
@RestController
@RequestMapping("/myapi")
以下是我在资源服务器代码中的application.properties中拥有的属性 -
spring.security.oauth2.resourceserver.jwt.jws-algorithm=RS256
spring.security.oauth2.resourceserver.jwt.issuer-uri=
spring.security.oauth2.resourceserver.jwt.jwk-set-uri=
主要类如下 -
@SpringBootApplication
@EnableResourceServer
public class myApplication {
public static void main(String[] args) {
SpringApplication.run(myApplication.class, args);
}
}
以及扩展ResourceServerConfigurerAdapter的类
@Configuration
public class OAuth2ResourceServer extends ResourceServerConfigurerAdapter
{
private static final String RESOURCE_ID = "resource-server-rest-api";
@Override
public void configure(ResourceServerSecurityConfigurer resources) {
resources.resourceId(RESOURCE_ID);
}
@Override
public void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/").permitAll()
.antMatchers("/myapi/**").authenticated();
}
}
每当我使用POSTMAN调用API时,通过在Authorization标头中传递AccessToken,我会收到invalid_token错误。以下是日志片段 -
DEBUG 25536 --- [nio-8080-exec-1] p.a.OAuth2AuthenticationProcessingFilter : Authentication request failed: error="invalid_token"
我已经验证了JWT令牌,它具有正确的声明和范围。
现在的问题是:
- 从代码角度来看,资源服务器是否有遗漏的部分?
- 应用程序属性是否正确,或者还需要添加其他内容?
资源服务器是否需要在运行时与授权服务器进行交互?如果是,那么在哪里指定?
英文:
I'm trying to develop resource server that provides APIs that will be consumed by various applications.
I'm using java spring boot oauth2.0 framework. The applications are web applications that are typical OpenID Connect compliant web applications that will go through the /oauth/authorize endpoint using the authorization code flow. When the authorization is granted, the authorization server returns an access token to the application. The application then uses the access token to access a protected resource (like an API).
My focus is on the Resource Server itself.The Authorization Server is external elsewhere in the cloud.
From APIs standpoint these are REST APIs that are exposed using @RestController annotation like below -
@RestController
@RequestMapping("/myapi")
Below are the properties I'm having in the application.properties in my resource server code -
spring.security.oauth2.resourceserver.jwt.jws-algorithm=RS256
spring.security.oauth2.resourceserver.jwt.issuer-uri=
spring.security.oauth2.resourceserver.jwt.jwk-set-uri=
The main class is as follows -
SpringBootApplication
@EnableResourceServer
public class myApplication {
public static void main(String[] args) {
SpringApplication.run(myApplication .class, args);
}
}
and the class that extends ResourceServerConfigurerAdapter
@Configuration
public class OAuth2ResourceServer extends ResourceServerConfigurerAdapter
{
private static final String RESOURCE_ID = "resource-server-rest-api";
@Override
public void configure(ResourceServerSecurityConfigurer resources) {
resources.resourceId(RESOURCE_ID);
}
@Override
public void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/").permitAll()
.antMatchers("/myapi/**").authenticated();
}
}
Whenever I'm calling the API using POSTMAN while passing AccessToken in the Authorization header, I'm getting invalid_token error.
Below is the snippet of the log -
DEBUG 25536 --- [nio-8080-exec-1] p.a.OAuth2AuthenticationProcessingFilter : Authentication request failed: error="invalid_token"
I have verified jwt token, it has correct claims and scopes.
Now question is
- Is something missing in the resource server from code standpoint?
- Are the application properties correct or anything more need to be added?
Does Resource Server need to interact with Authorization server at run-time? If yes, where is that specified?
专注分享java语言的经验与见解,让所有开发者获益!
评论