在我的项目中,我使用 keycloak 进行 oauth2 下面的参数具体是什么意思?它在什么阶段发挥作用?如果我提供了错误的 client-id 参数,我的项目将正常运行并且令牌将得到验证。
注意:如果我输入无效令牌,安全性会捕获它,因此安全层不会出现问题。
我通过以下请求从 keycloak 获取令牌。
username:test
password:test1
client_id:client-payment
grant_type:password
client_secret:azgf9E8QZxG6lKAYbsYT1
在我的 application.properties 文件中
spring.security.oauth2.client.registration.keycloak.client-id=client-test
即使我输入的参数不正确,令牌也会被验证。到底为什么以及何时使用这些参数?
spring.security.oauth2.client.registration.keycloak.provider=keycloak
spring.security.oauth2.client.registration.keycloak.client-id=client-test
spring.security.oauth2.client.registration.keycloak.client-secret=azgf9E8QZxG6lKAYbsYT1
spring.security.oauth2.client.registration.keycloak.authorization-grant-type=authorization_code
spring.security.oauth2.client.registration.keycloak.scope=openid,read,write
spring.security.oauth2.client.registration.keycloak.redirect-uri=http://localhost:8087/login/oauth2/code/keycloak
spring.security.oauth2.client.provider.keycloak.authorization-uri=http://localhost:8087/realms/realm-payment/protocol/openid-connect/auth
spring.security.oauth2.client.provider.keycloak.token-uri=http://localhost:8087/realms/realm-/protocol/openid-connect/token
spring.security.oauth2.client.provider.keycloak.user-info-uri=http://localhost:8087/realms/realm-/protocol/openid-connect/userinfo
spring.security.oauth2.client.provider.keycloak.jwk-set-uri=http://localhost:8087/realms/realm-/protocol/openid-connect/certs
spring.security.oauth2.client.provider.keycloak.user-name-attribute=preferred_username
spring.security.oauth2.client.provider.keycloak.user-info-authentication-method=header
我的安全课
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
public class SecurityConfig {
private final AuthenticationEntryPoint authenticationEntryPoint;
private final AuthenticationEntryPoint tokenAuthenticationEntryPoint;
private final CustomAuthenticationManagerResolver customAuthenticationManagerResolver;
public SecurityConfig(
@Qualifier("customAuthenticationEntryPoint") AuthenticationEntryPoint authenticationEntryPoint,
@Qualifier("tokenAuthenticationEntryPoint") AuthenticationEntryPoint tokenAuthenticationEntryPoint,
CustomAuthenticationManagerResolver customAuthenticationManagerResolver) {
this.authenticationEntryPoint = authenticationEntryPoint;
this.tokenAuthenticationEntryPoint = tokenAuthenticationEntryPoint;
this.customAuthenticationManagerResolver= customAuthenticationManagerResolver;
}
@Bean
public SecurityFilterChain configure(HttpSecurity http) throws Exception {
http
.cors().and()
.authorizeRequests()
.anyRequest().authenticated()
.and().exceptionHandling()
.authenticationEntryPoint(authenticationEntryPoint)
.and()
.oauth2ResourceServer().authenticationEntryPoint(tokenAuthenticationEntryPoint)
.authenticationManagerResolver(request -> customAuthenticationManagerResolver.resolveAuthenticationManager());
return http.build();
}
}
你能解释一下情况吗?
您正在为
oauth2ResourceServer
定义配置,客户端属性将被忽略。您的类路径上可能有 spring-boot-starter-oauth2-resource-server
以及在某处定义的一些 spring.security.oauth2.resourceserver
属性。资源服务器配置不关心客户端ID
grant_type:password
已弃用,不应使用。就像真的不。这伴随着众所周知的(和被利用的)漏洞。请使用 authorization_code
来代替。