在 Spring 项目中,即使我错误地给出了 oauth2 client-id 参数,也能正常工作

问题描述 投票:0回答:1

在我的项目中,我使用 keycloak 进行 oauth2 下面的参数具体是什么意思?它在什么阶段发挥作用?如果我提供了错误的 client-id 参数,我的项目将正常运行并且令牌将得到验证。

注意:如果我输入无效令牌,安全性会捕获它,因此安全层不会出现问题。

我通过以下请求从 keycloak 获取令牌。

username:test
password:test1
client_id:client-payment
grant_type:password
client_secret:azgf9E8QZxG6lKAYbsYT1

在我的 application.properties 文件中

spring.security.oauth2.client.registration.keycloak.client-id=client-test

即使我输入的参数不正确,令牌也会被验证。到底为什么以及何时使用这些参数?

spring.security.oauth2.client.registration.keycloak.provider=keycloak
spring.security.oauth2.client.registration.keycloak.client-id=client-test
spring.security.oauth2.client.registration.keycloak.client-secret=azgf9E8QZxG6lKAYbsYT1
spring.security.oauth2.client.registration.keycloak.authorization-grant-type=authorization_code
spring.security.oauth2.client.registration.keycloak.scope=openid,read,write
spring.security.oauth2.client.registration.keycloak.redirect-uri=http://localhost:8087/login/oauth2/code/keycloak


spring.security.oauth2.client.provider.keycloak.authorization-uri=http://localhost:8087/realms/realm-payment/protocol/openid-connect/auth
spring.security.oauth2.client.provider.keycloak.token-uri=http://localhost:8087/realms/realm-/protocol/openid-connect/token
spring.security.oauth2.client.provider.keycloak.user-info-uri=http://localhost:8087/realms/realm-/protocol/openid-connect/userinfo
spring.security.oauth2.client.provider.keycloak.jwk-set-uri=http://localhost:8087/realms/realm-/protocol/openid-connect/certs
spring.security.oauth2.client.provider.keycloak.user-name-attribute=preferred_username
spring.security.oauth2.client.provider.keycloak.user-info-authentication-method=header

我的安全课

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
public class SecurityConfig {

    private final AuthenticationEntryPoint authenticationEntryPoint;

    private final AuthenticationEntryPoint tokenAuthenticationEntryPoint;

    private final CustomAuthenticationManagerResolver customAuthenticationManagerResolver;

    public SecurityConfig(
            @Qualifier("customAuthenticationEntryPoint") AuthenticationEntryPoint authenticationEntryPoint,
            @Qualifier("tokenAuthenticationEntryPoint") AuthenticationEntryPoint tokenAuthenticationEntryPoint,
            CustomAuthenticationManagerResolver customAuthenticationManagerResolver) {
        this.authenticationEntryPoint = authenticationEntryPoint;
        this.tokenAuthenticationEntryPoint = tokenAuthenticationEntryPoint;
        this.customAuthenticationManagerResolver= customAuthenticationManagerResolver;
    }

    @Bean
    public SecurityFilterChain configure(HttpSecurity http) throws Exception {
            http
                    .cors().and()
                    .authorizeRequests()
                    .anyRequest().authenticated()
                    .and().exceptionHandling()
                    .authenticationEntryPoint(authenticationEntryPoint)
                    .and()
                    .oauth2ResourceServer().authenticationEntryPoint(tokenAuthenticationEntryPoint)
                    .authenticationManagerResolver(request -> customAuthenticationManagerResolver.resolveAuthenticationManager());
        return http.build();
    }
}

你能解释一下情况吗?

spring-boot spring-security oauth-2.0 keycloak spring-security-oauth2
1个回答
0
投票

您正在为 

oauth2ResourceServer
定义配置,客户端属性将被忽略。您的类路径上可能有 
spring-boot-starter-oauth2-resource-server
以及在某处定义的一些 
spring.security.oauth2.resourceserver
属性。资源服务器配置不关心客户端ID

注意

grant_type:password
已弃用,不应使用。就像真的不。这伴随着众所周知的(和被利用的)漏洞。请使用 
authorization_code
来代替。

最新问题
© www.soinside.com 2019 - 2024. All rights reserved.