我正在通过第三方的OAuth2登录使用Spring-Boot和Spring Security。
SSO提供者具有一个访问令牌端点,该端点返回以下JSON
{
"access_token": "CGjok",
"refresh_token": "TSHO6E",
"scope": "openid profile ",
"id_token": "eyJ0eXAiOiJKV1QiLCg",
"token_type": "Bearer",
"expires_in": 7199,
"nonce": "ImplicitFlowTest"
}
登录名使用@ EnableOAuth2Sso批注,如下所示:
@EnableOAuth2Sso
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
public void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().antMatchers("/restapi/**").hasAuthority("Mitarbeiter")
.antMatchers("/login", "/static/**", "/", "/actuator/prometheus","/error**","/logout").permitAll()
.and().logout().logoutRequestMatcher(new AntPathRequestMatcher("/logout")).invalidateHttpSession(true)
.deleteCookies("SMSESSION", "JSESSIONID", "XSRF-TOKEN").logoutSuccessUrl("/");
http
// CSRF Token
.csrf()
.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
}
我们能够注销该应用程序,但我们也想向授权服务器发送请求。为此,我需要访问令牌信息端点。
在我的控制器中,我能够看到Principal从用户端点获取了正确的信息,但是在Spring Boot中,存储了来自accessToken端点的信息。我已经找到了OAuth2AccessToken类,但是无法弄清楚如何在Spring Controller中读取它。我可以通过按预期方式投射Principal来访问OAuth2Authentication。
SSO授权服务器具有以下我需要呼叫的端点:
/oauth2/connect/endSession?id_token_hint=<oidc-token>&post_logout_redirect_uri=<post-logout-redirect-uri>
The引用来自访问令牌端点的JSON中的值。给定设置后,如何访问这些值?
从安全上下文中读取令牌值
String tokenValue = null;
final Authentication authenticationObject = SecurityContextHolder.getContext().getAuthentication();
if (authenticationObject != null) {
final Object detailObject = authenticationObject.getDetails();
if (detailObject instanceof OAuth2AuthenticationDetails) {
final OAuth2AuthenticationDetails details = (OAuth2AuthenticationDetails) detailObject;
tokenValue = details.getTokenValue();
} else if (detailObject instanceof OAuth2AccessToken) {
final OAuth2AccessToken token = (OAuth2AccessToken) detailObject;
tokenValue = token.getValue();
} else {
tokenValue = null;
}
}