I'm currently using Spring Security for OAuth2 login via social providers (Google, Facebook, etc.). The current setup is based largely on this tutorial: https://www.callicoder.com/spring-boot-security-oauth2-social-login-part-1/
That is, the login is initiated by hitting a REST endpoint, https://example.com/oauth2/authorize/{registrationId}, which stores information about the login session (state + final redirectUri) in a browser cookie and then redirects the client to the provider's authorization URI.
SecurityConfig.java:
package com.example.config;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

import com.example.security.*;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(
        securedEnabled = true,
        jsr250Enabled = true,
        prePostEnabled = true
)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private CustomOAuth2UserService customOAuth2UserService;

    @Autowired
    private OAuth2AuthenticationSuccessHandler oAuth2AuthenticationSuccessHandler;

    @Autowired
    private OAuth2AuthenticationFailureHandler oAuth2AuthenticationFailureHandler;

    @Autowired
    private HttpCookieOAuth2AuthorizationRequestRepository httpCookieOAuth2AuthorizationRequestRepository;

    // Validates the JWT sent by the client on every request (the service is stateless).
    @Bean
    public TokenAuthenticationFilter tokenAuthenticationFilter() {
        return new TokenAuthenticationFilter();
    }

    /*
     * By default, Spring OAuth2 uses HttpSessionOAuth2AuthorizationRequestRepository to save
     * the authorization request. But, since our service is stateless, we can't save it in
     * the session. We'll save the request in a Base64 encoded cookie instead.
     */
    @Bean
    public HttpCookieOAuth2AuthorizationRequestRepository cookieAuthorizationRequestRepository() {
        return new HttpCookieOAuth2AuthorizationRequestRepository();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .cors()
                .and()
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
            .csrf()
                .disable()
            .formLogin()
                .disable()
            .httpBasic()
                .disable()
            .exceptionHandling()
                .authenticationEntryPoint(new RestAuthenticationEntryPoint())
                .and()
            .authorizeRequests()
                .antMatchers("/oauth2/**")
                    .permitAll()
                .anyRequest()
                    .authenticated()
                .and()
            .oauth2Login()
                // Login is initiated at /oauth2/authorize/{registrationId}
                .authorizationEndpoint()
                    .baseUri("/oauth2/authorize")
                    .authorizationRequestRepository(cookieAuthorizationRequestRepository())
                    .and()
                // Provider redirects back to /oauth2/callback/{registrationId}
                .redirectionEndpoint()
                    .baseUri("/oauth2/callback/*")
                    .and()
                .userInfoEndpoint()
                    .userService(customOAuth2UserService)
                    .and()
                .successHandler(oAuth2AuthenticationSuccessHandler)
                .failureHandler(oAuth2AuthenticationFailureHandler);

        // Add our custom Token based authentication filter
        http.addFilterBefore(tokenAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class);
    }

    public HttpCookieOAuth2AuthorizationRequestRepository getHttpCookieOAuth2AuthorizationRequestRepository() {
        return httpCookieOAuth2AuthorizationRequestRepository;
    }

    public void setHttpCookieOAuth2AuthorizationRequestRepository(
            HttpCookieOAuth2AuthorizationRequestRepository httpCookieOAuth2AuthorizationRequestRepository) {
        this.httpCookieOAuth2AuthorizationRequestRepository = httpCookieOAuth2AuthorizationRequestRepository;
    }
}
For Google, application.properties is set up as follows:
#Social Providers OAuth2 settings
spring.security.oauth2.client.registration.google.clientId=abcdefghijklmnopqrstuvwxyz.apps.googleusercontent.com
spring.security.oauth2.client.registration.google.clientSecret=secret
spring.security.oauth2.client.registration.google.redirectUri=https://example.com/oauth2/callback/{registrationId}
spring.security.oauth2.client.registration.google.scope=email,profile
which produces the following authorization URI:
https://accounts.google.com/o/oauth2/v2/auth/oauthchooseaccount
?response_type=code
&client_id=abcdefghijklmnopqrstuvwxyz.apps.googleusercontent.com
&scope=email%20profile
&state=zyxwvutsrqponmlkjihgfedcba
&redirect_uri=https%3A%2F%2Fexample.com%2Foauth2%2Fcallback%2Fgoogle
&service=lso
&o2v=2
&flowName=GeneralOAuthFlow
I'd like to add an extra query parameter:
&prompt=select_account
but I can't figure out how. I tried adding the following line to application.properties:
spring.security.oauth2.client.registration.google.prompt=select_account
but that didn't work (the constructed URI is the same as before), and I can't see any property that could be used to set this particular parameter in the list here: https://docs.spring.io/spring-security/site/docs/5.2.12.RELEASE/reference/html/oauth2.html
Is there a way to append such query parameters through Spring Security?
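The mechanism Spring Security provides for this is the OAuth2AuthorizationRequestResolver, which builds the OAuth2AuthorizationRequest before it is saved (here, into the cookie) and the browser is redirected. Below is an added example, not code from the question or from the linked tutorial, that wraps DefaultOAuth2AuthorizationRequestResolver and appends prompt=select_account to the request for one registration. It assumes Spring Security 5.2.x (the docs version linked above; the same wrapper also works on later versions, where DefaultOAuth2AuthorizationRequestResolver.setAuthorizationRequestCustomizer offers a shorter route), a ClientRegistrationRepository auto-configured from the properties shown, and that only the "google" registration should receive the parameter. The class name and the constructor argument layout are the example's own choices.

```java
package com.example.security;

import java.util.LinkedHashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;

import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.DefaultOAuth2AuthorizationRequestResolver;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestResolver;
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;

/**
 * Example (not from the question): delegates to Spring's default resolver and adds
 * prompt=select_account to the authorization request of one client registration.
 *
 * Wiring in SecurityConfig.configure(), next to the existing authorizationEndpoint() calls
 * (clientRegistrationRepository being an @Autowired ClientRegistrationRepository field):
 *
 *   .authorizationEndpoint()
 *       .baseUri("/oauth2/authorize")
 *       .authorizationRequestRepository(cookieAuthorizationRequestRepository())
 *       .authorizationRequestResolver(new PromptSelectAccountAuthorizationRequestResolver(
 *               clientRegistrationRepository, "/oauth2/authorize", "google"))
 *
 * The baseUri passed to the resolver must match the one given to authorizationEndpoint(),
 * because the default resolver matches requests against {baseUri}/{registrationId}.
 */
public class PromptSelectAccountAuthorizationRequestResolver implements OAuth2AuthorizationRequestResolver {

    private static final String PROMPT_PARAM = "prompt";
    private static final String PROMPT_VALUE = "select_account";

    private final OAuth2AuthorizationRequestResolver delegate;
    private final String targetRegistrationId;

    public PromptSelectAccountAuthorizationRequestResolver(ClientRegistrationRepository clientRegistrationRepository,
                                                           String authorizationRequestBaseUri,
                                                           String targetRegistrationId) {
        this.delegate = new DefaultOAuth2AuthorizationRequestResolver(clientRegistrationRepository,
                authorizationRequestBaseUri);
        this.targetRegistrationId = targetRegistrationId;
    }

    @Override
    public OAuth2AuthorizationRequest resolve(HttpServletRequest request) {
        return customize(delegate.resolve(request));
    }

    @Override
    public OAuth2AuthorizationRequest resolve(HttpServletRequest request, String clientRegistrationId) {
        return customize(delegate.resolve(request, clientRegistrationId));
    }

    private OAuth2AuthorizationRequest customize(OAuth2AuthorizationRequest authorizationRequest) {
        // null means the request was not a login-initiation request; the filter expects null back.
        if (authorizationRequest == null) {
            return null;
        }

        // The default resolver records the registration id as a request attribute.
        Object registrationId = authorizationRequest.getAttributes().get(OAuth2ParameterNames.REGISTRATION_ID);
        if (!targetRegistrationId.equals(registrationId)) {
            return authorizationRequest;
        }

        // Copy the existing extra parameters (the map returned is unmodifiable) and add ours.
        // The value is a constant, deliberately not read from the incoming HTTP request, so a
        // caller cannot inject arbitrary parameters into the URL the user is sent to.
        Map<String, Object> additionalParameters = new LinkedHashMap<>(authorizationRequest.getAdditionalParameters());
        additionalParameters.put(PROMPT_PARAM, PROMPT_VALUE);

        // from() copies client id, redirect URI, scopes, attributes and, importantly, the state
        // value that the cookie repository later compares on the callback. build() regenerates
        // the authorization URI, so the new parameter ends up in the redirect to Google.
        return OAuth2AuthorizationRequest.from(authorizationRequest)
                .additionalParameters(additionalParameters)
                .build();
    }
}
```

Because the cookie-based HttpCookieOAuth2AuthorizationRequestRepository serializes the whole OAuth2AuthorizationRequest, the added parameter travels with the saved request and the state check on /oauth2/callback/google is unaffected; after wiring this in, the redirect to accounts.google.com should carry &prompt=select_account alongside the existing state and redirect_uri parameters.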