I am trying to authorize against an external identity provider. Everything appears to be set up correctly, but my identity provider keeps returning validation errors because the state parameter that is automatically appended to my authorization request is not long enough:
For example:
&state=uYG5DC
My IdP requires that this state parameter be at least 32 characters long. How can I increase the size of this auto-generated value programmatically?
Even if I could generate this value myself, it does not seem possible to override it with the other approaches I have seen suggested. The following attempt fails because the state I set manually,
?state=abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz
is replaced by the auto-generated parameter that gets appended after it during the actual request:
@Bean
public OAuth2ProtectedResourceDetails loginGovOpenId() {
    AuthorizationCodeResourceDetails details = new AuthorizationCodeResourceDetails() {
        @Override
        public String getUserAuthorizationUri() {
            return super.getUserAuthorizationUri() + "?state=abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz";
        }
    };
    details.setClientId(clientId);
    details.setAccessTokenUri(accessTokenUri);
    details.setUserAuthorizationUri(userAuthorizationUri);
    details.setScope(Arrays.asList("openid", "email"));
    details.setPreEstablishedRedirectUri(redirectUri);
    details.setUseCurrentUri(true);
    return details;
}
The length seems to be set to 6 characters here; is there a way to override this? https://github.com/spring-projects/spring-security-oauth/blob/master/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/RandomValueStringGenerator.java
With the help of this post: spring security StateKeyGenerator custom instance
I was able to come up with a working solution.
In my configuration class, annotated with:
@Configuration
@EnableOAuth2Client
I configured the following beans:
@Bean
public OAuth2ProtectedResourceDetails loginGovOpenId() {
    AuthorizationCodeResourceDetails details = new AuthorizationCodeResourceDetails();
    details.setClientId(clientId);
    details.setClientSecret(clientSecret);
    details.setAccessTokenUri(accessTokenUri);
    details.setUserAuthorizationUri(userAuthorizationUri);
    details.setScope(Arrays.asList("openid", "email"));
    details.setPreEstablishedRedirectUri(redirectUri);
    details.setUseCurrentUri(true);
    return details;
}

@Bean
public StateKeyGenerator stateKeyGenerator() {
    return new CustomStateKeyGenerator();
}

@Bean
public AccessTokenProvider accessTokenProvider() {
    AuthorizationCodeAccessTokenProvider accessTokenProvider = new AuthorizationCodeAccessTokenProvider();
    accessTokenProvider.setStateKeyGenerator(stateKeyGenerator());
    return accessTokenProvider;
}

@Bean
public OAuth2RestTemplate loginGovOpenIdTemplate(final OAuth2ClientContext clientContext) {
    final OAuth2RestTemplate template = new OAuth2RestTemplate(loginGovOpenId(), clientContext);
    template.setAccessTokenProvider(accessTokenProvider());
    return template;
}
My CustomStateKeyGenerator implementation class looks like this:
public class CustomStateKeyGenerator implements StateKeyGenerator {
    // login.gov requires state to be at least 32-characters long
    private static int length = 32;
    private RandomValueStringGenerator generator = new RandomValueStringGenerator(length);

    @Override
    public String generateKey(OAuth2ProtectedResourceDetails resource) {
        return generator.generate();
    }
}
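As an added example, not code from the original answer or from Spring Security OAuth: the same StateKeyGenerator contract implemented with JDK classes only (SecureRandom plus URL-safe Base64), with the 32-character minimum quoted in the question made an explicit, checked constant. The class name SecureRandomStateKeyGenerator, its constructor argument and the encodedLength helper are this example's own assumptions; it is dropped in by returning it from the stateKeyGenerator() bean above in place of CustomStateKeyGenerator.

```java
import java.security.SecureRandom;
import java.util.Base64;

import org.springframework.security.oauth2.client.resource.OAuth2ProtectedResourceDetails;
import org.springframework.security.oauth2.client.token.StateKeyGenerator;

/**
 * Added example, not part of the original answer. Generates the OAuth2 state
 * parameter from SecureRandom bytes encoded as unpadded URL-safe Base64, so the
 * value is unpredictable (it is the client's CSRF binding for the callback) and
 * needs no percent-encoding in the query string. MIN_STATE_LENGTH is the IdP
 * requirement stated in the question; the byte count is this example's choice.
 */
public class SecureRandomStateKeyGenerator implements StateKeyGenerator {

    // Minimum length of the generated state, as required by the IdP in the question.
    static final int MIN_STATE_LENGTH = 32;

    private final SecureRandom random = new SecureRandom();
    private final int randomBytes;

    public SecureRandomStateKeyGenerator() {
        // 24 random bytes encode to exactly 32 characters (4 chars per 3 bytes, no padding),
        // i.e. 192 bits of entropy behind a value that just meets the length requirement.
        this(24);
    }

    public SecureRandomStateKeyGenerator(int randomBytes) {
        // Fail at wiring time rather than at the first authorization request.
        if (encodedLength(randomBytes) < MIN_STATE_LENGTH) {
            throw new IllegalArgumentException(randomBytes + " random bytes encode to only "
                    + encodedLength(randomBytes) + " characters; at least "
                    + MIN_STATE_LENGTH + " are required");
        }
        this.randomBytes = randomBytes;
    }

    /** Length of unpadded Base64 for n bytes: ceil(4n / 3). */
    static int encodedLength(int n) {
        return (n * 4 + 2) / 3;
    }

    @Override
    public String generateKey(OAuth2ProtectedResourceDetails resource) {
        byte[] buf = new byte[randomBytes];
        random.nextBytes(buf);
        // URL-safe alphabet (A-Z, a-z, 0-9, '-', '_'), no '=' padding.
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }
}
```

The difference from the answer's CustomStateKeyGenerator is not randomness quality (RandomValueStringGenerator is also backed by SecureRandom) but that the length requirement is checked once, when the bean is constructed, and that the number of random bytes is stated directly rather than implied by a character count. AuthorizationCodeAccessTokenProvider stores the generated value in the OAuth2ClientContext and compares it with the state returned on the callback, so whatever generator is plugged in, the value should come from a CSPRNG and never be a fixed string like the one in the question's first attempt.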