在 Spring Oauth2 授权服务器中有一个内置的端点
/oauth2/introspect
来检查令牌,但它需要在显示响应之前进行身份验证。但要求是在没有身份验证的情况下检查令牌。如下面的代码所示,我试图允许所有内置端点/oauth2/introspect**
允许所有但它仍在尝试进行身份验证。
maven 依赖
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-oauth2-authorization-server</artifactId>
<version>0.3.1</version>
</dependency>
代码
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http.cors()
.configurationSource(request -> new CorsConfiguration()
.applyPermitDefaultValues());
OAuth2AuthorizationServerConfigurer<HttpSecurity> authorizationServerConfigurer =
new OAuth2AuthorizationServerConfigurer<>();
RequestMatcher endpointsMatcher = authorizationServerConfigurer.getEndpointsMatcher();
http.csrf().disable();
http.requestMatcher(endpointsMatcher)
.authorizeRequests(authorizeRequests ->
authorizeRequests
.antMatchers("/oauth2/introspect**").permitAll()
.anyRequest().authenticated())
.csrf(csrf -> csrf.ignoringAntMatchers("/oauth2/token**","/oauth2/introspect**"))
.apply(authorizationServerConfigurer);
return http.build();
}
@Bean
public RegisteredClientRepository registeredClientRepository() {
RegisteredClient registeredClient = RegisteredClient
.withId(UUID.randomUUID().toString())
.clientId("client")
.clientSecret("{noop}secret")
.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
.authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
.clientSettings(ClientSettings.builder()
.tokenEndpointAuthenticationSigningAlgorithm(SignatureAlgorithm.RS256)
.build())
.tokenSettings(TokenSettings.builder()
.accessTokenFormat(OAuth2TokenFormat.REFERENCE)
.idTokenSignatureAlgorithm(SignatureAlgorithm.RS256)
.accessTokenTimeToLive(Duration.ofMinutes(15))
.build())
.scope("read")
.build();
return new InMemoryRegisteredClientRepository(registeredClient);
}