使用spring security使用oauth2client自定义状态参数

klr1opcd  于 2021-07-23  发布在  Java
关注(0)|答案(1)|浏览(657)

我想使用spring security oidc自定义oauth2client的状态参数。我用的是Spring。问题是我无法在客户端注册中添加自定义状态。下面是我的安全配置。

@Bean
    SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        return http
                .authorizeExchange()
                .pathMatchers("/","/jwt").permitAll()
                .anyExchange().authenticated().and()
                .oauth2Client()
                .build();
    }

@Bean
    public ReactiveClientRegistrationRepository reactiveClientRegistrationRepository(RegisteredClients clients) {
        List<ClientRegistration> clientRegistrations = clients.getClients()
                .entrySet().stream()
                .map(clientRegistration -> {
                    String registrationId = clientRegistration.getKey();
                    RegisteredClients.OAuthClient client = clientRegistration.getValue();

                    return ClientRegistration.withRegistrationId(registrationId)
                            .clientId(client.getClientId())
                            .clientSecret(client.getClientSecret())
                            .redirectUriTemplate(client.getRedirectUri())
                            .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                            .tokenUri(client.getTokenUri())
                            .authorizationUri(client.getAuthorizationUri())
                            .scope("openid")
                            .build();
                })
                .collect(toList());
        return new InMemoryReactiveClientRegistrationRepository(clientRegistrations);
    }
nwwlzxa7

nwwlzxa71#

要自定义授权请求,您应该 ServerAuthorizationRequestResolver :

@Bean
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
    return http
        // ...
        .oauth2Client((oauth2) -> oauth2
            .authorizationEndpoint((authorization) -> authorization
                .authorizationRequestResolver(authorizationRequestResolver)
            )
        )
        .build();
}

@Bean
OAuth2ServerAuthorizationRequestResolver authorizationRequestResolver
    (ReactiveClientRegistrationRepository registrations) {

    DefaultServerOAuth2AuthorizationRequestResolver resolver = 
        new DefaultServerOAuth2AuthorizationRequestResolver(registrations);
    resolver.setAuthorizationRequestCustomizer((request) -> request.state(...));
    return resolver;
}

springsecurity有一些相关的servlet文档,可能也很有用。

相关问题