spring OAuth2身份验证服务器访问标记从JWT标记到OAuth标记

mklgxw1f  于 2022-10-30  发布在  Spring
关注(0)|答案(1)|浏览(174)

是否有可能将标记从JWT标记更改为OAuth2标记。
示例代码来自每日代码缓冲器https://github.com/shabbirdwd53/spring-security-tutorial/blob/main/Oauth-authorization-server/src/main/java/com/dailycodebuffer/oauthserver/config/AuthorizationServerConfig.java

@Bean
    public JWKSource<SecurityContext> jwkSource() {
        RSAKey rsaKey = generateRsa();
        JWKSet jwkSet = new JWKSet(rsaKey);
        return (jwkSelector, securityContext) -> jwkSelector.select(jwkSet);
    }

    private static RSAKey generateRsa() {
        KeyPair keyPair = generateRsaKey();
        RSAPublicKey publicKey = (RSAPublicKey) keyPair.getPublic();
        RSAPrivateKey privateKey = (RSAPrivateKey) keyPair.getPrivate();
        return new RSAKey.Builder(publicKey)
                .privateKey(privateKey)
                .keyID(UUID.randomUUID().toString())
                .build();
    }

    private static KeyPair generateRsaKey() {
        KeyPair keyPair;
        try {
            KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
            keyPairGenerator.initialize(2048);
            keyPair = keyPairGenerator.generateKeyPair();
        } catch (Exception ex) {
            throw new IllegalStateException(ex);
        }
        return keyPair;
    }

/oauth2/令牌终结点

{
    "access_token": "eyJraWQiOiI3MzA5MmI1Yy00MDc0LTRkZjktOTdhNS1kMzA3N2E4NDNhYzciLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJjbGllbnQiLCJhdWQiOiJjbGllbnQiLCJuYmYiOjE2NjY2NzgyNTYsInNjb3BlIjpbInJlYWQiXSwiaXNzIjoiaHR0cDpcL1wvbG9jYWxob3N0OjgwMDAiLCJleHAiOjE2NjY2NzkxNTYsImlhdCI6MTY2NjY3ODI1Nn0.QJOMrp2unqLP-nGYo5lnlg1Q3_XXR2XZBTQqt3C9tkhiVs4I2dDjaWze1LrnjEnP2hfb89XqpT1k1AjR_ApsOx5H8PcqqZ0Eaq89ICX6bu3LFo2HApYlV5kRQTD3HQq0uiA_hn9TTdvBJhM5Kz9_0rPQVzBpNqWGnkWzGvbukRPgnBYLNi6lVwOG3mZxkP8aNiOn5Z5PMo9pll6idQLadJtFQ7fKTjG8mFqh1BtLwpmH4U60dzaieafCXwczywKq0xVzk9asB9c0-gw_BbeK4Vns3tp8AzCCyH4rRwy6ssVblUlycyss7scpY9s2ibUZ6N3xg97nowp9Ygqjv_bccw",
    "scope": "read",
    "token_type": "Bearer",
    "expires_in": 899
}
qcuzuvrc

qcuzuvrc1#

Oauth(2)标准没有对令牌格式做任何假设,授权服务器可以完全按照自己的意愿使用令牌。
如果授权服务器发布JWT标记,则其他OAuth2参与者可以使用不超过授权服务器公钥的标记进行解码和验证。
其他令牌格式被认为是“不透明的”,并且必须被提交到各种授权服务器端点以进行验证、用户详细信息等。

相关问题