Spring Boot 如何使用具有不同作用域的OAuth2客户端为Sping Boot 2创建自定义重定向控制器?

ne5o7dgx  于 2023-10-16  发布在  Spring
关注(0)|答案(1)|浏览(102)

我的问题有点不寻常,我正在努力创建一个自定义的@RestController,每次为我的应用程序启动一个不同范围的OAuth2登录过程?
更具体地说,我有一个这样的示例配置:

spring:
  security:
    oauth2:
      client:
        registration:
          my-client:
            clientId: client1
            clientSecret: some-password
            // Basic the property `scope` is not provided here, but in the controller
        provider:
          my-client:
            authorizationUri: https://somehost.com/oauth
            userInfoUri: https://somehost.com/data
            tokenUri: https://somehost.com/oauth/token
            redirectUri: https://somehost.com/oauth
            authorizationGrantType: authorization_code
            clientAuthenticationMethod: client_secret_post

我想要创建的是一个API端点,它充当代理端点,根据提供的scope将用户移动到登录页面。

@GetMapping(path="/redirect-to-login")
public ResponseEntity<?> proxyLogin(@RequestParam("scope") final String scope) {
 log.info("Received scope: {}", scope);
 // TODO: What needs to happen here, is that I need to generate a new login here
 // TODO: for the requested OAuth2 Client scope and redirect the user to the login page of
 // TODO: the provider with the scope.
}

我尝试接收OAuth2ClientRegistrationRepository的所有客户端注册,并尝试扩展它以提供该范围,但我无法弄清楚。

xqkwcwgp

xqkwcwgp1#

您可以为所需的每个“登录配置文件”定义注册:

spring:
  security:
    oauth2:
      client:
        provider:
          my-provider:
            authorizationUri: https://somehost.com/oauth
            userInfoUri: https://somehost.com/data
            tokenUri: https://somehost.com/oauth/token
            redirectUri: https://somehost.com/oauth
            authorizationGrantType: authorization_code
            clientAuthenticationMethod: client_secret_post
        registration:
          reagistration-a:
            provider: my-provider
            clientId: client1
            clientSecret: some-password
            scope:
            - openid
            - profile
            - email
            - offline_access
            - roles
          reagistration-b:
            provider: my-provider
            clientId: client1
            clientSecret: some-password
            scope:
            - openid
            - offline_access
            - whatever-scope

然后,前端通过在正确的URI处重定向来启动authorization_code流:/oauth2/authorization/{registration-id}(设置一个路径值,而不是您调用的请求参数scope的值)

相关问题