Oauth2.0|Oauth2.0基于Spring Authorization Server模块private_key_jwt模式
介绍 处理oauth2.0请求授权client授权模式, 使用授权服务器对客户端进行身份验证时使用的身份验证方法
- client_secret_basic
- client_secret_post
- client_secret_jwt
- private_key_jwt
- none
| 序号 | 授权服务器对客户端进行身份验证时使用的身份验证方法 | 说明 |
|---|---|---|
| 3 | private_key_jwt | JwtClientAssertionAuthenticationConverter |
1. maven项目依赖
spring-authorization-server v0.2.2
2. 生成clientId/clientSecurity授权记录 新增客户端授权记录(oauth2_registered_client), 配置jwt属性ClientSettings
void savePriKeyJwt() {
String id = UUID.randomUUID().toString().replaceAll("-", "");
String jwkSetUri = "http://127.0.0.1:9000/uc/resources";
TokenSettings tokenSettings = TokenSettings.builder()
.reuseRefreshTokens(true)
.refreshTokenTimeToLive(Duration.ofDays(7))
.accessTokenTimeToLive(Duration.ofHours(8))
.idTokenSignatureAlgorithm(SignatureAlgorithm.RS256)
.reuseRefreshTokens(false)
.build();
ClientSettings clientSettings = ClientSettings.builder()
.tokenEndpointAuthenticationSigningAlgorithm(SignatureAlgorithm.RS256)
.jwkSetUrl(jwkSetUri)
.build();
RegisteredClient client = RegisteredClient.withId(id)
.clientId("8000000015")
.clientIdIssuedAt(Instant.now())
.clientSecret("")
.clientSecretExpiresAt(Instant.now().plus(Period.ofDays(20)))
.clientName("Client credentials private_key_jwt有限公司")
.clientAuthenticationMethod(ClientAuthenticationMethod.PRIVATE_KEY_JWT)
.authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
.authorizationGrantType(AuthorizationGrantType.REFRESH_TOKEN)
.scope("server")
.tokenSettings(tokenSettings)
.clientSettings(clientSettings)
.build();
registeredClientRepository.save(client);
log.info("===>{}", JsonUtils.toJsonString(client));
}
3. 生成客户端clientSecurity JWT值
// 先产生公私钥对
void generateJwk() throws Exception {
String keyId = "8000000015";
KeyPair keyPair = keyPair();
JWK jwk = new RSAKey.Builder((RSAPublicKey) keyPair.getPublic())
.privateKey((RSAPrivateKey) keyPair.getPrivate())
.keyUse(KeyUse.SIGNATURE)
.keyID(keyId)
.algorithm(JWSAlgorithm.RS256)
.build();
log.info("===>jwk: {}", jwk.toJSONString());
writePemFile(jwk.toRSAKey().toPrivateKey(), "RSA PRIVATE KEY", "id_rsa");
}// 生成8000000015机构下jwt client 授权token
void priKeyJwt() throws Exception {
String clientId = "8000000015";
String jwkSetUri = "http://127.0.0.1:9000/uc/resources";
RSAPrivateKey privateKey = PemFile.readPrivateKey(PemFile.dir + "id_rsa");
JWSSigner signer = new RSASSASigner(privateKey);
JWTClaimsSet claimsSet = new JWTClaimsSet.Builder()
.subject(clientId)
.issuer(clientId)
.claim("username", "19000000000")
.claim("password", "abc@123")
.audience("http://auth-server:9000")
.expirationTime(new Date(new Date().getTime() + 60 * 60 * 60 * 1000))
.build();
JWSHeader header = new JWSHeader.Builder(JWSAlgorithm.RS256)
.keyID(clientId)
.build();
SignedJWT signedJWT = new SignedJWT(header, claimsSet);
signedJWT.sign(signer);
String token = signedJWT.serialize();
log.info("===>token: {}", token);
}
4. 基于client_credentials/client_secret_jwt授权模式测试数据
| 序号 | Http请求Query params | 参数值 |
|---|---|---|
| 1 | scope | 域 |
| 2 | grant_type | 授权类型:client_credentials |
| 3 | client_assertion_type | jwt type: urn:ietf:params:oauth:client-assertion-type:jwt-bearer |
| 4 | client_assertion | 基于密钥生成token 值 |
| 5 | client_id | 8000000015 |
## 基于Authorization private_key_jwt(公私钥)请求
curl --location --request POST 'http://127.0.0.1:9000/uc/oauth2/token?scope=server&grant_type=client_credentials&client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&client_assertion=eyJraWQiOiI4MDAwMDAwMDE1IiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiI4MDAwMDAwMDE1IiwiYXVkIjoiaHR0cDpcL1wvYXV0aC1zZXJ2ZXI6OTAwMCIsInBhc3N3b3JkIjoiYWJjQDEyMyIsImlzcyI6IjgwMDAwMDAwMTUiLCJleHAiOjE2NDc3ODM5NjIsInVzZXJuYW1lIjoiMTkwMDAwMDAwMDAifQ.O8C_8BRZDceymuFZV_TPs5smTO4X8FPavYx9i-6kyVP-Q-dz-NA4t2Dp1MDe-x0HsNuSuQbdEXX_Cg_mzPfuXr6xcSMdZdiiItPTuYm4WUxzZJ-EtcpmsfvHbnlwP9WDRZg7C873Tu0nflCblpIG5W4lN1SVXnv5Vsqft0Fl9y0M_AWWeRwbQa3xDZp1hoQTz5moK3Z8tTcz8usk3vwBoGUmj1lEjBvgenXfP4bwXw1jFxhCERCFJgWwYnbpSFzzIsBqMmHo4pr9fLvoaA4HxAcvFWkozptYSv18hJa-JpJTDed3phNzAstsME9sPqGFNaPuo3yCfUWzkS7tGaSCQA&client_id=8000000015' \
--header 'Cookie: JSESSIONID=6F5102DA9F8CE3FCA95E7D899FC5BBAB'
5.项目完整地址 Oauth2.0基于Spring Authorization Server private_key_jwt模式 Github 地址
【Oauth2.0|Oauth2.0基于Spring Authorization Server模块private_key_jwt模式】Oauth2.0基于Spring Authorization Server模块private_key_jwt模式 Gitee 地址
推荐阅读
- java|SpringBoot从入门到入门学习笔记
- Oauth2.0|Oauth2.0基于Spring Authorization Server模块client_secret_basic或者post
- spring|SpringBoot 集成minio MinioClient无法依赖问题-已解决
- MyBatis|Spring Boot(十)(Druid的监控统计和多数据源配置)
- vue|基于spring cloud + nacos + gateway + ssm+的学生管理系统
- 微服务之Spring|十、API网关
- spring|springboot文件上传与下载
- SpringBoot|SpringBoot整合Spring Boot Admin实现服务监控
- Oauth2.0|Oauth2.0基于Spring Authorization Server模块client_secret_jwt模式