OAuth 2.0 | OAuth 2.0 client_secret_jwt mode with the Spring Authorization Server module

Introduction: this post covers how an authorization server handles an OAuth 2.0 client authorization request, specifically the client authentication methods it can use to authenticate the client:

  • client_secret_basic
  • client_secret_post
  • client_secret_jwt
  • private_key_jwt
  • none
| No. | Client authentication method used by the authorization server | Description |
|---|---|---|
| 3 | client_secret_jwt | JwtClientAssertionAuthenticationConverter |
Based on the project: Spring Authorization Server
1. Maven project dependency
spring-authorization-server v0.2.2

2. Generate the clientId/clientSecret registration: insert a new client registration record (oauth2_registered_client) and configure the JWT-related ClientSettings
```java
import java.time.Duration;
import java.time.Instant;
import java.time.Period;
import java.util.UUID;

import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.security.oauth2.jose.jws.MacAlgorithm;
import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.config.ClientSettings;
import org.springframework.security.oauth2.server.authorization.config.TokenSettings;

// registeredClientRepository is the injected RegisteredClientRepository; log and JsonUtils are the project's own helpers.
@Test
void saveJwt() {
    String id = UUID.randomUUID().toString().replaceAll("-", "");
    TokenSettings tokenSettings = TokenSettings.builder()
            .refreshTokenTimeToLive(Duration.ofDays(7))
            .accessTokenTimeToLive(Duration.ofHours(8))
            .idTokenSignatureAlgorithm(SignatureAlgorithm.RS256)
            // the original chained reuseRefreshTokens(true) and then (false); the last call wins, so only false is kept
            .reuseRefreshTokens(false)
            .build();
    // client_secret_jwt: the client assertion must be an HMAC (HS256) JWT keyed with the client secret
    ClientSettings clientSettings = ClientSettings.builder()
            .tokenEndpointAuthenticationSigningAlgorithm(MacAlgorithm.HS256)
            .build();
    RegisteredClient client = RegisteredClient.withId(id)
            .clientId("8000000014")
            .clientIdIssuedAt(Instant.now())
            // stored in plain text here because the server needs the raw secret as the HS256 key
            .clientSecret("a5a0ddb27da70b41d31954d0c51419d8")
            .clientSecretExpiresAt(Instant.now().plus(Period.ofDays(20)))
            .clientName("Client credentials client_secret_jwt Co., Ltd.")
            .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_JWT)
            .authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
            .authorizationGrantType(AuthorizationGrantType.REFRESH_TOKEN)
            .scope("server")
            .tokenSettings(tokenSettings)
            .clientSettings(clientSettings)
            .build();
    registeredClientRepository.save(client);
    log.info("===>{}", JsonUtils.toJsonString(client));
}
```

3. Generate the client assertion JWT signed with the client secret
```java
import java.nio.charset.StandardCharsets;
import java.util.Date;
import javax.crypto.spec.SecretKeySpec;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.JWSSigner;
import com.nimbusds.jose.crypto.MACSigner;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;

// Builds the client_assertion value with the Nimbus JOSE library; the wrapper method is added so the fragment compiles.
String buildClientAssertion() throws JOSEException {
    String clientId = "8000000014";
    // 32 ASCII bytes = 256-bit key, the minimum MACSigner accepts for HS256
    String clientSecret = "a5a0ddb27da70b41d31954d0c51419d8";
    SecretKeySpec secretKeySpec = new SecretKeySpec(clientSecret.getBytes(StandardCharsets.UTF_8), "HmacSHA256");
    JWSSigner signer = new MACSigner(secretKeySpec);
    JWTClaimsSet claimsSet = new JWTClaimsSet.Builder()
            .subject(clientId)   // sub and iss are both the client_id
            .issuer(clientId)
            .claim("username", "19000000000")
            .claim("password", "abc@123")
            .audience("http://auth-server:9000")   // the authorization server this assertion is meant for
            .expirationTime(new Date(System.currentTimeMillis() + 60L * 60 * 60 * 1000))   // 60 hours from now
            .build();
    SignedJWT signedJWT = new SignedJWT(new JWSHeader(JWSAlgorithm.HS256), claimsSet);
    signedJWT.sign(signer);
    String token = signedJWT.serialize();
    log.info("===>token: {}", token);
    return token;
}
```

4. Test data for the client_credentials grant with client_secret_jwt client authentication

| No. | HTTP request query parameter | Value |
|---|---|---|
| 1 | scope | server |
| 2 | grant_type | Grant type: client_credentials |
| 3 | client_assertion_type | JWT type: urn:ietf:params:oauth:client-assertion-type:jwt-bearer |
| 4 | client_assertion | The JWT token value |
| 5 | client_id | 8000000014 |
## Token request using client_secret_jwt client authentication

```bash
curl --location --request POST 'http://127.0.0.1:9000/uc/oauth2/token?scope=server&grant_type=client_credentials&client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&client_assertion=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiI4MDAwMDAwMDE0IiwiYXVkIjoiaHR0cDpcL1wvYXV0aC1zZXJ2ZXI6OTAwMCIsInBhc3N3b3JkIjoiYWJjQDEyMyIsImlzcyI6IjgwMDAwMDAwMTQiLCJleHAiOjE2NDc3MjE1NTYsInVzZXJuYW1lIjoiMTkwMDAwMDAwMDAifQ.w3IA5_qoYtrQmZ4fvdqxOsfIuIJ1rwNIU72b8__o7FE&client_id=8000000014'
```
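Steps 3 and 4 above show only the client side. The following stand-alone example, written for this post and not taken from the project, builds the same HS256 client assertion with the Python standard library and then applies the checks a token endpoint must pass before it trusts the client_id carried in the JWT (algorithm pinned to the registered HS256, constant-time signature check, iss and sub equal to the registered client_id, aud naming this server, exp in the future). The client_id, secret and audience are the page's values used as constructed fixtures; the check order and error messages are this example's own, not Spring Authorization Server's implementation.

```python
import base64
import hashlib
import hmac
import json

# Fixture values copied from the page's registered client; nothing here talks to a live server.
CLIENT_ID = "8000000014"
CLIENT_SECRET = "a5a0ddb27da70b41d31954d0c51419d8"
AUDIENCE = "http://auth-server:9000"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _hs256(secret: str, signing_input: str) -> bytes:
    return hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()

def build_client_assertion(client_id, client_secret, audience, now, ttl_seconds=300):
    """Client side: HS256 JWT with iss = sub = client_id, the shape step 3 builds with Nimbus (now = epoch seconds)."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": client_id, "sub": client_id, "aud": audience, "iat": now, "exp": now + ttl_seconds}
    signing_input = ".".join(_b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims))
    return signing_input + "." + _b64url(_hs256(client_secret, signing_input))

def verify_client_assertion(token, registered_client, audience, now):
    """Server side: checks applied to client_assertion; returns the claims or raises ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    h64, c64, s64 = parts
    # The client was registered with HS256, so any other alg (including "none") is rejected outright.
    if json.loads(_b64url_decode(h64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = _hs256(registered_client["client_secret"], f"{h64}.{c64}")
    if not hmac.compare_digest(expected, _b64url_decode(s64)):  # constant-time comparison
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c64))
    cid = registered_client["client_id"]
    if claims.get("iss") != cid or claims.get("sub") != cid:
        raise ValueError("iss and sub must equal the registered client_id")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("aud does not name this authorization server")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("exp missing or in the past")
    return claims
```

The token returned by build_client_assertion is what goes into the client_assertion query parameter of the curl request above.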

5. Full project source
  • OAuth 2.0 client_secret_jwt mode with the Spring Authorization Server module: GitHub address
  • OAuth 2.0 client_secret_jwt mode with the Spring Authorization Server module: Gitee address
