What is the point of using resourceId in OAuth2? Does it play any role in token generation?
I am using the password grant flow in OAuth2. Initially, I registered a client with the resourceId "api" and generated a token. Now, with that token, I can access any resource. Then I registered a new client without a resourceId and generated a token. With this token I was again allowed to access any resource. So does this mean that one token can access any resource? Or can a token generated for a specific resource only access that specific resource? If so, what am I doing wrong?
**This is the authorization server**

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;

@EnableAuthorizationServer
@Configuration
public class OauthConfiguration extends AuthorizationServerConfigurerAdapter {

    private final UserDetailsService userService;
    private final AuthenticationManager authenticationManager;

    @Value("${oauth2.clientId:mobile-app}")
    private String clientId;

    @Value("${oauth2.clientSecret:mobile123}")
    private String clientSecret;

    @Value("${oauth2.accessTokenValiditySeconds:43200}") // 12 hrs
    private int accessTokenValiditySeconds;

    @Value("${oauth2.refreshTokenValiditySeconds:2592000}") // 30 days
    private int refreshTokenValiditySeconds;

    @Value("${oauth2.authorizedGrantTypes:password,authorization_code,refresh_token}")
    private String[] authorizedGrantTypes;

    @Autowired
    private BCryptPasswordEncoder bCryptPasswordEncoder;

    public OauthConfiguration(UserDetailsService userService, AuthenticationManager authenticationManager) {
        this.userService = userService;
        this.authenticationManager = authenticationManager;
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
        security.checkTokenAccess("isAuthenticated()");
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        // Single in-memory client; the resource id "api" becomes the audience of tokens issued to it
        clients.inMemory()
                .withClient(clientId)
                .secret(bCryptPasswordEncoder.encode(clientSecret))
                .accessTokenValiditySeconds(accessTokenValiditySeconds)
                .refreshTokenValiditySeconds(refreshTokenValiditySeconds)
                .authorizedGrantTypes(authorizedGrantTypes)
                .scopes("read", "write")
                .resourceIds("api");
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.accessTokenConverter(accessTokenConverter())
                .userDetailsService(userService)
                .authenticationManager(authenticationManager);
    }

    @Bean
    public JwtAccessTokenConverter accessTokenConverter() {
        return new JwtAccessTokenConverter();
    }
}
```
**And this is the resource server**

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;

@EnableResourceServer
@Configuration
public class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
        // Id this server expects to find in an incoming token's audience
        resources.resourceId("api");
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .antMatcher("/api/**")
                .authorizeRequests()
                // More specific matcher first: matchers are evaluated in order, so the
                // permitAll rule must precede the catch-all "/api/**" rule to take effect
                .antMatchers("/api/signin/**").permitAll()
                .antMatchers("/api/**").authenticated()
                .anyRequest().authenticated();
    }
}
```
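Added illustration, not the poster's code and not the library's source: a standalone model of the audience check a Spring Security OAuth2 resource server applies to a token's resource IDs, as I understand that behaviour, placed next to a stricter variant that also rejects tokens declaring no audience at all. The class and method names are my own.

```java
import java.util.Collections;
import java.util.Set;

public class ResourceIdCheckDemo {

    /**
     * Models the permissive rule (assumed, based on how the resource server
     * behaves): a token is rejected only when it carries a NON-EMPTY audience
     * that does not include this server's resource id. A token minted for a
     * client registered without resourceIds has an empty audience and so
     * passes at every resource server, which is what the question observed.
     */
    static boolean acceptedByDefault(Set<String> tokenResourceIds, String serverResourceId) {
        if (serverResourceId == null || tokenResourceIds == null || tokenResourceIds.isEmpty()) {
            return true;
        }
        return tokenResourceIds.contains(serverResourceId);
    }

    /**
     * Hardened rule: the audience must be present AND must name this server.
     * Registering every client with explicit resourceIds gets the same effect
     * without custom code, because no token then leaves the issuer audience-less.
     */
    static boolean acceptedStrict(Set<String> tokenResourceIds, String serverResourceId) {
        return serverResourceId != null
                && tokenResourceIds != null
                && tokenResourceIds.contains(serverResourceId);
    }

    public static void main(String[] args) {
        // Constructed sample audiences
        Set<String> apiOnly = Collections.singleton("api"); // client registered with .resourceIds("api")
        Set<String> noAudience = Collections.emptySet();     // client registered without resourceIds

        // Token bound to "api", presented to the "api" server
        System.out.println("api token at api:         " + acceptedByDefault(apiOnly, "api"));
        // Token bound to "api", presented to a different server
        System.out.println("api token at billing:     " + acceptedByDefault(apiOnly, "billing"));
        // Audience-less token presented to a server it never named (the observed case)
        System.out.println("no-audience at billing:   " + acceptedByDefault(noAudience, "billing"));
        // Same audience-less token under the strict rule
        System.out.println("strict, no-audience:      " + acceptedStrict(noAudience, "billing"));
        System.out.println("strict, api token at api: " + acceptedStrict(apiOnly, "api"));
    }
}
```

Running it shows the asymmetry behind the question: a token whose audience names "api" is turned away by a server with a different id, while a token with no audience is accepted everywhere under the default rule and only the strict variant rejects it.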