在Oauth2中使用resourceId的意义是什么？它在代币生成过程中发挥任何作用吗？

如何解决在Oauth2中使用resourceId的意义是什么？它在代币生成过程中发挥任何作用吗？

我正在oauth2中使用密码授予流程。最初，我使用resourceId“ api”注册了客户端并生成了令牌。现在，使用该令牌，我可以访问任何资源。再次，我注册了一个没有resourceId的新客户端，并生成了令牌。使用此令牌，我再次被允许访问任何资源。那么这是否意味着一个令牌可以访问任何资源？或为特定资源生成的令牌只能访问该特定资源。如果是这样，我在做什么错了？

//This is authorization server
@EnableAuthorizationServer
@Configuration
public class OauthConfiguration extends AuthorizationServerConfigurerAdapter {
private final UserDetailsService userService;
private final AuthenticationManager authenticationManager;
@Value("${oauth2.clientId:mobile-app}")
private String clientId;
@Value("${oauth2.clientSecret:mobile123}")
private String clientSecret;
@Value("${oauth2.accessTokenValiditySeconds:43200}") //12 hrs
private int accessTokenValiditySeconds;
@Value("${oauth2.refreshTokenValiditySeconds:2592000}") //30days
private int refreshTokenValiditySeconds;
@Value("${oauth2.authorizedGrantTypes:password,authorization_code,refresh_token}")
private String[] authorizedGrantTypes;

@Autowired
private BCryptPasswordEncoder bCryptPasswordEncoder;
public OauthConfiguration(UserDetailsService userService,AuthenticationManager authenticationManager) {
    this.userService = userService;
    this.authenticationManager = authenticationManager;
}

@Override
public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
    security.checkTokenAccess("isAuthenticated()");
}

@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
    clients.inMemory()
            .withClient(clientId)
            .secret(bCryptPasswordEncoder.encode(clientSecret))
            .accessTokenValiditySeconds(accessTokenValiditySeconds)
            .refreshTokenValiditySeconds(refreshTokenValiditySeconds)
            .authorizedGrantTypes(authorizedGrantTypes)
            .scopes("read","write")
            .resourceIds("api");
}

@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
    endpoints.accessTokenConverter(accessTokenConverter())
            .userDetailsService(userService)
            .authenticationManager(authenticationManager);
}
@Bean
public JwtAccessTokenConverter accessTokenConverter() {
    JwtAccessTokenConverter tokenConverter = new JwtAccessTokenConverter();
    return tokenConverter;
}

}

**And this is resource server**

@EnableResourceServer
@Configuration
public class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {
@Override
public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
    resources.resourceId("api");
}

@Override
public void configure(HttpSecurity http) throws Exception {
   http
           .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
           .and()
           .antMatcher("/api/**")
           .authorizeRequests()
           .antMatchers("/api/**").authenticated()
           .antMatchers("/api/signin/**").permitAll()
           .anyRequest().authenticated();
}
}

版权声明：本文内容由互联网用户自发贡献，该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务，不拥有所有权，不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容， 请发送邮件至 dio@foxmail.com 举报，一经查实，本站将立刻删除。