Spring Security OAuth 2.0 – Authorization code grant always requires a client secret

According to the spec, a token request using the authorization code grant does not need to be authenticated as long as client_id is included in the request and matches the client_id used to generate the code. However, with the Spring Security OAuth 2.0 implementation, Basic authentication on the /oauth/token endpoint seems to be required at all times, even when the client has never been assigned a secret.

Given the isSecretRequired() method on the ClientDetails interface, it looks like clients without a secret are supposed to be supported. What do I need to do to enable a client with no secret to authenticate at the /oauth/token URL?

4.1.3. Access Token Request

The client makes a request to the token endpoint by sending the
following parameters using the “application/x-www-form-urlencoded”
format per Appendix B with a character encoding of UTF-8 in the HTTP
request entity-body:

grant_type
REQUIRED. Value MUST be set to “authorization_code”.

code
REQUIRED. The authorization code received from the
authorization server.

redirect_uri
REQUIRED, if the “redirect_uri” parameter was included in the
authorization request as described in Section 4.1.1, and their
values MUST be identical.

client_id
REQUIRED, if the client is not authenticating with the
authorization server as described in Section 3.2.1.

If the client type is confidential or the client was issued client
credentials (or assigned other authentication requirements), the
client MUST authenticate with the authorization server as described
in Section 3.2.1.

Accepted answer
Authenticating clients with form parameters instead of Basic authentication is enabled with the allowFormAuthenticationForClients() method, as shown in the code sample below.

import org.springframework.context.annotation.Configuration
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer

@Configuration
@EnableAuthorizationServer
class AuthorizationServerConfigurer extends AuthorizationServerConfigurerAdapter {

    @Override
    void configure(AuthorizationServerSecurityConfigurer security) {
        security
                .tokenKeyAccess("permitAll()")
                .checkTokenAccess("isAuthenticated()")
                // registers ClientCredentialsTokenEndpointFilter on /oauth/token so
                // client_id (and client_secret, if any) may be sent as form parameters
                .allowFormAuthenticationForClients()
    }
}

The allowFormAuthenticationForClients() method triggers the addition of the ClientCredentialsTokenEndpointFilter, which allows authentication via form parameters.
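A fuller Java configuration, added here as an example and not taken from the answer above or from the Spring project, that pairs allowFormAuthenticationForClients() with a public client registered without a secret. The client id, scope, redirect URI and the injected PasswordEncoder bean are placeholders I have assumed; the exact-match redirectUris registration is what ties an issued code back to this client once no secret is checked.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;

@Configuration
@EnableAuthorizationServer
public class PublicClientAuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

    // Assumed to be provided as a bean elsewhere in the application context.
    private final PasswordEncoder passwordEncoder;

    public PublicClientAuthorizationServerConfig(PasswordEncoder passwordEncoder) {
        this.passwordEncoder = passwordEncoder;
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) {
        security
            .tokenKeyAccess("permitAll()")
            .checkTokenAccess("isAuthenticated()")
            // Adds ClientCredentialsTokenEndpointFilter: the token request may carry
            // client_id as a form parameter instead of a Basic Authorization header.
            // A missing client_secret parameter is treated as the empty string.
            .allowFormAuthenticationForClients()
            .passwordEncoder(passwordEncoder);
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
            .withClient("public-spa")                       // placeholder client_id
            // Public client: the stored secret is the encoding of "", so the empty
            // secret sent by the filter matches and no Basic auth is needed.
            .secret(passwordEncoder.encode(""))
            .authorizedGrantTypes("authorization_code", "refresh_token")
            .scopes("read")                                 // placeholder scope
            // Exact-match registration; with no secret this is the only binding
            // between the authorization code and the client redeeming it.
            .redirectUris("https://app.example.test/callback")
            .autoApprove(false);
    }
}
```

With this in place a request of the form POST /oauth/token with grant_type=authorization_code, code, redirect_uri and client_id=public-spa (and no client_secret) is accepted, while a request from a client whose redirect_uri does not match the registered value is still rejected.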
