Unable to set custom values in the server metadata of a Spring OAuth authorization server

Question   Votes: 0   Answers: 1

My configuration of the server metadata so far:

.authorizationServerMetadataEndpoint { metadataEndpoint ->
    metadataEndpoint.authorizationServerMetadataCustomizer { builder ->
        // The customizer receives the metadata builder; the endpoint filter
        // calls build() itself after the customizer returns, so only mutate it here.
        builder.apply {
            authorizationEndpoint(authorizationEndpoint)
            tokenEndpoint(tokenEndpoint)
            clientRegistrationEndpoint(registrationEndpoint)
            issuer(dispatcherServletPath.path)
            responseType(responseTypeSupported)
            scopesSupported.forEach { s -> scope(s) }
            tokenIntrospectionEndpoint(introspectionEndpoint)
            tokenRevocationEndpoint(revocationEndpoint)
        }
    }
}

But this customization is not applied. When I call GET http://localhost:8080/.well-known/oauth-authorization-server I get all the default values instead of the values I set in the code above. What am I doing wrong?

The full method is here:

    @Bean
    @Order(Ordered.HIGHEST_PRECEDENCE)
    fun serverSecurityFilterChain(
        http: HttpSecurity,
        authorizationServerSettings: AuthorizationServerSettings,
        dispatcherServletPath: DispatcherServletPath,
    ): SecurityFilterChain {
        val deviceClientAuthenticationConverter = DeviceClientAuthenticationConverter(
            authorizationServerSettings.deviceAuthorizationEndpoint
        )
        val deviceClientAuthenticationProvider = DeviceClientAuthenticationProvider(registeredClientRepository())

        val authorizationServerConfigurer = OAuth2AuthorizationServerConfigurer()
        return http
            .csrf { it.disable() }
            .authorizeHttpRequests {
                it.requestMatchers("/auth/**").permitAll().anyRequest().authenticated()
            }
            .sessionManagement { it.sessionCreationPolicy(SessionCreationPolicy.STATELESS) }
            .securityMatcher(authorizationServerConfigurer.endpointsMatcher)
            .with(authorizationServerConfigurer) { authorizationServer ->
                authorizationServer
                    .registeredClientRepository(registeredClientRepository())
                    .authorizationService(authorizationService())
                    .deviceAuthorizationEndpoint { it.verificationUri("/activate") }
                    .deviceVerificationEndpoint { it.consentPage(CONSENT_PAGE_URI) }
                    .clientAuthentication { clientAuthentication ->
                        clientAuthentication
                            .authenticationConverter(deviceClientAuthenticationConverter)
                            .authenticationProvider(deviceClientAuthenticationProvider)
                    }
                    .authorizationEndpoint { authorizationEndpoint ->
                        authorizationEndpoint.consentPage(CONSENT_PAGE_URI)
                    }
                    .authorizationServerMetadataEndpoint { metadataEndpoint ->
                        metadataEndpoint.authorizationServerMetadataCustomizer { builder ->
                            // The customizer receives the metadata builder; the endpoint filter
                            // calls build() itself after the customizer returns, so only mutate it here.
                            builder.apply {
                                authorizationEndpoint(authorizationEndpoint)
                                tokenEndpoint(tokenEndpoint)
                                clientRegistrationEndpoint(registrationEndpoint)
                                issuer(dispatcherServletPath.path)
                                responseType(responseTypeSupported)
                                scopesSupported.forEach { s -> scope(s) }
                                tokenIntrospectionEndpoint(introspectionEndpoint)
                                tokenRevocationEndpoint(revocationEndpoint)
                            }
                        }
                    }
                    .tokenEndpoint { it.authenticationProvider(authManager()) }
                    .tokenRevocationEndpoint {}
                    .tokenIntrospectionEndpoint {}
                    .oidc {
                        it.logoutEndpoint { }
                            .userInfoEndpoint { }
                            .clientRegistrationEndpoint { }
                            .providerConfigurationEndpoint { }
                    }
            }
            .exceptionHandling { exceptions ->
                exceptions.defaultAuthenticationEntryPointFor(
                    LoginUrlAuthenticationEntryPoint("/auth/login"),
                    MediaTypeRequestMatcher(MediaType.TEXT_HTML)
                )
            }
            .addFilterBefore(jwtAuthorizationFilter, UsernamePasswordAuthenticationFilter::class.java)
            .build()
    }

The response is:

{
  "issuer": "http://localhost:8080",
  "authorization_endpoint": "http://localhost:8080/oauth2/authorize",
  "device_authorization_endpoint": "http://localhost:8080/oauth2/device_authorization",
  "token_endpoint": "http://localhost:8080/oauth2/token",
  "token_endpoint_auth_methods_supported": [
    "client_secret_basic",
    "client_secret_post",
    "client_secret_jwt",
    "private_key_jwt",
    "tls_client_auth",
    "self_signed_tls_client_auth"
  ],
  "jwks_uri": "http://localhost:8080/oauth2/jwks",
  "response_types_supported": [
    "code"
  ],
  "grant_types_supported": [
    "authorization_code",
    "client_credentials",
    "refresh_token",
    "urn:ietf:params:oauth:grant-type:device_code",
    "urn:ietf:params:oauth:grant-type:token-exchange"
  ],
  "revocation_endpoint": "http://localhost:8080/oauth2/revoke",
  "revocation_endpoint_auth_methods_supported": [
    "client_secret_basic",
    "client_secret_post",
    "client_secret_jwt",
    "private_key_jwt",
    "tls_client_auth",
    "self_signed_tls_client_auth"
  ],
  "introspection_endpoint": "http://localhost:8080/oauth2/introspect",
  "introspection_endpoint_auth_methods_supported": [
    "client_secret_basic",
    "client_secret_post",
    "client_secret_jwt",
    "private_key_jwt",
    "tls_client_auth",
    "self_signed_tls_client_auth"
  ],
  "code_challenge_methods_supported": [
    "S256"
  ],
  "tls_client_certificate_bound_access_tokens": true
}

This is not what I want. Also, how do I change the URL of the metadata?

spring spring-boot spring-mvc spring-security
1 answer
0 votes

To customize the .well-known/openid-configuration metadata you need to provide a providerConfigurationCustomizer, like this:

oidc { c ->
    c.providerConfigurationEndpoint { p ->
        // Customizes the document served at /.well-known/openid-configuration
        p.providerConfigurationCustomizer {
            it.issuer(serverMetadata.issuer)
                .authorizationEndpoint(serverMetadata.authorizationEndpoint)
                .tokenEndpoint(serverMetadata.tokenEndpoint)
                .jwkSetUrl(serverMetadata.jwksUri)
                .tokenRevocationEndpoint(serverMetadata.revocationEndpoint)
                .clientRegistrationEndpoint(serverMetadata.registrationEndpoint)
        }
    }
}
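The following is an added example and is not code from the question or from the answer. It shows a single authorization-server filter chain that customizes both discovery documents, the RFC 8414 one the question fetches and the OpenID Connect one the answer configures, together with an AuthorizationServerSettings bean that sets the issuer and the endpoint paths the defaults are built from. The issuer URL, the /auth/... paths, the scope list and the service_documentation value are constructed for the example, and it assumes Spring Authorization Server 1.x running on Spring Security 6.2 or newer (for HttpSecurity.with).

```kotlin
// Added example, not the asker's or answerer's code. Assumes Spring Authorization
// Server 1.x on Spring Security 6.2+ (HttpSecurity.with) in a Kotlin Spring Boot app.
// Issuer, hostnames, paths and scopes below are constructed values.
import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.core.Ordered
import org.springframework.core.annotation.Order
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.OAuth2AuthorizationServerConfigurer
import org.springframework.security.oauth2.server.authorization.settings.AuthorizationServerSettings
import org.springframework.security.web.SecurityFilterChain

@Configuration
class DiscoveryMetadataConfig {

    // Issuer and endpoint paths. Both discovery documents derive their default URLs
    // from these settings, so changing a path here changes the advertised metadata
    // without any customizer. The issuer must be an absolute URL; resource servers
    // check a token's "iss" claim against the same value.
    @Bean
    fun authorizationServerSettings(): AuthorizationServerSettings =
        AuthorizationServerSettings.builder()
            .issuer("https://auth.example.test") // constructed value
            .authorizationEndpoint("/auth/authorize")
            .tokenEndpoint("/auth/token")
            .jwkSetEndpoint("/auth/jwks")
            .tokenRevocationEndpoint("/auth/revoke")
            .tokenIntrospectionEndpoint("/auth/introspect")
            .build()

    // Scopes to advertise (constructed). Advertise only scopes the server really
    // issues: discovery-based clients build their requests from this list.
    private val advertisedScopes = listOf("openid", "profile", "orders.read")

    @Bean
    @Order(Ordered.HIGHEST_PRECEDENCE)
    fun authorizationServerFilterChain(http: HttpSecurity): SecurityFilterChain {
        val authorizationServer = OAuth2AuthorizationServerConfigurer()
        http
            .securityMatcher(authorizationServer.endpointsMatcher)
            .with(authorizationServer) { configurer ->
                configurer
                    // RFC 8414 document served at /.well-known/oauth-authorization-server.
                    // The lambda receives the metadata Builder; the endpoint filter calls
                    // build() after it returns, so the customizer only mutates the builder.
                    .authorizationServerMetadataEndpoint { metadata ->
                        metadata.authorizationServerMetadataCustomizer { builder ->
                            advertisedScopes.forEach { s -> builder.scope(s) }
                            builder.claim("service_documentation", "https://auth.example.test/docs")
                        }
                    }
                    // OIDC discovery document served at /.well-known/openid-configuration.
                    // It is built separately from the RFC 8414 one, so it needs its own customizer.
                    .oidc { oidc ->
                        oidc.providerConfigurationEndpoint { endpoint ->
                            endpoint.providerConfigurationCustomizer { builder ->
                                advertisedScopes.forEach { s -> builder.scope(s) }
                                builder.claim("service_documentation", "https://auth.example.test/docs")
                            }
                        }
                    }
            }
            // As in the reference configuration: the discovery filters answer before
            // authorization runs; other requests to the server's endpoints need authentication.
            .authorizeHttpRequests { it.anyRequest().authenticated() }
        return http.build()
    }
}
```

After startup, fetch both https://auth.example.test/.well-known/oauth-authorization-server and https://auth.example.test/.well-known/openid-configuration and check that each shows the /auth/... paths, the scopes_supported list and the extra claim; a client that uses discovery sends its requests wherever these documents point, so the check belongs in the deployment tests. The /.well-known/... paths themselves are fixed by RFC 8414 and OpenID Connect Discovery and are not settable through AuthorizationServerSettings; what the settings control is the issuer and the endpoint paths the documents advertise. Keep the issuer an absolute URL: the metadata builder rejects anything else when it builds, and a resource server compares the iss claim of each token against the issuer it was configured with, so the two must agree.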
© www.soinside.com 2019 - 2024. All rights reserved.