我们已经实现了使用弹簧的oauth2服务器API。我已经注意到,从服务器的独立设备调用,即使每个用户/客户端ID组合产生同样的道理。这将导致一个问题,我的客户可以运行多个实例:例如, Android和iOS应用。我需要一种方法来标记链接到一个特定的实例,而不是重复使用同样的道理。
其中这是必需的一个例子是用于GCM(或推送通知),其中API需要知道它正在与之通信哪个实例。
这是我目前的Spring配置:
<http pattern="/oauth/token" create-session="stateless"
authentication-manager-ref="clientAuthenticationManager"
entry-point-ref="oauthAuthenticationEntryPoint" xmlns="http://www.springframework.org/schema/security">
<intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY" />
<anonymous enabled="false" />
<http-basic entry-point-ref="oauthAuthenticationEntryPoint" />
<!-- include this only if you need to authenticate clients via request parameters -->
<custom-filter ref="clientCredentialsTokenEndpointFilter" before="BASIC_AUTH_FILTER" />
<access-denied-handler ref="oauthAccessDeniedHandler" />
</http>
<oauth:authorization-server
client-details-service-ref="mongoclientDetails" token-services-ref="tokenServices"
user-approval-handler-ref="userApprovalHandler">
<!-- authorization-endpoint-url="/oauth/authorize" token-endpoint-url="/oauth/token"> -->
<oauth:authorization-code />
<oauth:implicit />
<oauth:refresh-token />
<oauth:client-credentials />
<oauth:password />
</oauth:authorization-server>
我不想给每个客户不同的ID因为这将是不切实际的。有任何想法吗?
所以DefaultAuthenticationKeyGeneration使用client_id,并scope创建key,如果在匹配请求获得令牌它提供了之前生成的令牌。所以你的情况,你可以有IOS,Android和作用域设备ID。
这里是我的代码。
@Configuration
@EnableAuthorizationServer
protected static class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {
.....
@Override
public void configure(ClientDetailsServiceConfigurer clients) {
clients.inMemory()
.withClient("my-trusted-client-with-secret")
.authorizedGrantTypes("client_credentials")
.authorities("ROLE_CLIENT", "ROLE_TRUSTED_CLIENT")
//.scopes("read", "write", "trust")
.secret("somesecret")
.accessTokenValiditySeconds(3600);
}
}
测试
» curl -H "Accept: application/json" my-trusted-client-with-secret:somesecret@localhost:8080/auth/oauth/token -d grant_type=client_credentials -d custid=1 -d siteid=2D -d scope="y"
{"access_token":"cust:site1:2D","token_type":"bearer","expires_in":3282,"scope":"y"}%
» curl -H "Accept: application/json" my-trusted-client-with-secret:somesecret@localhost:8080/auth/oauth/token -d grant_type=client_credentials -d custid=1 -d siteid=3D -d scope="z"
{"access_token":"cust:site1:3D","token_type":"bearer","expires_in":3290,"scope":"z"}%
» curl -H "Authorization: Bearer cust:site:3D" http://localhost:8080/dtn-auth/home
{"error":"invalid_token","error_description":"Invalid access token: cust:site:3D"}%
» curl -H "Authorization: Bearer cust:site1:3D" http://localhost:8080/dtn-auth/home
Hello World%
» curl -H "Authorization: Bearer cust:site1:2D" http://localhost:8080/dtn-auth/home
Hello World%
正如你看到的我是能够产生相同的CLIENT_ID和这两个标记认证从资源服务器访问资源的多个令牌。
我认为,你可以在你的请求,设备ID和每个ID生成令牌或者你可以得到确定设备的调用您的API像(安卓,IOS),并为每个平台生成令牌的类型标志。