(1) The function of resource_id

Spring Security OAuth2 is architecturally divided into an Authorization Server and Resource Servers. Each Resource Server (a microservice instance) can be given a ResourceID. When the Authorization Server authorizes a third-party client, it can specify which Resource Servers that client may access. If the Authorization Server specifies none, the client is allowed to access every Resource Server.

How the ResourceServer sets its ResourceID

Set the resourceId on each ResourceServer instance as the unique identifier of that service's resources. (If a microservice resource is deployed as multiple instances, they share the same resourceId.)

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;

@Configuration
@EnableResourceServer
public class OAuth2ResourceServer extends ResourceServerConfigurerAdapter {

    // Unique identifier of this resource server; a token must carry it in its resource_ids
    private static final String DEMO_RESOURCE_ID = "test-resource";

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        resources.resourceId(DEMO_RESOURCE_ID);
        // ... other configuration can go here as well
    }
}
```

How the AuthorizationServer sets ResourceIDs

The purpose of configuring ResourceIDs for a client on the AuthorizationServer is to limit which resource services that client can access.

```java
import javax.sql.DataSource;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.provider.client.JdbcClientDetailsService;

// Inside the AuthorizationServerConfigurerAdapter; dataSource and passwordEncoder are injected beans
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
    // Client details are stored in the database instead of the original in-memory mode
    JdbcClientDetailsService clientDetailsService = new JdbcClientDetailsService(dataSource);
    clientDetailsService.setPasswordEncoder(passwordEncoder);
    clients.withClientDetails(clientDetailsService);
}
```

Here the JdbcClientDetailsService class is used together with the oauth_client_details database table, so the client configuration (including its resource_ids) is persisted and can be changed dynamically.

Where the ResourceID is validated

The ResourceID is naturally validated on the Resource Server (it is the resource server that checks whether the caller may access its resources). When a resource request reaches the Resource Server, it carries an access_token. The Resource Server uses the access_token to look up the resource_ids the client is allowed to access. If that resource_ids set contains the ResourceID the Resource Server has configured for itself, the check passes and the remaining permission checks can continue.

  • @EnableResourceServer adds an OAuth2AuthenticationProcessingFilter to the Spring Security FilterChain, which filters every resource request.
  • OAuth2AuthenticationProcessingFilter uses OAuth2AuthenticationManager to verify the token. During token authentication the client configuration is loaded from the oauth_client_details table.

If the AuthorizationServer has granted client1 access to test-resource only, but client1 calls a Resource Server whose ResourceID is oauth-rs, the response is:

```json
{"error":"access_denied","error_description":"Invalid token does not contain resource id (oauth-rs)"}
```

The resource_id validation is implemented in OAuth2AuthenticationManager#authenticate(Authentication authentication):

```java
// From OAuth2AuthenticationManager (spring-security-oauth2); resourceId is the manager's field,
// set from the resource server configuration, and tokenServices loads the token's authentication
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
    if (authentication == null) {
        throw new InvalidTokenException("Invalid token (token not found)");
    }
    String token = (String) authentication.getPrincipal();
    OAuth2Authentication auth = tokenServices.loadAuthentication(token);
    if (auth == null) {
        throw new InvalidTokenException("Invalid token: " + token);
    }

    Collection<String> resourceIds = auth.getOAuth2Request().getResourceIds();
    if (resourceId != null && resourceIds != null && !resourceIds.isEmpty() && !resourceIds.contains(resourceId)) {
        throw new OAuth2AccessDeniedException("Invalid token does not contain resource id (" + resourceId + ")");
    }

    checkClientDetails(auth);

    if (authentication.getDetails() instanceof OAuth2AuthenticationDetails) {
        OAuth2AuthenticationDetails details = (OAuth2AuthenticationDetails) authentication.getDetails();
        // Guard against a cached copy of the same details
        if (!details.equals(auth.getDetails())) {
            // Preserve the authentication details from the one loaded by token services
            details.setDecodedDetails(auth.getDetails());
        }
    }
    auth.setDetails(authentication.getDetails());
    auth.setAuthenticated(true);
    return auth;
}
```

The following part is where the resourceId is validated:

```java
Collection<String> resourceIds = auth.getOAuth2Request().getResourceIds();
if (resourceId != null && resourceIds != null && !resourceIds.isEmpty() && !resourceIds.contains(resourceId)) {
    throw new OAuth2AccessDeniedException("Invalid token does not contain resource id (" + resourceId + ")");
}
```

In the Spring Security FilterChain, OAuth2AuthenticationProcessingFilter sits in front of FilterSecurityInterceptor. Therefore the resource server first verifies whether the client is permitted to access this resource at all; only when it is does the request go on to the further authorization checks.
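The three outcomes described above (token accepted by test-resource, rejected by oauth-rs with the error_description shown earlier, and a client with no resource_ids accepted everywhere) can be reproduced against the real OAuth2AuthenticationManager. This is an added JUnit 4 test, not code from the article or from the Spring project; it assumes spring-security-oauth2 and JUnit 4 on the classpath, and the class name, the stub ResourceServerTokenServices and the token value are constructed for the test.

```java
import static org.junit.Assert.*;
import java.util.Collections;
import java.util.Set;
import org.junit.Test;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.common.exceptions.OAuth2AccessDeniedException;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.OAuth2Request;
import org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationManager;
import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;

public class ResourceIdCheckTest {
    // Constructed stub for the token store: any token resolves to client1 holding exactly
    // the resource_ids passed in (what the oauth_client_details.resource_ids column would hold).
    private static ResourceServerTokenServices tokenServicesFor(final Set<String> grantedResourceIds) {
        return new ResourceServerTokenServices() {
            public OAuth2Authentication loadAuthentication(String accessToken) {
                OAuth2Request request = new OAuth2Request(Collections.<String, String>emptyMap(), "client1",
                        null, true, Collections.singleton("read"), grantedResourceIds, null, null, null);
                return new OAuth2Authentication(request, null); // client-only token, no user
            }
            public OAuth2AccessToken readAccessToken(String accessToken) { return null; } // unused here
        };
    }
    // Runs the real OAuth2AuthenticationManager for a resource server configured with serverResourceId.
    private static Authentication authenticateOn(String serverResourceId, Set<String> granted) {
        OAuth2AuthenticationManager manager = new OAuth2AuthenticationManager();
        manager.setResourceId(serverResourceId);
        manager.setTokenServices(tokenServicesFor(granted));
        return manager.authenticate(new PreAuthenticatedAuthenticationToken("constructed-token", ""));
    }
    @Test
    public void resourceIdCheckMatchesTheArticle() {
        Set<String> onlyTestResource = Collections.singleton("test-resource");
        // client1 was granted test-resource, so test-resource accepts the token ...
        assertTrue(authenticateOn("test-resource", onlyTestResource).isAuthenticated());
        // ... and oauth-rs rejects it with the exact error_description seen in the response above.
        try {
            authenticateOn("oauth-rs", onlyTestResource);
            fail("expected OAuth2AccessDeniedException");
        } catch (OAuth2AccessDeniedException e) {
            assertEquals("Invalid token does not contain resource id (oauth-rs)", e.getMessage());
        }
        // Caveat: a client with no resource_ids at all is accepted by every resource server.
        assertTrue(authenticateOn("oauth-rs", Collections.<String>emptySet()).isAuthenticated());
    }
}
```

The last assertion is the case to watch when reviewing oauth_client_details: an empty resource_ids column is not a deny, it is a grant to all resource servers.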

Welcome to my blog, where many more collected articles can be found.

  • Reprints of this article must credit the source (with a link, not just the text): Antetokounmpo blog.
