Question

我使用Spring Security和Oauth 2.0身份验证协议来保护REST服务。

我已经实施了MVC Spring应用程序并且它运行良好。客户端通过提供客户端凭证（client_id＆amp; client_secret）＆amp ;;来请求服务器获取AccessToken。用户凭证（用户名和密码）调用outh / token服务，该服务定义在servlet-config.xml中：

<http pattern="/oauth/token" create-session="stateless"
    authentication-manager-ref="clientAuthenticationManager"
    xmlns="http://www.springframework.org/schema/security" > 
    <intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY" />
    <anonymous enabled="false" />
    <http-basic entry-point-ref="clientAuthenticationEntryPoint" />
    <custom-filter ref="clientCredentialsTokenEndpointFilter" before="BASIC_AUTH_FILTER" /> 
    <access-denied-handler ref="oauthAccessDeniedHandler" />
 </http>

如果凭据有效，客户端将获得如下响应的访问令牌：

{
    "value": "b663f10d-553d-445b-afde-e9cd84066a1c",
    "expiration": 1406598295994,
    "tokenType": "bearer",
    "refreshToken": {
        "value": "36737abf-24bd-4b86-ad22-601f4d5cdee4",
        "expiration": 1408890295994
    },
    "scope": [],
    "additionalInformation": {},
    "expiresIn": 299999,
    "expired": false
}

我想要一个包含用户详细信息的响应：

{
        "value": "b663f10d-553d-445b-afde-e9cd84066a1c",
        "expiration": 1406598295994,
        "tokenType": "bearer",
        "refreshToken": {
            "value": "36737abf-24bd-4b86-ad22-601f4d5cdee4",
            "expiration": 1408890295994
        },

        "additionalInformation": {},
        "expiresIn": 299999,
        "expired": false,

        "USER_ID": "1",
        "USER_ROLE": "admin",
        "OTHER DATA..."
    }

有谁知道实现这个的方法？

我一直在谷歌搜索，但我还没有找到一个实现类似场景的例子。如果这个问题听起来很愚蠢，我很抱歉，但我在Spring Security中是一个非常新的问题。

Answer 1

这就是我实现类似于你的场景的方式。

1）创建自定义令牌增强器：

public class CustomTokenEnhancer implements TokenEnhancer {

    @Override
    public OAuth2AccessToken enhance(OAuth2AccessToken accessToken, OAuth2Authentication authentication) {

        final Map<String, Object> additionalInfo = new HashMap<>();

        User user = (User) authentication.getPrincipal();

        additionalInfo.put("user_id", user.getId());
        additionalInfo.put("business_id", user.getBusinessId());

        ((DefaultOAuth2AccessToken) accessToken).setAdditionalInformation(additionalInfo);

        return accessToken;
    }

}

2）配置中的用户自定义令牌增强器。

@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
    endpoints
        .tokenStore(tokenStore())
        .tokenEnhancer(tokenEnhancerChain())
        .authenticationManager(authenticationManager)
        .accessTokenConverter(jwtAccessTokenConverter());
}

/**
 * Creates a chain of the list of token enhancers.
 * @return
 * 
 * @since 0.0.1
 * 
 * @author Anil Bharadia
 */
public TokenEnhancerChain tokenEnhancerChain() {
    TokenEnhancerChain chain = new TokenEnhancerChain();
    chain.setTokenEnhancers(Arrays.asList(tokenEnhancer(), jwtAccessTokenConverter()));
    return chain;
}

/**
 * Get the new instance of the token enhancer.
 * @return
 */
@Bean
public TokenEnhancer tokenEnhancer() {
    return new CustomTokenEnhancer();
}

就是这样。下次您请求令牌时，您将获得附加信息。

Spring Security OAuth 2：如何在oauth / token请求后获取访问令牌和其他数据

1 个答案: