JWT_BEARER flow/ jwk
parent
8e51d97872
commit
8b109ed37e
@ -41,9 +41,9 @@ public class ClientSettingsDto implements Serializable {
|
|||
|
||||
/**
|
||||
* 若client有自定义的 jwk URL,
|
||||
* 则填写, null表示用默认的
|
||||
* <p>
|
||||
* todo: v3.0.0不提供自定义设置
|
||||
* 则填写, jwt-bearer流程中会使用到(OAuth2.1新增)
|
||||
*
|
||||
* @since 3.0.0
|
||||
*/
|
||||
private String jwkSetUrl;
|
||||
|
||||
|
|
|
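Review bot: The new Javadoc on `jwkSetUrl` says what the field is for but not what a valid value is, and the help text added elsewhere in this commit says the server fetches the client's public key from this URL, so this DTO carries an admin-entered URL the server will later connect to. The Javadoc should state the constraint the value is expected to meet, e.g. `* 必须是绝对的 https URL; 保存client时需校验(服务端会访问该地址获取jwk)` ("must be an absolute https URL; validated when the client is saved, since the server fetches jwk from it"), so whoever wires up the fetch knows validation is expected at creation/update time rather than at fetch time. The enclosing `ClientSettingsDto` class continues outside the hunk, so where that validation currently lives (if anywhere) is not visible here.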
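--- /dev/null
+++ b/PATH_NOT_ON_PAGE/com/monkeyk/sos/web/controller/JwtBearerJwksController.java
@@ -0,0 +1,25 @@
+package com.monkeyk.sos.web.controller;
+
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+/**
+ * 2023/10/24 16:24
+ * <p>
+ * grant_type=jwt-bearer 中的 jwkSetUrl 实现参考
+ * <p>
+ * todo: 此实现仅供参考;实际生产时应该由client端应用提供
+ *
+ * @author Shengzhao Li
+ * @since 3.0.0
+ */
+@RestController
+public class JwtBearerJwksController {
+
+
+    @GetMapping("/oauth2/jwt_bearer/jwks")
+    public void jwks() {
+
+    }
+
+}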
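Review bot: `jwks()` is mapped to `/oauth2/jwt_bearer/jwks` but returns `void` with an empty body, so the endpoint is registered and answers with an empty response instead of a JWK Set; the template help text in this same commit tells readers to use this class as the reference for what a client's `jwk_set_url` must return, and at present it demonstrates nothing. Either have it return a JWK Set document (a JSON object with a `keys` array, in the same format the existing `/oauth2/jwks` endpoint serves) or drop the `@GetMapping` until it is implemented, so an unfinished handler is not exposed under the `/oauth2/` path. At minimum the class Javadoc should say so explicitly: `* todo: 当前为空实现(返回空响应); 正式实现需返回client公钥的 JWK Set ({"keys": [...]})`.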
@ -83,7 +83,11 @@
|
|||
</label>
|
||||
<br/>
|
||||
<em class="label label-success">OAuth2.1新增</em>
|
||||
<p class="help-block">选择在认证时支持传递<em>client_secret</em>参数的方式;在正式环境中,此值一般不需要选择而是由后台创建时根据业务设置即可</p>
|
||||
<p class="help-block">
|
||||
选择在认证时支持传递<em>client_secret</em>参数的方式;在正式环境中,此值一般不需要选择而是由后台创建时根据业务设置即可;
|
||||
<br/>
|
||||
<code>client_secret_jwt</code>与<code>private_key_jwt</code>只在grant_type=jwt-bearer中会使用到
|
||||
</p>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
|
@ -145,7 +149,10 @@
|
|||
th:field="*{authorizationGrantTypes}"/> refresh_token
|
||||
</label>
|
||||
|
||||
<p class="help-block">至少勾选一项grant_type(s), 且不能只单独勾选<code>refresh_token</code></p>
|
||||
<p class="help-block">
|
||||
至少勾选一项grant_type(s), 且不能只单独勾选<code>refresh_token</code>; 当勾选<code>jwt-bearer</code>时需要将'authentication_methods'中的
|
||||
<em>client_secret_jwt</em>与<em>private_key_jwt</em>至少勾选一个
|
||||
</p>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
|
@ -215,7 +222,7 @@
|
|||
</div>
|
||||
</div>
|
||||
<div class="form-group">
|
||||
<label for="easa" class="col-sm-2 control-label">获取token认证签名算法</label>
|
||||
<label for="easa" class="col-sm-2 control-label">认证jwt签名算法</label>
|
||||
|
||||
<div class="col-sm-10">
|
||||
<select id="easa" th:name="clientSettings.tokenEndpointAuthenticationSigningAlgorithm"
|
||||
|
@ -227,9 +234,22 @@
|
|||
</select>
|
||||
|
||||
<p class="help-block">选择在调用<em>/oauth2/token</em>
|
||||
API时使用的签名算法(当grant_type为jwt-bearer时会用到);注意:支持的算法要有对应用<em>jwk</em> (jwks.json
|
||||
文件),判断支持哪些key可访问
|
||||
<a th:href="@{/.well-known/openid-configuration}" target="_blank">/.well-known/openid-configuration</a>进行查看
|
||||
API时使用的签名算法(当grant_type为jwt-bearer时会用到);<code>HS256</code>是对称算法(secret是client_secret加密后的值),
|
||||
<code>RS256</code>与<code>ES256</code>是非对称算法(public-key由提供的<em>jwk_set_url</em>获取)
|
||||
</p>
|
||||
</div>
|
||||
</div>
|
||||
<div class="form-group">
|
||||
<label for="jwkSetUrl" class="col-sm-2 control-label">jwk_set_url</label>
|
||||
|
||||
<div class="col-sm-10">
|
||||
<input type="text" class="form-control" th:name="clientSettings.jwkSetUrl"
|
||||
id="jwkSetUrl" placeholder="https://..." th:field="*{clientSettings.jwkSetUrl}"/>
|
||||
|
||||
<p class="help-block">
|
||||
设置client提供的获取jwk的URL地址(当grant_type为jwt-bearer且'认证jwt签名算法'选择<code>RS256</code>或<code>ES256</code>时会用到);
|
||||
此URL返回的jwk格式要与<em>spring-oauth-server</em>提供的<a th:href="@{/oauth2/jwks}" target="_blank">jwks</a>一致
|
||||
(参考实现类<code>JwtBearerJwksController.java</code>)
|
||||
</p>
|
||||
</div>
|
||||
</div>
|
||||
|
|
|
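Review bot: The new `jwk_set_url` input on the `<input type="text" class="form-control" th:name="clientSettings.jwkSetUrl"` line accepts any string, while the help block right below it says the server obtains the client's public key from this URL, so the value is a server-side fetch target entered by an operator. Changing it to `<input type="url" class="form-control" th:name="clientSettings.jwkSetUrl"` gives browsers a basic format check that matches the `https://...` placeholder, but that is only a usability hint; the real control is server-side validation on save (absolute `https` URL, and a host restriction or allow-list appropriate to the deployment), which is not part of this commit as far as the visible hunks show. The help text could also state that requirement next to the format note, e.g. `此URL必须为https, 且保存时会被校验`.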
@ -7,8 +7,6 @@ import org.junit.jupiter.api.Test;
|
|||
|
||||
import java.time.Instant;
|
||||
import java.util.Date;
|
||||
import java.util.HashMap;
|
||||
import java.util.Map;
|
||||
|
||||
import static org.junit.jupiter.api.Assertions.assertNotNull;
|
||||
|
||||
|
@ -72,6 +70,7 @@ public class JwtBearerFlowTest {
|
|||
|
||||
|
||||
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
|
|