diff --git a/demo-authorizationserver/src/main/java/sample/config/AuthorizationServerConfig.java b/demo-authorizationserver/src/main/java/sample/config/AuthorizationServerConfig.java
index 5f792b8..df4ecd0 100644
--- a/demo-authorizationserver/src/main/java/sample/config/AuthorizationServerConfig.java
+++ b/demo-authorizationserver/src/main/java/sample/config/AuthorizationServerConfig.java
@@ -15,12 +15,21 @@
 */
 package sample.config;
+import java.util.Collections;
+import java.util.Set;
 import java.util.UUID;
+import java.util.stream.Collectors;
 import com.nimbusds.jose.jwk.JWKSet;
 import com.nimbusds.jose.jwk.RSAKey;
 import com.nimbusds.jose.jwk.source.JWKSource;
 import com.nimbusds.jose.proc.SecurityContext;
+import org.springframework.security.core.authority.AuthorityUtils;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.oauth2.core.oidc.endpoint.OidcParameterNames;
+import org.springframework.security.oauth2.server.authorization.*;
+import org.springframework.security.oauth2.server.authorization.token.JwtEncodingContext;
+import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenCustomizer;
 import sample.jose.Jwks;
 import org.springframework.context.annotation.Bean;
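Review bot: The wildcard `import org.springframework.security.oauth2.server.authorization.*;` replaces the four explicit imports from that package which the hunk at `@@ -38,10` deletes, and it is also the only line bringing `OAuth2TokenType` (used by the new customizer) into scope; a wildcard hides which of the package's types the file depends on and invites name clashes, so list them explicitly: `JdbcOAuth2AuthorizationConsentService`, `JdbcOAuth2AuthorizationService`, `OAuth2AuthorizationConsentService`, `OAuth2AuthorizationService` and `OAuth2TokenType`. `UserDetails` is imported here but not referenced in any hunk shown; if the rest of the file does not use it either, drop the import. `JwtEncodingContext` and `OAuth2TokenCustomizer` are merely moved (they are deleted again at `@@ -49,8`), which is churn unrelated to the functional change; this page's rendering appears to have stripped generic type arguments, so `JwtEncodingContext` is presumably still needed as the customizer's type parameter.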
@@ -38,10 +47,6 @@ import org.springframework.security.oauth2.core.AuthorizationGrantType;
 import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
 import org.springframework.security.oauth2.core.oidc.OidcScopes;
 import org.springframework.security.oauth2.jwt.JwtDecoder;
-import org.springframework.security.oauth2.server.authorization.JdbcOAuth2AuthorizationConsentService;
-import org.springframework.security.oauth2.server.authorization.JdbcOAuth2AuthorizationService;
-import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationConsentService;
-import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
 import org.springframework.security.oauth2.server.authorization.client.JdbcRegisteredClientRepository;
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
@@ -49,8 +54,6 @@ import org.springframework.security.oauth2.server.authorization.config.annotatio
 import org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.OAuth2AuthorizationServerConfigurer;
 import org.springframework.security.oauth2.server.authorization.settings.AuthorizationServerSettings;
 import org.springframework.security.oauth2.server.authorization.settings.ClientSettings;
-import org.springframework.security.oauth2.server.authorization.token.JwtEncodingContext;
-import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenCustomizer;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
 import org.springframework.security.web.util.matcher.MediaTypeRequestMatcher;
@@ -74,21 +77,12 @@ public class AuthorizationServerConfig {
 public SecurityFilterChain authorizationServerSecurityFilterChain( HttpSecurity http, RegisteredClientRepository registeredClientRepository, AuthorizationServerSettings authorizationServerSettings) throws Exception {
- OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http);
-
-
-
- // @formatter:off
 http.getConfigurer(OAuth2AuthorizationServerConfigurer.class) .authorizationEndpoint(authorizationEndpoint -> authorizationEndpoint.consentPage(CUSTOM_CONSENT_PAGE_URI)) .oidc(Customizer.withDefaults()); // Enable OpenID Connect 1.0
- // @formatter:on
-
- // @formatter:off
- http
- .exceptionHandling((exceptions) -> exceptions
+ http.exceptionHandling((exceptions) -> exceptions
 .defaultAuthenticationEntryPointFor( new LoginUrlAuthenticationEntryPoint("/login"), new MediaTypeRequestMatcher(MediaType.TEXT_HTML)
@@ -96,7 +90,6 @@ public class AuthorizationServerConfig {
 ) .oauth2ResourceServer(oauth2ResourceServer -> oauth2ResourceServer.jwt(Customizer.withDefaults()));
- // @formatter:on
 return http.build();
 }
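Review bot: Deleting `OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http);` as the first statement of `authorizationServerSecurityFilterChain` removes more than a default: that call is what applies the `OAuth2AuthorizationServerConfigurer` to `http`, together with the endpoint `securityMatcher`, the `anyRequest().authenticated()` rule and the CSRF exemption for the authorization-server endpoints. As the hunk now reads, `http.getConfigurer(OAuth2AuthorizationServerConfigurer.class)` on the next kept line has no configurer to return and the chain would fail at startup — unless the configurer is applied somewhere outside this hunk, which I cannot see; and if it is applied without the matcher, this chain would claim every request with the consent and OIDC settings below. Keep the line, `OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http);`, or apply the configurer explicitly with the same matcher and CSRF rules. The method's `@Bean`/ordering annotations precede the hunk and its body continues into the hunk at `@@ -96,7`.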
@@ -120,21 +113,9 @@ public class AuthorizationServerConfig {
 .scope("message.write")
 .clientSettings(ClientSettings.builder().requireAuthorizationConsent(false).build())//requireAuthorizationConsent(true) 授权页是有的 如果是false是没有的
 .build();
-
- RegisteredClient deviceClient = RegisteredClient.withId(UUID.randomUUID().toString())
- .clientId("device-messaging-client")
- .clientAuthenticationMethod(ClientAuthenticationMethod.NONE)
- .authorizationGrantType(AuthorizationGrantType.DEVICE_CODE)
- .authorizationGrantType(AuthorizationGrantType.REFRESH_TOKEN)
- .scope("message.read")
- .scope("message.write")
- .build();
-
 // Save registered client's in db as if in-memory
 JdbcRegisteredClientRepository registeredClientRepository = new JdbcRegisteredClientRepository(jdbcTemplate);
 registeredClientRepository.save(registeredClient);
- registeredClientRepository.save(deviceClient);
-
 return registeredClientRepository;
 }
 // @formatter:on
@@ -162,6 +143,27 @@ public class AuthorizationServerConfig {
 return (jwkSelector, securityContext) -> jwkSelector.select(jwkSet);
 }
+ @Bean
+ public OAuth2TokenCustomizer jwtTokenCustomizer() {
+ return (context) -> {
+ if (OAuth2TokenType.ACCESS_TOKEN.equals(context.getTokenType())) {
+ context.getClaims().claims((claims) -> {
+ Set roles = AuthorityUtils.authorityListToSet(context.getPrincipal().getAuthorities())
+ .stream()
+ .map(c -> c.replaceFirst("^ROLE_", ""))
+ .collect(Collectors.collectingAndThen(Collectors.toSet(), Collections::unmodifiableSet));
+ claims.put("roles", roles);
+ });
+ }
+ if (OidcParameterNames.ID_TOKEN.equals(context.getTokenType().getValue())) {
+ context.getClaims().claims((claims) -> {
+ claims.put("claim-1", "value-1");
+ claims.put("claim-2", "value-2");
+ });
+ }
+ };
+ }
+
 @Bean
 public JwtDecoder jwtDecoder(JWKSource jwkSource) {
 return OAuth2AuthorizationServerConfiguration.jwtDecoder(jwkSource);
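Review bot: `jwtTokenCustomizer` carries no Javadoc, yet it changes what every access token and ID token contains: a `roles` claim built from the principal's authorities with the prefix removed by `replaceFirst("^ROLE_", "")`, and two hard-coded `claim-1`/`claim-2` entries on ID tokens. A Javadoc on the bean should state which claim goes on which token type, that a resource server mapping `roles` back to authorities must re-add the `ROLE_` prefix, and that `claim-1`/`claim-2` are sample placeholders to replace or remove before the server issues real tokens. In the access-token branch a `// roles may be empty when the principal is the authenticated client rather than a user — confirm` comment would flag that the claim is then emitted as an empty set (inferred from how client-authenticated grants are handled, not from the hunk). On style, `.collect(Collectors.collectingAndThen(Collectors.toSet(), Collections::unmodifiableSet))` can be `.collect(Collectors.toUnmodifiableSet())`, which also makes the new `java.util.Collections` import unnecessary; the generics on `Set` and `OAuth2TokenCustomizer` look stripped by the page rendering, so I am not counting raw types against the change.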