|
|
@@ -62,7 +62,6 @@ import org.springframework.security.core.context.SecurityContext;
|
|
|
import org.springframework.security.core.context.SecurityContextHolder;
|
|
|
import org.springframework.security.core.userdetails.UserDetailsService;
|
|
|
import org.springframework.security.config.annotation.web.configurers.oauth2.client.OAuth2LoginConfigurer;
|
|
|
-import org.springframework.security.oauth2.client.endpoint.OAuth2AccessTokenResponseClient;
|
|
|
import org.springframework.security.web.DefaultSecurityFilterChain;
|
|
|
import org.springframework.security.web.PortMapper;
|
|
|
import org.springframework.security.web.PortMapperImpl;
|
|
|
@@ -899,149 +898,92 @@ public final class HttpSecurity extends
|
|
|
}
|
|
|
|
|
|
/**
|
|
|
- * Configures authentication against an external <i>OAuth 2.0</i> or <i>OpenID Connect 1.0</i> Provider.
|
|
|
+ * Configures authentication support using an OAuth 2.0 and/or OpenID Connect 1.0 Provider.
|
|
|
* <br>
|
|
|
* <br>
|
|
|
*
|
|
|
- * The <i>"authentication flow"</i> is realized using the <b>Authorization Code Grant</b>,
|
|
|
- * as specified in the <a target="_blank" href="https://tools.ietf.org/html/rfc6749#section-4.1">OAuth 2.0 Authorization Framework</a>.
|
|
|
+ * The "authentication flow" is implemented using the <b>Authorization Code Grant</b>, as specified in the
|
|
|
+ * <a target="_blank" href="https://tools.ietf.org/html/rfc6749#section-4.1">OAuth 2.0 Authorization Framework</a>
|
|
|
+ * and <a target="_blank" href="http://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth">OpenID Connect Core 1.0</a>
|
|
|
+ * specification.
|
|
|
* <br>
|
|
|
* <br>
|
|
|
*
|
|
|
- * As a prerequisite to using this feature, the developer must register a <i>Client</i> with an <i>Authorization Server</i>.
|
|
|
- * The output of the <i>Client Registration</i> process results in a number of properties that are then used for configuring
|
|
|
- * an instance of a {@link org.springframework.security.oauth2.client.registration.ClientRegistration}.
|
|
|
- * Properties specific to a <i>Client</i> include: <i>client_id</i>, <i>client_secret</i>, <i>scope</i>, <i>redirect_uri</i>, etc.
|
|
|
- * There are also properties specific to the <i>Provider</i>, for example,
|
|
|
- * <i>Authorization Endpoint URI</i>, <i>Token Endpoint URI</i>, <i>UserInfo Endpoint URI</i>, etc.
|
|
|
- * <br>
|
|
|
- * <br>
|
|
|
- *
|
|
|
- * Multiple client support is provided for use cases where the application provides the user the option
|
|
|
- * for <i>"Logging in"</i> against one or more Providers, for example, <i>Google</i>, <i>GitHub</i>, <i>Facebook</i>, etc.
|
|
|
+ * As a prerequisite to using this feature, you must register a client with a provider.
|
|
|
+ * The client registration information may than be used for configuring
|
|
|
+ * a {@link org.springframework.security.oauth2.client.registration.ClientRegistration} using a
|
|
|
+ * {@link org.springframework.security.oauth2.client.registration.ClientRegistration.Builder}.
|
|
|
* <br>
|
|
|
* <br>
|
|
|
*
|
|
|
* {@link org.springframework.security.oauth2.client.registration.ClientRegistration}(s) are composed within a
|
|
|
- * {@link org.springframework.security.oauth2.client.registration.ClientRegistrationRepository}.
|
|
|
- * An instance of {@link org.springframework.security.oauth2.client.registration.ClientRegistrationRepository} is <b>required</b>
|
|
|
- * and may be supplied via the {@link ApplicationContext} or configured using
|
|
|
- * {@link OAuth2LoginConfigurer#clientRegistrationRepository(org.springframework.security.oauth2.client.registration.ClientRegistrationRepository)}.
|
|
|
+ * {@link org.springframework.security.oauth2.client.registration.ClientRegistrationRepository},
|
|
|
+ * which is <b>required</b> and must be registered with the {@link ApplicationContext} or
|
|
|
+ * configured via <code>oauth2Login().clientRegistrationRepository(..)</code>.
|
|
|
* <br>
|
|
|
* <br>
|
|
|
*
|
|
|
* The default configuration provides an auto-generated login page at <code>"/login"</code> and
|
|
|
* redirects to <code>"/login?error"</code> when an authentication error occurs.
|
|
|
- * The login page will display each of the clients (composed within the
|
|
|
- * {@link org.springframework.security.oauth2.client.registration.ClientRegistrationRepository})
|
|
|
- * with an anchor link to <code>"/oauth2/authorization/code/{clientAlias}"</code>.
|
|
|
- * Clicking through the link will initiate the <i>"Authorization Request"</i> flow
|
|
|
- * redirecting the end-user's user-agent to the <i>Authorization Endpoint</i> of the <i>Provider</i>.
|
|
|
- * Assuming the <i>Resource Owner</i> (end-user) grants the <i>Client</i> access, the <i>Authorization Server</i>
|
|
|
- * will redirect the end-user's user-agent to the <i>Redirection Endpoint</i> containing the <i>Authorization Code</i>
|
|
|
- * - the <i>Redirection Endpoint</i> is automatically configured for the application and
|
|
|
- * defaults to <code>"/oauth2/authorize/code/{clientAlias}"</code>.
|
|
|
+ * The login page will display each of the clients with a link
|
|
|
+ * that is capable of initiating the "authentication flow".
|
|
|
+ * <br>
|
|
|
+ * <br>
|
|
|
*
|
|
|
* <p>
|
|
|
- * At this point in the <i>"authentication flow"</i>, the configured
|
|
|
- * {@link OAuth2AccessTokenResponseClient}
|
|
|
- * will getTokenResponse the <i>Authorization Code</i> for an <i>Access Token</i> and then use it to access the protected resource
|
|
|
- * at the <i>UserInfo Endpoint</i> in order to retrieve the details of the <i>Resource Owner</i> (end-user) and establish the
|
|
|
- * <i>"authenticated"</i> session.
|
|
|
- *
|
|
|
- * <h2>Example Configurations</h2>
|
|
|
+ * <h2>Example Configuration</h2>
|
|
|
*
|
|
|
- * The minimal configuration defaults to automatically generating a login page at <code>"/login"</code>
|
|
|
- * and redirecting to <code>"/login?error"</code> when an authentication error occurs or redirecting to
|
|
|
- * <code>"/"</code> when an authenticated session is established.
|
|
|
+ * The following example shows the minimal configuration required, using Google as the Authentication Provider.
|
|
|
*
|
|
|
* <pre>
|
|
|
- * @EnableWebSecurity
|
|
|
- * public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
|
|
|
- *
|
|
|
- * @Override
|
|
|
- * protected void configure(HttpSecurity http) throws Exception {
|
|
|
- * http
|
|
|
- * .authorizeRequests()
|
|
|
- * .anyRequest().authenticated()
|
|
|
- * .and()
|
|
|
- * .oauth2Login();
|
|
|
- * }
|
|
|
- *
|
|
|
- * @Bean
|
|
|
- * public ClientRegistrationRepository clientRegistrationRepository() {
|
|
|
- * // ClientRegistrationRepositoryImpl must be composed of at least one ClientRegistration instance
|
|
|
- * return new ClientRegistrationRepositoryImpl();
|
|
|
+ * @Configuration
|
|
|
+ * public class OAuth2LoginConfig {
|
|
|
+ *
|
|
|
+ * @EnableWebSecurity
|
|
|
+ * public static class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
|
|
|
+ * @Override
|
|
|
+ * protected void configure(HttpSecurity http) throws Exception {
|
|
|
+ * http
|
|
|
+ * .authorizeRequests()
|
|
|
+ * .anyRequest().authenticated()
|
|
|
+ * .and()
|
|
|
+ * .oauth2Login();
|
|
|
+ * }
|
|
|
* }
|
|
|
- * }
|
|
|
- * </pre>
|
|
|
- *
|
|
|
- * The following shows the configuration options available for customizing the defaults.
|
|
|
- *
|
|
|
- * <pre>
|
|
|
- * @EnableWebSecurity
|
|
|
- * public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
|
|
|
- *
|
|
|
- * @Override
|
|
|
- * protected void configure(HttpSecurity http) throws Exception {
|
|
|
- * http
|
|
|
- * .authorizeRequests()
|
|
|
- * .anyRequest().authenticated()
|
|
|
- * .and()
|
|
|
- * .oauth2Login()
|
|
|
- * .clientRegistrationRepository(this.clientRegistrationRepository())
|
|
|
- * .authorizationRequestUriBuilder(this.authorizationRequestUriBuilder())
|
|
|
- * .accessTokenResponseClient(this.accessTokenResponseClient())
|
|
|
- * .userInfoEndpoint()
|
|
|
- * .userInfoService(this.userInfoService())
|
|
|
- * .userInfoEndpoint()
|
|
|
- * // Provide a mapping between a Converter implementation and a UserInfo Endpoint URI
|
|
|
- * .userInfoTypeConverter(this.userInfoConverter(),
|
|
|
- * new URI("https://www.googleapis.com/oauth2/v3/userinfo"));
|
|
|
- * }
|
|
|
*
|
|
|
* @Bean
|
|
|
* public ClientRegistrationRepository clientRegistrationRepository() {
|
|
|
- * // ClientRegistrationRepositoryImpl must be composed of at least one ClientRegistration instance
|
|
|
- * return new ClientRegistrationRepositoryImpl();
|
|
|
+ * return new InMemoryClientRegistrationRepository(this.googleClientRegistration());
|
|
|
* }
|
|
|
*
|
|
|
- * @Bean
|
|
|
- * public AuthorizationRequestUriBuilder authorizationRequestUriBuilder() {
|
|
|
- * // Custom URI builder for the "Authorization Request"
|
|
|
- * return new AuthorizationRequestUriBuilderImpl();
|
|
|
- * }
|
|
|
- *
|
|
|
- * @Bean
|
|
|
- * public OAuth2AccessTokenResponseClient<OAuth2LoginAuthenticationToken> accessTokenResponseClient() {
|
|
|
- * // Custom implementation that exchanges an "Authorization Code Grant" for an "Access Token"
|
|
|
- * return new AuthorizationCodeTokenExchangerImpl();
|
|
|
- * }
|
|
|
- *
|
|
|
- * @Bean
|
|
|
- * public OAuth2UserService userInfoService() {
|
|
|
- * // Custom implementation that retrieves the details of the authenticated user at the "UserInfo Endpoint"
|
|
|
- * return new OAuth2UserServiceImpl();
|
|
|
- * }
|
|
|
- *
|
|
|
- * @Bean
|
|
|
- * public Converter<ClientHttpResponse, UserInfo> userInfoConverter() {
|
|
|
- * // Default converter implementation for UserInfo
|
|
|
- * return new org.springframework.security.oauth2.client.user.converter.UserInfoConverter();
|
|
|
- * }
|
|
|
+ * private ClientRegistration googleClientRegistration() {
|
|
|
+ * return ClientRegistration.withRegistrationId("google")
|
|
|
+ * .clientId("google-client-id")
|
|
|
+ * .clientSecret("google-client-secret")
|
|
|
+ * .clientAuthenticationMethod(ClientAuthenticationMethod.BASIC)
|
|
|
+ * .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
|
|
|
+ * .redirectUriTemplate("{baseUrl}/login/oauth2/code/{registrationId}")
|
|
|
+ * .scope("openid", "profile", "email", "address", "phone")
|
|
|
+ * .authorizationUri("https://accounts.google.com/o/oauth2/v2/auth")
|
|
|
+ * .tokenUri("https://www.googleapis.com/oauth2/v4/token")
|
|
|
+ * .userInfoUri("https://www.googleapis.com/oauth2/v3/userinfo")
|
|
|
+ * .userNameAttributeName(IdTokenClaimNames.SUB)
|
|
|
+ * .jwkSetUri("https://www.googleapis.com/oauth2/v3/certs")
|
|
|
+ * .clientName("Google")
|
|
|
+ * .build();
|
|
|
+ * }
|
|
|
* }
|
|
|
* </pre>
|
|
|
*
|
|
|
+ * <p>
|
|
|
+ * For more advanced configuration, see {@link OAuth2LoginConfigurer} for available options to customize the defaults.
|
|
|
+ *
|
|
|
* @author Joe Grandja
|
|
|
* @since 5.0
|
|
|
- * @see <a target="_blank" href="https://tools.ietf.org/html/rfc6749#section-4.1">Section 4.1 Authorization Code Grant Flow</a>
|
|
|
- * @see <a target="_blank" href="https://tools.ietf.org/html/rfc6749#section-4.1.1">Section 4.1.1 Authorization Request</a>
|
|
|
- * @see <a target="_blank" href="https://tools.ietf.org/html/rfc6749#section-4.1.2">Section 4.1.2 Authorization Response</a>
|
|
|
+ * @see <a target="_blank" href="https://tools.ietf.org/html/rfc6749#section-4.1">Section 4.1 Authorization Code Grant</a>
|
|
|
+ * @see <a target="_blank" href="http://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth">Section 3.1 Authorization Code Flow</a>
|
|
|
* @see org.springframework.security.oauth2.client.registration.ClientRegistration
|
|
|
* @see org.springframework.security.oauth2.client.registration.ClientRegistrationRepository
|
|
|
- * @see OAuth2AccessTokenResponseClient
|
|
|
- * @see org.springframework.security.oauth2.client.user.OAuth2UserService
|
|
|
- *
|
|
|
* @return the {@link OAuth2LoginConfigurer} for further customizations
|
|
|
* @throws Exception
|
|
|
*/
|
Joe Grandja