首页 发现 帮助
注册 登录
github
/
spring-security
镜像自地址 https://github.com/spring-projects/spring-security
2
0
派生 0
文件 工单管理 0 Wiki
目录树: b95e63ecc6
分支列表 标签列表
spring-security
/
docs
/
modules
/
ROOT
/
pages
/
servlet
/
oauth2
/
client
/
client-authentication.adoc

client-authentication.adoc 11 KB
文件历史 原始文件

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319 
  1. [[oauth2-client-authentication]]
    2. 

  2. = [[oauth2Client-client-auth-support]]Client Authentication Support
    3. 

  3. 

  4. [[oauth2-client-authentication-client-credentials]]
    5. 

  5. == [[oauth2Client-client-credentials-auth]]Client Credentials
    6. 

  6. 

  7. [[oauth2-client-authentication-client-credentials-client-secret-basic]]
    8. 

  8. === Authenticate using `client_secret_basic`
    9. 

  9. 

  10. Client Authentication with HTTP Basic is supported out of the box and no customization is necessary to enable it.
    11. 

  11. The default implementation is provided by `DefaultOAuth2TokenRequestHeadersConverter`.
    12. 

  12. 

  13. Given the following Spring Boot properties for an OAuth 2.0 client registration:
    14. 

  14. 

  15. [source,yaml]
    16. 

  16. ----
    17. 

  17. spring:
    18. 

  18.   security:
    19. 

  19.     oauth2:
    20. 

  20.       client:
    21. 

  21.         registration:
    22. 

  22.           okta:
    23. 

  23.             client-id: client-id
    24. 

  24.             client-secret: client-secret
    25. 

  25.             client-authentication-method: client_secret_basic
    26. 

  26.             authorization-grant-type: authorization_code
    27. 

  27.             ...
    28. 

  28. ----
    29. 

  29. 

  30. The following example shows how to configure `DefaultAuthorizationCodeTokenResponseClient` to disable URL encoding of the client credentials:
    31. 

  31. 

  32. [tabs]
    33. 

  33. ======
    34. 

  34. Java::
    35. 

  35. +
    36. 

  36. [source,java,role="primary"]
    37. 

  37. ----
    38. 

  38. DefaultOAuth2TokenRequestHeadersConverter<OAuth2AuthorizationCodeGrantRequest> headersConverter =
    39. 

  39. 		new DefaultOAuth2TokenRequestHeadersConverter<>();
    40. 

  40. headersConverter.setEncodeClientCredentials(false);
    41. 

  41. 

  42. OAuth2AuthorizationCodeGrantRequestEntityConverter requestEntityConverter =
    43. 

  43. 		new OAuth2AuthorizationCodeGrantRequestEntityConverter();
    44. 

  44. requestEntityConverter.setHeadersConverter(headersConverter);
    45. 

  45. 

  46. DefaultAuthorizationCodeTokenResponseClient tokenResponseClient =
    47. 

  47. 		new DefaultAuthorizationCodeTokenResponseClient();
    48. 

  48. tokenResponseClient.setRequestEntityConverter(requestEntityConverter);
    49. 

  49. ----
    50. 

  50. 

  51. Kotlin::
    52. 

  52. +
    53. 

  53. [source,kotlin,role="secondary"]
    54. 

  54. ----
    55. 

  55. val headersConverter = DefaultOAuth2TokenRequestHeadersConverter<OAuth2AuthorizationCodeGrantRequest>()
    56. 

  56. headersConverter.setEncodeClientCredentials(false)
    57. 

  57. 

  58. val requestEntityConverter = OAuth2AuthorizationCodeGrantRequestEntityConverter()
    59. 

  59. requestEntityConverter.setHeadersConverter(headersConverter)
    60. 

  60. 

  61. val tokenResponseClient = DefaultAuthorizationCodeTokenResponseClient()
    62. 

  62. tokenResponseClient.setRequestEntityConverter(requestEntityConverter)
    63. 

  63. ----
    64. 

  64. ======
    65. 

  65. 

  66. [[oauth2-client-authentication-client-credentials-client-secret-post]]
    67. 

  67. === Authenticate using `client_secret_post`
    68. 

  68. 

  69. Client Authentication with client credentials included in the request-body is supported out of the box and no customization is necessary to enable it.
    70. 

  70. 

  71. The following Spring Boot properties for an OAuth 2.0 client registration demonstrate the configuration:
    72. 

  72. 

  73. [source,yaml]
    74. 

  74. ----
    75. 

  75. spring:
    76. 

  76.   security:
    77. 

  77.     oauth2:
    78. 

  78.       client:
    79. 

  79.         registration:
    80. 

  80.           okta:
    81. 

  81.             client-id: client-id
    82. 

  82.             client-secret: client-secret
    83. 

  83.             client-authentication-method: client_secret_post
    84. 

  84.             authorization-grant-type: authorization_code
    85. 

  85.             ...
    86. 

  86. ----
    87. 

  87. 

  88. [[oauth2-client-authentication-jwt-bearer]]
    89. 

  89. == [[oauth2Client-jwt-bearer-auth]]JWT Bearer
    90. 

  90. 

  91. [NOTE]
    92. 

  92. ====
    93. 

  93. Please refer to JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants for further details on https://datatracker.ietf.org/doc/html/rfc7523#section-2.2[JWT Bearer] Client Authentication.
    94. 

  94. ====
    95. 

  95. 

  96. The default implementation for JWT Bearer Client Authentication is `NimbusJwtClientAuthenticationParametersConverter`,
    97. 

  97. which is a `Converter` that customizes the Token Request parameters by adding
    98. 

  98. a signed JSON Web Token (JWS) in the `client_assertion` parameter.
    99. 

  99. 

  100. The `java.security.PrivateKey` or `javax.crypto.SecretKey` used for signing the JWS
    101. 

  101. is supplied by the `com.nimbusds.jose.jwk.JWK` resolver associated with `NimbusJwtClientAuthenticationParametersConverter`.
    102. 

  102. 

  103. [[oauth2-client-authentication-jwt-bearer-private-key-jwt]]
    104. 

  104. === Authenticate using `private_key_jwt`
    105. 

  105. 

  106. Given the following Spring Boot properties for an OAuth 2.0 Client registration:
    107. 

  107. 

  108. [source,yaml]
    109. 

  109. ----
    110. 

  110. spring:
    111. 

  111.   security:
    112. 

  112.     oauth2:
    113. 

  113.       client:
    114. 

  114.         registration:
    115. 

  115.           okta:
    116. 

  116.             client-id: okta-client-id
    117. 

  117.             client-authentication-method: private_key_jwt
    118. 

  118.             authorization-grant-type: authorization_code
    119. 

  119.             ...
    120. 

  120. ----
    121. 

  121. 

  122. The following example shows how to configure `DefaultAuthorizationCodeTokenResponseClient`:
    123. 

  123. 

  124. [tabs]
    125. 

  125. ======
    126. 

  126. Java::
    127. 

  127. +
    128. 

  128. [source,java,role="primary"]
    129. 

  129. ----
    130. 

  130. Function<ClientRegistration, JWK> jwkResolver = (clientRegistration) -> {
    131. 

  131. 	if (clientRegistration.getClientAuthenticationMethod().equals(ClientAuthenticationMethod.PRIVATE_KEY_JWT)) {
    132. 

  132. 		// Assuming RSA key type
    133. 

  133. 		RSAPublicKey publicKey = ...
    134. 

  134. 		RSAPrivateKey privateKey = ...
    135. 

  135. 		return new RSAKey.Builder(publicKey)
    136. 

  136. 				.privateKey(privateKey)
    137. 

  137. 				.keyID(UUID.randomUUID().toString())
    138. 

  138. 				.build();
    139. 

  139. 	}
    140. 

  140. 	return null;
    141. 

  141. };
    142. 

  142. 

  143. OAuth2AuthorizationCodeGrantRequestEntityConverter requestEntityConverter =
    144. 

  144. 		new OAuth2AuthorizationCodeGrantRequestEntityConverter();
    145. 

  145. requestEntityConverter.addParametersConverter(
    146. 

  146. 		new NimbusJwtClientAuthenticationParametersConverter<>(jwkResolver));
    147. 

  147. 

  148. DefaultAuthorizationCodeTokenResponseClient tokenResponseClient =
    149. 

  149. 		new DefaultAuthorizationCodeTokenResponseClient();
    150. 

  150. tokenResponseClient.setRequestEntityConverter(requestEntityConverter);
    151. 

  151. ----
    152. 

  152. 

  153. Kotlin::
    154. 

  154. +
    155. 

  155. [source,kotlin,role="secondary"]
    156. 

  156. ----
    157. 

  157. val jwkResolver: Function<ClientRegistration, JWK> =
    158. 

  158.     Function<ClientRegistration, JWK> { clientRegistration ->
    159. 

  159.         if (clientRegistration.clientAuthenticationMethod.equals(ClientAuthenticationMethod.PRIVATE_KEY_JWT)) {
    160. 

  160.             // Assuming RSA key type
    161. 

  161.             var publicKey: RSAPublicKey
    162. 

  162.             var privateKey: RSAPrivateKey
    163. 

  163.             RSAKey.Builder(publicKey) = //...
    164. 

  164.                 .privateKey(privateKey) = //...
    165. 

  165.                 .keyID(UUID.randomUUID().toString())
    166. 

  166.                 .build()
    167. 

  167.         }
    168. 

  168.         null
    169. 

  169.     }
    170. 

  170. 

  171. val requestEntityConverter = OAuth2AuthorizationCodeGrantRequestEntityConverter()
    172. 

  172. requestEntityConverter.addParametersConverter(
    173. 

  173.     NimbusJwtClientAuthenticationParametersConverter(jwkResolver)
    174. 

  174. )
    175. 

  175. 

  176. val tokenResponseClient = DefaultAuthorizationCodeTokenResponseClient()
    177. 

  177. tokenResponseClient.setRequestEntityConverter(requestEntityConverter)
    178. 

  178. ----
    179. 

  179. ======
    180. 

  180. 

  181. [[oauth2-client-authentication-jwt-bearer-client-secret-jwt]]
    182. 

  182. === Authenticate using `client_secret_jwt`
    183. 

  183. 

  184. Given the following Spring Boot properties for an OAuth 2.0 Client registration:
    185. 

  185. 

  186. [source,yaml]
    187. 

  187. ----
    188. 

  188. spring:
    189. 

  189.   security:
    190. 

  190.     oauth2:
    191. 

  191.       client:
    192. 

  192.         registration:
    193. 

  193.           okta:
    194. 

  194.             client-id: okta-client-id
    195. 

  195.             client-secret: okta-client-secret
    196. 

  196.             client-authentication-method: client_secret_jwt
    197. 

  197.             authorization-grant-type: client_credentials
    198. 

  198.             ...
    199. 

  199. ----
    200. 

  200. 

  201. The following example shows how to configure `DefaultClientCredentialsTokenResponseClient`:
    202. 

  202. 

  203. [tabs]
    204. 

  204. ======
    205. 

  205. Java::
    206. 

  206. +
    207. 

  207. [source,java,role="primary"]
    208. 

  208. ----
    209. 

  209. Function<ClientRegistration, JWK> jwkResolver = (clientRegistration) -> {
    210. 

  210. 	if (clientRegistration.getClientAuthenticationMethod().equals(ClientAuthenticationMethod.CLIENT_SECRET_JWT)) {
    211. 

  211. 		SecretKeySpec secretKey = new SecretKeySpec(
    212. 

  212. 				clientRegistration.getClientSecret().getBytes(StandardCharsets.UTF_8),
    213. 

  213. 				"HmacSHA256");
    214. 

  214. 		return new OctetSequenceKey.Builder(secretKey)
    215. 

  215. 				.keyID(UUID.randomUUID().toString())
    216. 

  216. 				.build();
    217. 

  217. 	}
    218. 

  218. 	return null;
    219. 

  219. };
    220. 

  220. 

  221. OAuth2ClientCredentialsGrantRequestEntityConverter requestEntityConverter =
    222. 

  222. 		new OAuth2ClientCredentialsGrantRequestEntityConverter();
    223. 

  223. requestEntityConverter.addParametersConverter(
    224. 

  224. 		new NimbusJwtClientAuthenticationParametersConverter<>(jwkResolver));
    225. 

  225. 

  226. DefaultClientCredentialsTokenResponseClient tokenResponseClient =
    227. 

  227. 		new DefaultClientCredentialsTokenResponseClient();
    228. 

  228. tokenResponseClient.setRequestEntityConverter(requestEntityConverter);
    229. 

  229. ----
    230. 

  230. 

  231. Kotlin::
    232. 

  232. +
    233. 

  233. [source,kotlin,role="secondary"]
    234. 

  234. ----
    235. 

  235. val jwkResolver = Function<ClientRegistration, JWK?> { clientRegistration: ClientRegistration ->
    236. 

  236.     if (clientRegistration.clientAuthenticationMethod == ClientAuthenticationMethod.CLIENT_SECRET_JWT) {
    237. 

  237.         val secretKey = SecretKeySpec(
    238. 

  238.             clientRegistration.clientSecret.toByteArray(StandardCharsets.UTF_8),
    239. 

  239.             "HmacSHA256"
    240. 

  240.         )
    241. 

  241.         OctetSequenceKey.Builder(secretKey)
    242. 

  242.             .keyID(UUID.randomUUID().toString())
    243. 

  243.             .build()
    244. 

  244.     }
    245. 

  245.     null
    246. 

  246. }
    247. 

  247. 

  248. val requestEntityConverter = OAuth2ClientCredentialsGrantRequestEntityConverter()
    249. 

  249. requestEntityConverter.addParametersConverter(
    250. 

  250.     NimbusJwtClientAuthenticationParametersConverter(jwkResolver)
    251. 

  251. )
    252. 

  252. 

  253. val tokenResponseClient = DefaultClientCredentialsTokenResponseClient()
    254. 

  254. tokenResponseClient.setRequestEntityConverter(requestEntityConverter)
    255. 

  255. ----
    256. 

  256. ======
    257. 

  257. 

  258. [[oauth2-client-authentication-jwt-bearer-assertion]]
    259. 

  259. === Customizing the JWT assertion
    260. 

  260. 

  261. The JWT produced by `NimbusJwtClientAuthenticationParametersConverter` contains the `iss`, `sub`, `aud`, `jti`, `iat` and `exp` claims by default. You can customize the headers and/or claims by providing a `Consumer<NimbusJwtClientAuthenticationParametersConverter.JwtClientAuthenticationContext<T>>` to `setJwtClientAssertionCustomizer()`. The following example shows how to customize claims of the JWT:
    262. 

  262. 

  263. [tabs]
    264. 

  264. ======
    265. 

  265. Java::
    266. 

  266. +
    267. 

  267. [source,java,role="primary"]
    268. 

  268. ----
    269. 

  269. Function<ClientRegistration, JWK> jwkResolver = ...
    270. 

  270. 

  271. NimbusJwtClientAuthenticationParametersConverter<OAuth2ClientCredentialsGrantRequest> converter =
    272. 

  272. 		new NimbusJwtClientAuthenticationParametersConverter<>(jwkResolver);
    273. 

  273. converter.setJwtClientAssertionCustomizer((context) -> {
    274. 

  274. 	context.getHeaders().header("custom-header", "header-value");
    275. 

  275. 	context.getClaims().claim("custom-claim", "claim-value");
    276. 

  276. });
    277. 

  277. ----
    278. 

  278. 

  279. Kotlin::
    280. 

  280. +
    281. 

  281. [source,kotlin,role="secondary"]
    282. 

  282. ----
    283. 

  283. val jwkResolver = ...
    284. 

  284. 

  285. val converter: NimbusJwtClientAuthenticationParametersConverter<OAuth2ClientCredentialsGrantRequest> =
    286. 

  286.     NimbusJwtClientAuthenticationParametersConverter(jwkResolver)
    287. 

  287. converter.setJwtClientAssertionCustomizer { context ->
    288. 

  288.     context.headers.header("custom-header", "header-value")
    289. 

  289.     context.claims.claim("custom-claim", "claim-value")
    290. 

  290. }
    291. 

  291. ----
    292. 

  292. ======
    293. 

  293. 

  294. [[oauth2-client-authentication-public]]
    295. 

  295. == [[oauth2Client-public-auth]]Public Authentication
    296. 

  296. 

  297. Public Client Authentication is supported out of the box and no customization is necessary to enable it.
    298. 

  298. 

  299. The following Spring Boot properties for an OAuth 2.0 client registration demonstrate the configuration:
    300. 

  300. 

  301. [source,yaml]
    302. 

  302. ----
    303. 

  303. spring:
    304. 

  304.   security:
    305. 

  305.     oauth2:
    306. 

  306.       client:
    307. 

  307.         registration:
    308. 

  308.           okta:
    309. 

  309.             client-id: client-id
    310. 

  310.             client-authentication-method: none
    311. 

  311.             authorization-grant-type: authorization_code
    312. 

  312.             ...
    313. 

  313. ----
    314. 

  314. 

  315. [NOTE]
    316. 

  316. ====
    317. 

  317. Public Clients are supported using https://tools.ietf.org/html/rfc7636[Proof Key for Code Exchange] (PKCE).
    318. 

  318. PKCE will automatically be used when `client-authentication-method` is set to "none" (`ClientAuthenticationMethod.NONE`).
    319. 

  319. ====
    320.