将google login_hint参数添加到oauth2 AuthorizationCode请求中
将google login_hint参数添加到oauth2 AuthorizationCode请求中
提问于 2018-09-28 11:24:25
作为AuthorizationCode身份验证流的一部分,我一直试图向oauth2请求中添加一个请求参数,即spring。具体来说,我需要添加一个login_hint参数,以防止谷歌在电子邮件地址已知时指示用户选择他们的帐户。
这是我最初的配置:
@Configuration
@EnableOAuth2Client
@RequiredArgsConstructor
public class OAuthSecurityConfiguration extends WebSecurityConfigurerAdapter {
private static final String LOGIN_PATH = "/oauth/login";
private static final int OAUTH2_CLIENT_FILTER_ORDER = -100;
static {
SecurityContextHolder.setStrategyName(SecurityContextHolder.MODE_INHERITABLETHREADLOCAL);
}
private final OAuth2ClientContext oauth2ClientContext;
private final OAuth2ClientContextFilter oAuth2ClientContextFilter;
@Override
protected void configure(HttpSecurity http) throws Exception {
final OAuth2ClientAuthenticationProcessingFilter ssoFilter = new OAuth2ClientAuthenticationProcessingFilter(LOGIN_PATH);
ssoFilter.setRestTemplate(googleRestTemplate());
ssoFilter.setTokenServices(tokenServices());
ssoFilter.setAuthenticationManager(oAuth2AuthenticationManager());
final OAuth2AuthenticationProcessingFilter clientFilter = new OAuth2AuthenticationProcessingFilter();
clientFilter.setAuthenticationManager(oAuth2AuthenticationManager());
clientFilter.setStateless(false);
// @formatter:off
http
.csrf().disable()
.cors().disable()
.headers()
.frameOptions().sameOrigin()
.cacheControl().disable()
.and()
.antMatcher("/**")
.csrf().disable()
.httpBasic().disable()
.rememberMe().disable()
.addFilterBefore(ssoFilter, BasicAuthenticationFilter.class)
.addFilterBefore(clientFilter, OAuth2ClientAuthenticationProcessingFilter.class)
.authorizeRequests()
.antMatchers("/api/**").fullyAuthenticated()
.anyRequest().permitAll()
.and()
.logout().logoutUrl("/logout")
.and() .exceptionHandling().authenticationEntryPoint(authenticationEntryPoint());
// @formatter:on
}我成功地做到这一点的唯一方法如下:
@Bean
public OAuth2RestTemplate googleRestTemplate() {
MyAuthorizationCodeAccessTokenProvider myAuthorizationCodeAccessTokenProvider =
new MyAuthorizationCodeAccessTokenProvider();
AccessTokenProvider accessTokenProvider = new AccessTokenProviderChain(
Arrays.<AccessTokenProvider>asList(
myAuthorizationCodeAccessTokenProvider, new ImplicitAccessTokenProvider(),
new ResourceOwnerPasswordAccessTokenProvider(), new ClientCredentialsAccessTokenProvider()));
OAuth2RestTemplate oAuth2RestTemplate = new OAuth2RestTemplate(googleClient(), oauth2ClientContext);
oAuth2RestTemplate.setAccessTokenProvider(accessTokenProvider);
return oAuth2RestTemplate;
}
static class MyAuthorizationCodeAccessTokenProvider extends AuthorizationCodeAccessTokenProvider {
private static String EMAIL_PARAM_NAME = "email";
@Override
public OAuth2AccessToken obtainAccessToken(OAuth2ProtectedResourceDetails details, AccessTokenRequest request)
throws UserRedirectRequiredException, UserApprovalRequiredException, AccessDeniedException,
OAuth2AccessDeniedException {
try {
return super.obtainAccessToken(details, request);
} catch (UserRedirectRequiredException ex) {
String email = request.containsKey(EMAIL_PARAM_NAME) ? request.get(EMAIL_PARAM_NAME).get(0) : null;
if (email != null) {
ex.getRequestParams().put("login_hint", email);
}
throw ex;
}
}
}
}这是自定义spring oauth2实现以在授权请求中设置login_hint参数的最佳方法吗?
回答 1
Stack Overflow用户
回答已采纳
发布于 2021-01-20 15:41:51
我需要解决与IdP完全相同的Okta问题。我知道这是一个旧的帖子,但是我的帖子用一种通用的方法来回答这个问题,它可以用于任何需要附加到授权URL的附加参数(不仅仅是login_hint)。我认为我的答案与Spring期望开发人员如何解决这个问题非常吻合。我用于解决方案的主要资源在这里找到(https://github.com/spring-projects/spring-security/issues/5244)。另一个很好的资源在这里(https://github.com/spring-projects/spring-security/issues/5521)。下面是它的工作原理: Spring使用一个名为OAuth2AuthorizationRequestRedirectFilter的过滤器,它负责构建OAuth2授权请求。授权请求(OAuth2AuthorizationRequest)包含授权请求URI。需要通过添加附加参数(即login_hint)来更改授权请求URI。Spring使用创建OAuth2AuthorizationRequestResolver的OAuth2AuthorizationRequestResolver实现。通过提供您自己的OAuth2AuthorizationRequestResolver,您可以向授权URL添加其他参数。因此,对于我的实现,我创建了一个名为ConfigurableOAuth2AuthorizationRequestResolver的类,它封装了Spring的DefaultOAuth2AuthorizationRequestResolver。这是我的一些代码。
// Credit to Joe Grandja for providing test cases found here:
// https://raw.githubusercontent.com/spring-projects/spring-security/779597af2a6ed777707f08ae8106818e0b8e299e/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/OAuth2AuthorizationRequestRedirectFilterTests.java
// Much of the below code comes from his test examples.
public class ConfigurableOAuth2AuthorizationRequestResolver implements OAuth2AuthorizationRequestResolver
{
private final OAuth2AuthorizationRequestResolver oAuth2AuthorizationRequestResolver;
/**
* Wraps a OAuth2AuthorizationRequestResolver so that calls to the resolve method can be delegated.
* In our implementation, the value passed here will be a DefaultOAuth2AuthorizationRequestResolver object.
* @param oAuth2AuthorizationRequestResolver usually the default resolver from Spring.
*/
public ConfigurableOAuth2AuthorizationRequestResolver(OAuth2AuthorizationRequestResolver oAuth2AuthorizationRequestResolver)
{
this.oAuth2AuthorizationRequestResolver = oAuth2AuthorizationRequestResolver;
}
/**
* Adds our custom code to check for extra parameters in the session. We use the session because there
* are several redirects to the browser causing any request variable to be lost. Don't really like
* storing anything in the HTTP session but OK as long as it is removed immediately after use.
*
* @param request needed for resolve method delegation and to retrieve the HTTP session.
* @return the <code>OAuth2AuthorizationRequest</code>
*/
@Override
public OAuth2AuthorizationRequest resolve(HttpServletRequest request)
{
OAuth2AuthorizationRequest authorizationRequest = this.oAuth2AuthorizationRequestResolver.resolve(request);
return processAdditionalParameters(request, authorizationRequest);
}
/**
* Required method for implementation but not used in the standard use case.
*
* @param request needed for resolve method delegation and to retrieve the HTTP session.
* @param clientRegistrationId (e. g. google, okta)
* @return the <code>OAuth2AuthorizationRequest</code>
*/
@Override
public OAuth2AuthorizationRequest resolve(HttpServletRequest request, String clientRegistrationId)
{
OAuth2AuthorizationRequest authorizationRequest = this.oAuth2AuthorizationRequestResolver.resolve(request, clientRegistrationId);
return processAdditionalParameters(request, authorizationRequest);
}
/**
* This method does the important task of appending any special query string parameters to the authorization
* request. For now, we are only looking for login_hint in the session. This method can be changed to
* support more parameters. We expect the login_hint key to be found in the session.
*
* @param request needed to retrieve the HTTP session.
* @param authorizationRequest can be null as a valid scenario. Not null when registrationId matches Okta (or whatever).
* @return the <code>OAuth2AuthorizationRequest</code>
*/
private OAuth2AuthorizationRequest processAdditionalParameters(HttpServletRequest request, OAuth2AuthorizationRequest authorizationRequest)
{
if (authorizationRequest == null)
{
return null;
}
// NOTE: this can be improved to support multiple parameters by storing a list instead of a single param
Map<String, Object> additionalParameters = new HashMap<>(authorizationRequest.getAdditionalParameters());
HttpSession session = request.getSession();
additionalParameters.put(SSO_OAUTH2_AUTH_PARAM_LOGIN_HINT, session.getAttribute(SSO_OAUTH2_AUTH_PARAM_LOGIN_HINT));
session.removeAttribute(SSO_OAUTH2_AUTH_PARAM_LOGIN_HINT); // remove immediately after use
String customAuthorizationRequestUri = UriComponentsBuilder
.fromUriString(authorizationRequest.getAuthorizationRequestUri())
.queryParam(SSO_OAUTH2_AUTH_PARAM_LOGIN_HINT, additionalParameters.get(SSO_OAUTH2_AUTH_PARAM_LOGIN_HINT))
.build(true).toUriString();
return OAuth2AuthorizationRequest.from(authorizationRequest)
.additionalParameters(additionalParameters)
.authorizationRequestUri(customAuthorizationRequestUri)
.build();
}
}下一段代码展示了如何集成解析器而不是Spring的默认值。
@Override
protected void configure(HttpSecurity http) throws Exception
{
logger.info("Configuring OAuth/OIDC HTTP security ...");
http
.oauth2Login()
.authorizationEndpoint()
.authorizationRequestResolver(this.authorizationRequestResolver()) // adds custom resolver
}
@Bean
public OAuth2AuthorizationRequestResolver authorizationRequestResolver()
{
OAuth2AuthorizationRequestResolver defaultAuthorizationRequestResolver = new DefaultOAuth2AuthorizationRequestResolver(
yourClientRegistrationRepository, OAuth2AuthorizationRequestRedirectFilter.DEFAULT_AUTHORIZATION_REQUEST_BASE_URI);
return new ConfigurableOAuth2AuthorizationRequestResolver(defaultAuthorizationRequestResolver);
}这是最好的方法吗IDK。截至5.1岁,这是国际水文学组织公认的做法。
页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://stackoverflow.com/questions/52554307
复制相关文章
相似问题
腾讯云开发者
