OAuth 2.0 Resource Server Bearer Tokens

Bearer Token Resolution

By default, Resource Server looks for a bearer token in the Authorization header. This lookup, however, can be customized.

For example, you may need to read the bearer token from a custom header. To do so, wire an instance of ServerBearerTokenAuthenticationConverter into the DSL:

Custom Bearer Token Header
  • Java

ServerBearerTokenAuthenticationConverter converter = new ServerBearerTokenAuthenticationConverter();
converter.setBearerTokenHeaderName(HttpHeaders.PROXY_AUTHORIZATION);
http
    .oauth2ResourceServer(oauth2 -> oauth2
        .bearerTokenConverter(converter)
    );

  • Kotlin

val converter = ServerBearerTokenAuthenticationConverter()
converter.setBearerTokenHeaderName(HttpHeaders.PROXY_AUTHORIZATION)
return http {
    oauth2ResourceServer {
        bearerTokenConverter = converter
    }
}

Bearer Token Propagation

Now that you have a bearer token, you can pass it on to downstream services. This is possible with ServerBearerExchangeFilterFunction:

  • Java

@Bean
public WebClient rest() {
    return WebClient.builder()
            .filter(new ServerBearerExchangeFilterFunction())
            .build();
}

  • Kotlin

@Bean
fun rest(): WebClient {
    return WebClient.builder()
            .filter(ServerBearerExchangeFilterFunction())
            .build()
}

When the WebClient shown in the preceding example performs requests, Spring Security looks up the current Authentication and extracts any AbstractOAuth2Token credential. It then propagates that token in the Authorization header, for example:

  • Java

this.rest.get()
        .uri("https://other-service.example.com/endpoint")
        .retrieve()
        .bodyToMono(String.class)

  • Kotlin

this.rest.get()
        .uri("https://other-service.example.com/endpoint")
        .retrieve()
        .bodyToMono<String>()

The preceding example invokes https://other-service.example.com/endpoint, adding the bearer token Authorization header for you.

Where you need to override this behavior, you can supply the header yourself:

  • Java

this.rest.get()
        .uri("https://other-service.example.com/endpoint")
        .headers(headers -> headers.setBearerAuth(overridingToken))
        .retrieve()
        .bodyToMono(String.class)

  • Kotlin

rest.get()
        .uri("https://other-service.example.com/endpoint")
        .headers { it.setBearerAuth(overridingToken) }
        .retrieve()
        .bodyToMono<String>()

In this case, the filter falls back and forwards the request onto the rest of the web filter chain.

Unlike the OAuth 2.0 Client filter function, this filter function makes no attempt to renew the token should it be expired.
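The propagation behavior described above, as an added example that is not part of the Spring Security reference or its code base: a stand-alone check that ServerBearerExchangeFilterFunction sets the outbound Authorization header from the current Authentication's AbstractOAuth2Token, and sends the request through untouched when the Reactor context carries no Authentication. The class name, the recording stub ExchangeFunction and the sample token value are constructed for this example; it assumes spring-security-oauth2-resource-server, spring-security-oauth2-jose and spring-webflux on the classpath.

```java
import java.util.concurrent.atomic.AtomicReference;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpStatus;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.ReactiveSecurityContextHolder;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
import org.springframework.security.oauth2.server.resource.web.reactive.function.client.ServerBearerExchangeFilterFunction;
import org.springframework.web.reactive.function.client.ClientResponse;
import org.springframework.web.reactive.function.client.ExchangeFunction;
import org.springframework.web.reactive.function.client.WebClient;
import reactor.core.publisher.Mono;

public class BearerPropagationCheck { // hypothetical class name, not part of Spring Security
    public static void main(String[] args) {
        // Stub exchange: records the Authorization header of each outbound request and
        // answers 200 OK, standing in for the real downstream service.
        AtomicReference<String> seenAuthorization = new AtomicReference<>();
        ExchangeFunction stub = request -> {
            seenAuthorization.set(request.headers().getFirst(HttpHeaders.AUTHORIZATION));
            return Mono.just(ClientResponse.create(HttpStatus.OK).body("ok").build());
        };
        WebClient rest = WebClient.builder()
                .filter(new ServerBearerExchangeFilterFunction())
                .exchangeFunction(stub)
                .build();

        // Constructed, unsigned sample token. In a running resource server the Authentication
        // is the one produced by JWT or opaque-token authentication of the inbound request.
        Jwt jwt = Jwt.withTokenValue("sample-token-value")
                .header("alg", "none")
                .claim("sub", "alice")
                .build();
        Authentication authentication = new JwtAuthenticationToken(jwt);
        Mono<String> call = rest.get()
                .uri("https://other-service.example.com/endpoint")
                .retrieve()
                .bodyToMono(String.class);

        // With an Authentication in the Reactor context, the filter takes its AbstractOAuth2Token
        // credential and sets "Authorization: Bearer <tokenValue>" on the outbound request.
        call.contextWrite(ReactiveSecurityContextHolder.withAuthentication(authentication)).block();
        System.out.println("with Authentication:    " + seenAuthorization.get());

        // Without one there is nothing to propagate; the request goes out with no Authorization header.
        seenAuthorization.set(null);
        call.block();
        System.out.println("without Authentication: " + seenAuthorization.get());
    }
}
```

Because the filter reads the Authentication from the Reactor context rather than a thread-local, the same check run inside a WebFlux handler needs no explicit contextWrite: the security WebFilter has already populated the context for the request.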