2016-09-28

We currently use the Spring OAuth authorization server, but we do not currently use the "scope" parameter from the OAuth specification. This is somewhat painful, because the Spring OAuth authorization server requires scopes to be explicitly requested when requesting an authorization code. The Spring OAuth authorization server requires the scope in DefaultOAuth2RequestValidator:

if (requestScopes.isEmpty()) { 
    throw new InvalidScopeException("Empty scope (either the client or the user is not allowed the requested scopes)"); 
} 

However, this directly contradicts the OAuth 2.0 specification:

 
4.1.1. Authorization Request 

    The client constructs the request URI by adding the following 
parameters to the query component of the authorization endpoint URI 
using the "application/x-www-form-urlencoded" format, per Appendix B: 

    response_type 
      REQUIRED. Value MUST be set to "code". 

    client_id 
      REQUIRED. The client identifier as described in Section 2.2. 

    redirect_uri 
      OPTIONAL. As described in Section 3.1.2. 

    scope 
      OPTIONAL. The scope of the access request as described by 
      Section 3.3. 

    state 
      RECOMMENDED. An opaque value used by the client to maintain 
      state between the request and callback. The authorization 
      server includes this value when redirecting the user-agent back 
      to the client. The parameter SHOULD be used for preventing 
      cross-site request forgery as described in Section 10.12. 

Is there a clear reason the Spring authorization server does this? I know I can replace the validator with my own, but I am curious why this is the default, in case I am missing something in my understanding, rather than it being done for legacy reasons.

Thanks.

EDIT

For those looking for an alternative implementation that follows the specification, here is mine. It simply checks that, if the client is restricted to certain scopes, then a requested scope is required and the requested scopes must be in the client's assigned scope list. If the client specifies no scopes, this implementation assumes any scope is allowed (the same assumption as with resources). Not yet sure about this one, or whether it is actually correct. If not, let me know.

import java.util.Set;

import org.apache.commons.collections.CollectionUtils;
import org.springframework.security.oauth2.common.exceptions.InvalidScopeException;
import org.springframework.security.oauth2.provider.AuthorizationRequest;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.security.oauth2.provider.TokenRequest;

public class OAuth2RequestValidator
        implements org.springframework.security.oauth2.provider.OAuth2RequestValidator {

    @Override
    public void validateScope(final AuthorizationRequest authorizationRequest,
                              final ClientDetails client) throws InvalidScopeException {
        this.validateScope(authorizationRequest.getScope(), client.getScope());
    }

    @Override
    public void validateScope(final TokenRequest tokenRequest, final ClientDetails client)
            throws InvalidScopeException {
        this.validateScope(tokenRequest.getScope(), client.getScope());
    }

    // A client with no registered scopes is treated as unrestricted. Otherwise the
    // request must name at least one scope, and every one of them must be registered.
    private void validateScope(final Set<String> requestScopes,
                               final Set<String> clientScopes) {
        if (!CollectionUtils.isEmpty(clientScopes)) {
            if (CollectionUtils.isEmpty(requestScopes)) {
                throw new InvalidScopeException(
                        "Empty scope (either the client or the user is "
                                + "not allowed the requested scopes)");
            }

            for (final String scope : requestScopes) {
                if (!clientScopes.contains(scope)) {
                    throw new InvalidScopeException("Invalid scope: " + scope, clientScopes);
                }
            }
        }
    }

}

This looks to have already been reported as a bug, but without any response. https://github.com/spring-projects/spring-security-oauth/issues/775 – loesak

Answer


According to DefaultOAuth2RequestFactory, if no scopes are supplied by the client, the scopes registered for the client are used.

DefaultOAuth2RequestFactory.java

private Set<String> extractScopes(Map<String, String> requestParameters, String clientId) {
    Set<String> scopes = OAuth2Utils.parseParameterList(requestParameters.get(OAuth2Utils.SCOPE));
    ClientDetails clientDetails = clientDetailsService.loadClientByClientId(clientId);

    if ((scopes == null || scopes.isEmpty())) {
        // If no scopes are specified in the incoming data, use the default values registered with the client
        // (the spec allows us to choose between this option and rejecting the request completely, so we'll take the
        // least obnoxious choice as a default).
        scopes = clientDetails.getScope();
    }

    if (checkUserScopes) {
        scopes = checkUserScopes(scopes, clientDetails);
    }
    return scopes;
}

So you can configure the client with a default scope of "all", or something similar, like this:

@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
    clients.inMemory()
        .withClient("client").secret("secret")
        .authorizedGrantTypes("authorization_code", "client_credentials")
        // registered scopes double as the default when the request carries none
        .scopes("all");
}

Not a bad idea, although we are not using scopes at the moment, so assigning a scope to the client could be seen as a negative thing: they might have permission to perform operations in the future when scope restrictions are added to our application. The question is more about why Spring Security OAuth (in the version I am using) does not follow the spec. – loesak
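Added example (not code from the question, the answer or Spring's source): a dependency-free Java model of the two steps this thread is about, the factory's fallback to the client's registered scopes (the extractScopes code in the answer) followed by the validateScope check, with the default behaviour and the validator posted in the question side by side. Class and method names are chosen to mirror the Spring ones, but the code is a stand-in: the InvalidScope exception replaces Spring's InvalidScopeException, the checkUserScopes intersection is left out, and the five request/client combinations are constructed for illustration. The comment in Spring's extractScopes refers to the choice RFC 6749 Section 3.3 leaves to the server when the scope parameter is omitted: use a pre-defined default or fail the request.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.Set;

/** Model of scope resolution as discussed in the thread; not Spring code. */
public class ScopeResolutionDemo {

    /** Stand-in for Spring's InvalidScopeException so this file has no dependencies. */
    static class InvalidScope extends RuntimeException {
        InvalidScope(String msg) { super(msg); }
    }

    /** The validateScope(requestScopes, clientScopes) step; both policies below implement it. */
    interface ScopePolicy {
        void validate(Set<String> requestScopes, Set<String> clientScopes);
    }

    /** Shared rule: when the client has registered scopes, every requested scope must be one of them. */
    static void requireSubset(Set<String> requestScopes, Set<String> clientScopes) {
        if (!clientScopes.isEmpty()) {
            for (String scope : requestScopes) {
                if (!clientScopes.contains(scope)) {
                    throw new InvalidScope("Invalid scope: " + scope + " (client allows " + clientScopes + ")");
                }
            }
        }
    }

    /** Model of DefaultOAuth2RequestValidator: an empty scope set is rejected unconditionally. */
    static final ScopePolicy SPRING_DEFAULT = (req, client) -> {
        requireSubset(req, client);
        if (req.isEmpty()) {
            throw new InvalidScope("Empty scope (either the client or the user is not allowed the requested scopes)");
        }
    };

    /** Model of the validator posted in the question: empty is rejected only if the client is restricted. */
    static final ScopePolicy POSTED = (req, client) -> {
        if (!client.isEmpty()) {
            if (req.isEmpty()) {
                throw new InvalidScope("Empty scope (client is restricted to " + client + ")");
            }
            requireSubset(req, client);
        }
    };

    /**
     * Model of DefaultOAuth2RequestFactory.extractScopes(): the space-separated scope parameter is
     * parsed, and when it is absent or empty the client's registered scopes are used as the default.
     * (The real method can additionally intersect with the user's authorities; omitted here.)
     */
    static Set<String> extractScopes(String scopeParam, Set<String> clientScopes) {
        Set<String> scopes = new LinkedHashSet<>();
        if (scopeParam != null) {
            for (String s : scopeParam.trim().split("\\s+")) {
                if (!s.isEmpty()) scopes.add(s);
            }
        }
        if (scopes.isEmpty()) {
            scopes = new LinkedHashSet<>(clientScopes);
        }
        return scopes;
    }

    /** Runs factory then validator and reports the scopes the token would carry, or why it was rejected. */
    static String resolve(ScopePolicy policy, String scopeParam, Set<String> clientScopes) {
        Set<String> effective = extractScopes(scopeParam, clientScopes);
        try {
            policy.validate(effective, clientScopes);
            return "granted " + effective;
        } catch (InvalidScope e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        Set<String> noScopes = Collections.emptySet();
        Set<String> readOnly = new LinkedHashSet<>(Arrays.asList("read"));
        Set<String> all = new LinkedHashSet<>(Arrays.asList("all"));

        // Constructed cases; the first column is the raw "scope" request parameter (null = absent).
        Object[][] cases = {
            { null,    noScopes, "no scope param, client has no registered scopes (the questioner's setup)" },
            { null,    readOnly, "no scope param, client registered with 'read' (the answer's fallback)" },
            { null,    all,      "no scope param, client registered with 'all' (the last comment's concern)" },
            { "write", readOnly, "explicit scope outside the client's registered list" },
            { "read",  readOnly, "explicit scope inside the client's registered list" },
        };
        for (Object[] c : cases) {
            String scopeParam = (String) c[0];
            @SuppressWarnings("unchecked") Set<String> client = (Set<String>) c[1];
            System.out.println(c[2]);
            System.out.println("  default validator : " + resolve(SPRING_DEFAULT, scopeParam, client));
            System.out.println("  posted validator  : " + resolve(POSTED, scopeParam, client));
        }
    }
}
```

Run it with `java ScopeResolutionDemo.java` (Java 11 or later). The first case is the one the question describes: with no scope parameter and a client that has no registered scopes, the factory hands an empty set to the validator, the default validator rejects it and the posted one grants a token that carries no scopes. As soon as the client is registered with any scopes the two validators agree, including the "all" case: the fallback means an omitted scope parameter is granted every scope the client is registered for, which is the trade-off the last comment points at. Note also that in this model the posted validator's empty-scope branch is unreachable, because after the factory's fallback the request set can only be empty when the client's own set is empty, and that is exactly the case the posted validator lets through.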