我們目前使用Spring OAuth授權服務器,但目前不使用OAuth規範中的「scope」參數。由於Spring OAuth授權服務器要求在請求授權代碼時明確要求範圍,因此這有點痛苦。Spring OAuth授權服務器需要範圍
從DefaultOAuth2RequestValidator:
if (requestScopes.isEmpty()) {
throw new InvalidScopeException("Empty scope (either the client or the user is not allowed the requested scopes)");
}
然而,這直接違背了的OAuth 2.0規範:
4.1.1. Authorization Request The client constructs the request URI by adding the following parameters to the query component of the authorization endpoint URI using the "application/x-www-form-urlencoded" format, per Appendix B: response_type REQUIRED. Value MUST be set to "code". client_id REQUIRED. The client identifier as described in Section 2.2. redirect_uri OPTIONAL. As described in Section 3.1.2. scope OPTIONAL. The scope of the access request as described by Section 3.3. state RECOMMENDED. An opaque value used by the client to maintain state between the request and callback. The authorization server includes this value when redirecting the user-agent back to the client. The parameter SHOULD be used for preventing cross-site request forgery as described in Section 10.12.
是否有一個明確的原因,春節授權服務器做到這一點?我知道我可以用我自己的替代驗證器,但我很好奇,爲什麼這是默認情況下,如果我遺漏任何理解,而不是因爲遺留原因這樣做。
謝謝。
編輯
對於那些尋找下面的規範的替代實現,這裏是我的。它只是檢查,如果客戶端被限制在某些範圍內,則只需要請求的範圍,並且所請求的範圍必須位於分配的客戶端範圍列表中。如果客戶端沒有指定範圍,則此實現假定允許使用任何範圍(與資源相同的假設)。還不確定這個或者它是否真的正確。如果不是,請告訴我。
import java.util.Set;
import org.apache.commons.collections.CollectionUtils;
import org.springframework.security.oauth2.common.exceptions.InvalidScopeException;
import org.springframework.security.oauth2.provider.AuthorizationRequest;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.security.oauth2.provider.TokenRequest;
public class OAuth2RequestValidator
implements org.springframework.security.oauth2.provider.OAuth2RequestValidator {
@Override
public void validateScope(final AuthorizationRequest authorizationRequest,
final ClientDetails client)
throws InvalidScopeException {
this.validateScope(authorizationRequest.getScope(), client.getScope());
}
@Override
public void validateScope(final TokenRequest tokenRequest, final ClientDetails client)
throws InvalidScopeException {
this.validateScope(tokenRequest.getScope(), client.getScope());
}
private void validateScope(
final Set<String> requestScopes,
final Set<String> clientScopes) {
if (!CollectionUtils.isEmpty(clientScopes)) {
if (CollectionUtils.isEmpty(requestScopes)) {
throw new InvalidScopeException(
"Empty scope (either the client or the user is "
+ "not allowed the requested scopes)");
}
for (final String scope : requestScopes) {
if (!clientScopes.contains(scope)) {
throw new InvalidScopeException("Invalid scope: " + scope, clientScopes);
}
}
}
}
}
這看起來已經被報告爲一個錯誤,但沒有任何迴應。 https://github.com/spring-projects/spring-security-oauth/issues/775 – loesak