【问题标题】:Does Spring OAuth2 SSO support Azure Active Directory signing key rollover for token verification?Spring OAuth2 SSO 是否支持 Azure Active Directory 签名密钥翻转以进行令牌验证?
【发布时间】:2017-12-26 10:44:57
【问题描述】:

我正在使用 Spring OAuth2 SSO 开发 SSO 应用程序。我使用 Azure AD 作为 OAuth2 提供程序,它具有 signing key rollover 并使用 JWKS URI(OpenID 配置)公开公钥,如下所示。有什么方法可以在 Spring OAuth2 SSO 中进行令牌验证?

{
  "keys": [
{
  "kty": "RSA",
  "use": "sig",
  "kid": "9FXDpbfMFT2SvQuXh846YTwEIBw",
  "x5t": "9FXDpbfMFT2SvQuXh846YTwEIBw",
  "n": "kvt1VmR4nwkNM8jMU0wmj2gSS8NznbOt2pZI6Z7HQT_esF7W19GZR7Y72Xo1i5zXRDM9o3GeTIjBrnr3yy41Q_EaUQ7C-b-Hmg94Vy7EBZyBhi_mznz0dYWs2MIXwR86Nni9TmgTXvjgTPF2YGJoZt4TwcMFefW8rijCVyNrCBA0XspDouNJavvG0BEMXYigoThFjLRXS5U3h4BDfNZFZZS3dyliNOXfgRn2k7oITz8h_ueiPvmDRFh38AeQgx1cELhKWc3P5ugtttraSwgH7nP2NUguO9nCrHuL6TZ-KWpmRWZqwH-jYKFQVt3CDpzwNM6XJL-oHbl1x-gI3YYX5w",
  "e": "AQAB",
  "x5c": [
    "MIIDBTCCAe2gAwIBAgIQZSAeaqWig4BHC1ksmNNcgjANBgkqhkiG9w0BAQsFADAtMSswKQYDVQQDEyJhY2NvdW50cy5hY2Nlc3Njb250cm9sLndpbmRvd3MubmV0MB4XDTE3MDUwNjAwMDAwMFoXDTE5MDUwNzAwMDAwMFowLTErMCkGA1UEAxMiYWNjb3VudHMuYWNjZXNzY29udHJvbC53aW5kb3dzLm5ldDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJL7dVZkeJ8JDTPIzFNMJo9oEkvDc52zrdqWSOmex0E/3rBe1tfRmUe2O9l6NYuc10QzPaNxnkyIwa5698suNUPxGlEOwvm/h5oPeFcuxAWcgYYv5s589HWFrNjCF8EfOjZ4vU5oE1744EzxdmBiaGbeE8HDBXn1vK4owlcjawgQNF7KQ6LjSWr7xtARDF2IoKE4RYy0V0uVN4eAQ3zWRWWUt3cpYjTl34EZ9pO6CE8/If7noj75g0RYd/AHkIMdXBC4SlnNz+boLbba2ksIB+5z9jVILjvZwqx7i+k2filqZkVmasB/o2ChUFbdwg6c8DTOlyS/qB25dcfoCN2GF+cCAwEAAaMhMB8wHQYDVR0OBBYEFGKpXQNrF5IoxS6bL4F92+gxOJlIMA0GCSqGSIb3DQEBCwUAA4IBAQA3HgW5SoHlvvQVxqqi+mtscDZLhNfe13iG/nx8Er5il82b79RVydNs+f9sYxc4T4ctnrZu7x5e7jInJedNdAlrPorBdw+SfvKJsmiNndXugMew1FlcQTQVIFDCbziaJav8rKyMxPfeKkc1aixbajWZkKg6OPmmJn2ceTocbn8PMQy20xNvcWUwgF5FZZIuPqu6feOLJcUIYw+0JFZ265xka30QXpmytcIxajIzpD4PRdCIBuVSqgXacAs4t4+w+OhnosD72yvXck8M4GwX1j+vcuyw0yhDGNMmqsHWP7H3jnJiGDrKhhdVyplzDhTfv2Whbv/dIDn+meLE3yyC5yGL"
  ]
},
{
  "kty": "RSA",
  "use": "sig",
  "kid": "VWVIc1WD1Tksbb301sasM5kOq5Q",
  "x5t": "VWVIc1WD1Tksbb301sasM5kOq5Q",
  "n": "wxZQBChCrsCnhy-U6jWszJNnpSwYM3nmF7iwBkp0Qa57Wz7XQLnhUucZe_YkEJg6hJg16XAbZ_3oZnwLqQVlArfu5ldP9IdgOgPJYFGZXamE0v3BFtf1K2leiHqfmt06zJ2NhHCQ5p2yRzrrMV23kjK5bz8a_gQsdkIkBW7qE9TbJFU5D3zPk-sbJi7SIOLx5XRI6eFwu4z1IGooBbNiRopDEdcQizJqH_7PQJuBBk-a-ntI05mZaEZ2nbo8DDu046TEkqA2IRJ1FIvvdxrAi5NQ6E6YcYulNWxUaxBD2e42f9jmhBTBYknN23p3QEmRWvhgFRyDoK-M5XFw1H0mbw",
  "e": "AQAB",
  "x5c": [
    "MIIDBTCCAe2gAwIBAgIQd8BVt03W25FAp3gfq8UytzANBgkqhkiG9w0BAQsFADAtMSswKQYDVQQDEyJhY2NvdW50cy5hY2Nlc3Njb250cm9sLndpbmRvd3MubmV0MB4XDTE3MDYxNjAwMDAwMFoXDTE5MDYxNzAwMDAwMFowLTErMCkGA1UEAxMiYWNjb3VudHMuYWNjZXNzY29udHJvbC53aW5kb3dzLm5ldDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMMWUAQoQq7Ap4cvlOo1rMyTZ6UsGDN55he4sAZKdEGue1s+10C54VLnGXv2JBCYOoSYNelwG2f96GZ8C6kFZQK37uZXT/SHYDoDyWBRmV2phNL9wRbX9StpXoh6n5rdOsydjYRwkOadskc66zFdt5IyuW8/Gv4ELHZCJAVu6hPU2yRVOQ98z5PrGyYu0iDi8eV0SOnhcLuM9SBqKAWzYkaKQxHXEIsyah/+z0CbgQZPmvp7SNOZmWhGdp26PAw7tOOkxJKgNiESdRSL73cawIuTUOhOmHGLpTVsVGsQQ9nuNn/Y5oQUwWJJzdt6d0BJkVr4YBUcg6CvjOVxcNR9Jm8CAwEAAaMhMB8wHQYDVR0OBBYEFKpiEhEA5eJvMS/oZ19jXTqKOHDLMA0GCSqGSIb3DQEBCwUAA4IBAQA7gStJbp9Drkh+K+jG0cMbxKKqOIWRofqZjvsD4B+cuwqZO5O2mEPQmuW021BpkOQ/aQvmd+J97G2LkIU0EvR4F9pu9fep5ZveXDiOXb7hOKzHprRfi0GO64JvP3Rt7pjSUVix21/rn4p4ESGcx7TdFhRIwix6gXWMxlRQyBaZ3wJyr0YnQl1h4vvgi8o5aB/3tNSbuZDFh4GNjqLgyvHgfiJczqR/odJF6aY+hM9QGu6grVUiWWcujE58Z0DdH1VaCVL/UsHj3n2zrgm4ePT+6cl0QRsEGxvMn3/UZ1CP3FllKGNf1PRyM+XC1N62Bt332Xi1swjLfZLbMxDcdBEf"
  ]
},
{
  "kty": "RSA",
  "use": "sig",
  "kid": "2S4SCVGs8Sg9LS6AqLIq6DpW-g8",
  "x5t": "2S4SCVGs8Sg9LS6AqLIq6DpW-g8",
  "n": "oZ-QQrNuB4ei9ATYrT61ebPtvwwYWnsrTpp4ISSp6niZYb92XM0oUTNgqd_C1vGN8J-y9wCbaJWkpBf46CjdZehrqczPhzhHau8WcRXocSB1u_tuZhv1ooAZ4bAcy79UkeLiG60HkuTNJJC8CfaTp1R97szBhuk0Vz5yt4r5SpfewIlBCnZUYwkDS172H9WapQu-3P2Qjh0l-JLyCkdrhvizZUk0atq5_AIDKRU-A0pRGc-EZhUL0LqUMz6c6M2s_4GnQaScv44A5iZUDD15B6e8Apb2yARohkWmOnmRcTVfes8EkfxjzZEzm3cNkvP0ogILyISHKlkzy2OmlU6iXw",
  "e": "AQAB",
  "x5c": [
    "MIIDKDCCAhCgAwIBAgIQBHJvVNxP1oZO4HYKh+rypDANBgkqhkiG9w0BAQsFADAjMSEwHwYDVQQDExhsb2dpbi5taWNyb3NvZnRvbmxpbmUudXMwHhcNMTYxMTE2MDgwMDAwWhcNMTgxMTE2MDgwMDAwWjAjMSEwHwYDVQQDExhsb2dpbi5taWNyb3NvZnRvbmxpbmUudXMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQChn5BCs24Hh6L0BNitPrV5s+2/DBhaeytOmnghJKnqeJlhv3ZczShRM2Cp38LW8Y3wn7L3AJtolaSkF/joKN1l6GupzM+HOEdq7xZxFehxIHW7+25mG/WigBnhsBzLv1SR4uIbrQeS5M0kkLwJ9pOnVH3uzMGG6TRXPnK3ivlKl97AiUEKdlRjCQNLXvYf1ZqlC77c/ZCOHSX4kvIKR2uG+LNlSTRq2rn8AgMpFT4DSlEZz4RmFQvQupQzPpzozaz/gadBpJy/jgDmJlQMPXkHp7wClvbIBGiGRaY6eZFxNV96zwSR/GPNkTObdw2S8/SiAgvIhIcqWTPLY6aVTqJfAgMBAAGjWDBWMFQGA1UdAQRNMEuAEDUj0BrjP0RTbmoRPTRMY3WhJTAjMSEwHwYDVQQDExhsb2dpbi5taWNyb3NvZnRvbmxpbmUudXOCEARyb1TcT9aGTuB2Cofq8qQwDQYJKoZIhvcNAQELBQADggEBAGnLhDHVz2gLDiu9L34V3ro/6xZDiSWhGyHcGqky7UlzQH3pT5so8iF5P0WzYqVtogPsyC2LPJYSTt2vmQugD4xlu/wbvMFLcV0hmNoTKCF1QTVtEQiAiy0Aq+eoF7Al5fV1S3Sune0uQHimuUFHCmUuF190MLcHcdWnPAmzIc8fv7quRUUsExXmxSX2ktUYQXzqFyIOSnDCuWFm6tpfK5JXS8fW5bpqTlrysXXz/OW/8NFGq/alfjrya4ojrOYLpunGriEtNPwK7hxj1AlCYEWaRHRXaUIW1ByoSff/6Y6+ZhXPUe0cDlNRt/qIz5aflwO7+W8baTS4O8m/icu7ItE="
  ]
}
]
}

【问题讨论】:

    标签: spring-security single-sign-on azure-active-directory


    【解决方案1】:

    根据描述,您正在使用带有 Spring Security OAuth 的 Azure AD 实现 OAuth 2.0 提供程序。

    根据我的理解,OAuth 2.0 中的提供者角色实际上分为授权服务和资源服务。如果您只在应用程序中获取令牌并将令牌发送到受 Azure AD 保护的资源,则无需验证令牌。例如,您的 Web 应用实施 OAuth 2.0 Provider 以使用户能够从 Azure AD 获取 Microsoft Graph 的访问令牌,然后您的 Web 应用可以使用此访问令牌调用 Microsoft Graph。 Microsoft Graph 将验证访问令牌。

    如果您还实现了资源服务并通过 Spring Security OAuth 使用 Azure AD 保护它,则需要实现 ResourceServerTokenServices 来验证令牌并处理密钥翻转。

    您可以参考this link 手动验证访问令牌。以及更多关于Spring Oauth2开发的细节,可以参考以下链接:

    OAuth 2 Developers Guide

    【讨论】:

      猜你喜欢
      • 1970-01-01
      • 2021-06-02
      • 1970-01-01
      • 2020-11-14
      • 2016-07-13
      • 2020-02-14
      • 1970-01-01
      • 1970-01-01
      • 1970-01-01
      相关资源
      最近更新 更多