【发布时间】:2020-01-22 12:20:42
【问题描述】:
问题
我正在尝试创建一个应用程序,它在前端使用 Auth0 SPA + React 来验证用户,而无需处理密码。然后,我想保护我使用 Auth 服务器创建的所有端点,我需要使用 Spring Framework 创建。
澄清一下,流程是
Frontend ->
Auth through Auth0 ->
Redirect to users dashboard on frontend ->
Make HTTP request to endpoint sending JWT returned from Auth0 ->
Endpoint makes request to my Auth Server sending JWT returned from Auth0 ->
Auth server either either returns 401 or user object based on JWT ->
Endpoint grabs data specific to that user from DB ->
Returns data to frontend
使用 Auth0 提供的快速入门指南,我已经设法让我的前端正常工作,但我在弄清楚如何获得时遇到了很多麻烦我的 Auth Service 来验证用户。
我相信我已经得出结论,我需要在 Auth0 上创建一个“API”并获取一个访问令牌和使用它来验证 JWT,在这种情况下它只是 访问令牌 而不是我的前端包含的 JWT。我也让这部分工作,但似乎没有办法知道用户是谁。测试此“API”时,发送有效请求后,我被退回
{
"iss": "https://${username}.auth0.com/",
"sub": "${alphanumericCharacters}@clients",
"aud": "${ApiIdentifier}",
"iat": ${issuedAt},
"exp": ${expiresAt},
"azp": "${alphanumericCharacters}",
"gty": "client-credentials"
}
虽然很高兴知道我在正确的轨道上,但我似乎无法弄清楚如何处理此响应以找到用户。
预期
我希望在验证 Auth Service
中的 access_token 后能够识别特定用户代码
我没有太多要展示的代码,但我会提供我的 Auth Service
中所能提供的SecurityConfiguration.java
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Value("${auth0.audience}")
private String audience;
@Value("${spring.security.oauth2.resourceserver.jwt.issuer-uri}")
private String issuer;
@Override
public void configure(HttpSecurity httpSecurity) throws Exception {
httpSecurity.authorizeRequests()
.mvcMatchers("/api/validate")
.authenticated()
.and()
.oauth2ResourceServer()
.jwt();
}
@Bean
JwtDecoder jwtDecoder() {
NimbusJwtDecoderJwkSupport jwtDecoder = (NimbusJwtDecoderJwkSupport)
JwtDecoders.fromOidcIssuerLocation(issuer);
OAuth2TokenValidator<Jwt> audienceValidator = new AudienceValidator(audience);
OAuth2TokenValidator<Jwt> withIssuer = JwtValidators.createDefaultWithIssuer(issuer);
OAuth2TokenValidator<Jwt> withAudience = new DelegatingOAuth2TokenValidator<>(withIssuer, audienceValidator);
jwtDecoder.setJwtValidator(withAudience);
return jwtDecoder;
}
}
AudienceValidator.java
public class AudienceValidator implements OAuth2TokenValidator<Jwt> {
private final String audience;
public AudienceValidator(String audience) {
this.audience = audience;
}
public OAuth2TokenValidatorResult validate(Jwt jwt) {
OAuth2Error error = new OAuth2Error("invalid_token", "The required audience is missing", null);
if (jwt.getAudience().contains(audience)) {
return OAuth2TokenValidatorResult.success();
}
return OAuth2TokenValidatorResult.failure(error);
}
}
ValidateController.java
@RestController
@RequestMapping("/api/validate")
public class ValidateController {
@GetMapping
public boolean validate() {
return true; // only returns if successfully authed
}
}
【问题讨论】:
标签: java spring spring-boot jwt auth0