What is the purpose of resourceId in OAuth2? Does it play any role in token generation?

Problem description

I am using the password grant flow in OAuth2. Initially I registered a client with resourceId "api" and generated a token. Now, using that token, I can access any resource. Then I registered a new client without any resourceId and generated a token. Using this token I am again allowed to access any resource. So does this mean that one token can access any resource? Or can a token generated for a specific resource only access that specific resource? If so, what am I doing wrong?

// This is the authorization server
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;

@EnableAuthorizationServer
@Configuration
public class OauthConfiguration extends AuthorizationServerConfigurerAdapter {

    private final UserDetailsService userService;
    private final AuthenticationManager authenticationManager;

    @Value("${oauth2.clientId:mobile-app}")
    private String clientId;
    @Value("${oauth2.clientSecret:mobile123}")
    private String clientSecret;
    @Value("${oauth2.accessTokenValiditySeconds:43200}") // 12 hrs
    private int accessTokenValiditySeconds;
    @Value("${oauth2.refreshTokenValiditySeconds:2592000}") // 30 days
    private int refreshTokenValiditySeconds;
    @Value("${oauth2.authorizedGrantTypes:password,authorization_code,refresh_token}")
    private String[] authorizedGrantTypes;

    @Autowired
    private BCryptPasswordEncoder bCryptPasswordEncoder;

    public OauthConfiguration(UserDetailsService userService, AuthenticationManager authenticationManager) {
        this.userService = userService;
        this.authenticationManager = authenticationManager;
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
        // /oauth/check_token may only be called by an authenticated caller
        security.checkTokenAccess("isAuthenticated()");
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        // Single in-memory client; resourceIds("api") is the set of resource servers
        // that tokens issued to this client are valid for.
        clients.inMemory()
                .withClient(clientId)
                .secret(bCryptPasswordEncoder.encode(clientSecret))
                .accessTokenValiditySeconds(accessTokenValiditySeconds)
                .refreshTokenValiditySeconds(refreshTokenValiditySeconds)
                .authorizedGrantTypes(authorizedGrantTypes)
                .scopes("read", "write")
                .resourceIds("api");
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        // The password grant needs an AuthenticationManager and a UserDetailsService
        endpoints.accessTokenConverter(accessTokenConverter())
                .userDetailsService(userService)
                .authenticationManager(authenticationManager);
    }

    @Bean
    public JwtAccessTokenConverter accessTokenConverter() {
        // Tokens are self-contained JWTs (no signing key configured here)
        return new JwtAccessTokenConverter();
    }
}

**And this is the resource server**

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;

@EnableResourceServer
@Configuration
public class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
        // The id that incoming tokens are checked against
        resources.resourceId("api");
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .antMatcher("/api/**")
                .authorizeRequests()
                // The more specific matcher must come first: once "/api/**" has matched,
                // later matchers are never consulted, so "/api/signin/**" would not be open.
                .antMatchers("/api/signin/**").permitAll()
                .antMatchers("/api/**").authenticated()
                .anyRequest().authenticated();
    }
}
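The behaviour described in the question follows from how the resource server compares a token's resource ids with its own `resourceId`. The following is an added illustration, not code from the question or from Spring: it re-implements, with plain Java collections, the rule that Spring Security OAuth2's `OAuth2AuthenticationManager` applies, namely that access is denied only when the resource server has a `resourceId`, the token carries a non-empty set of resource ids, and that set does not contain the server's id. A client registered without `resourceIds` therefore issues tokens with an empty set, and an empty set is treated as "not restricted to any resource", which is why the second token was accepted everywhere. The `IssuedToken` class, the `issueToken` and `resourceServerAccepts` helpers, and the client and server names ("second-client", "billing") are hypothetical.

```java
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

// Added illustration, not code from the question. It models the resource-id rule
// a Spring Security OAuth2 resource server applies to an incoming access token.
public class ResourceIdCheckDemo {

    // Hypothetical stand-in for the part of an access token that matters here: the
    // resource ids the issuing client was registered with (for a JWT, the "aud" claim).
    static final class IssuedToken {
        final String clientId;
        final Set<String> resourceIds;

        IssuedToken(String clientId, Set<String> resourceIds) {
            this.clientId = clientId;
            this.resourceIds = resourceIds;
        }
    }

    // Issuing a token copies the client's registered resourceIds into the token.
    // A client registered with no resourceIds yields a token with an empty set.
    static IssuedToken issueToken(String clientId, Set<String> clientResourceIds) {
        return new IssuedToken(clientId, new HashSet<>(clientResourceIds));
    }

    // Resource server rule: deny only when the server has a resourceId, the token
    // carries a non-empty resource id set, and that set lacks the server's id.
    static boolean resourceServerAccepts(String serverResourceId, IssuedToken token) {
        if (serverResourceId == null) {
            return true; // server has no id configured: nothing to compare against
        }
        if (token.resourceIds == null || token.resourceIds.isEmpty()) {
            return true; // token not restricted to any resource: accepted everywhere
        }
        return token.resourceIds.contains(serverResourceId);
    }

    public static void main(String[] args) {
        // Two clients, mirroring the question: one registered with resourceIds("api"),
        // one registered without any resourceIds.
        IssuedToken apiToken = issueToken("mobile-app", Collections.singleton("api"));
        IssuedToken unrestrictedToken = issueToken("second-client", Collections.emptySet());

        // Resource server configured with resources.resourceId("api"), as in the question.
        report("api", apiToken);            // accepted: token lists "api"
        report("api", unrestrictedToken);   // accepted: empty set means unrestricted

        // A second, hypothetical resource server with a different id shows the restriction bite.
        report("billing", apiToken);          // rejected: token was issued for "api" only
        report("billing", unrestrictedToken); // accepted: still unrestricted
    }

    private static void report(String serverResourceId, IssuedToken token) {
        System.out.printf("resource server '%s', token of client '%s' (ids=%s) -> %s%n",
                serverResourceId, token.clientId, token.resourceIds,
                resourceServerAccepts(serverResourceId, token) ? "accepted" : "rejected");
    }
}
```

The practical consequence for the configuration in the question: `resourceIds` is a per-client allow-list kept on the authorization server, and `resources.resourceId("api")` is the value it is compared against. Registering the second client without `resourceIds` did not produce a token for "no resource"; it produced a token for every resource. To confine tokens to one resource server, every client that may obtain tokens has to be registered with an explicit `resourceIds` list, and each resource server has to set a distinct `resourceId`.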

Solution

No working solution to this problem has been found yet; the editor is still looking for one.
