Problem description
I am currently looking at implementing an API gateway with Spring Cloud Gateway. There will be some React clients of the API as well as some devices. The devices will use the OAuth device_code grant to obtain access. The API gateway will pass the JWT on to the backend resource API server, which will validate the request. I followed the example below, which seems to cover what I am doing.
https://spring.io/blog/2019/08/16/securing-services-with-spring-cloud-gateway In that example I also swapped the IdP for WSO2.
I obtained a bearer token from the IdP with curl in order to test with an opaque token.
curl -u OzVconnyapPW2yWzxrSebCKmY9Qa:5cBcZmnnaW5gGOW3qt9sumw4Ubka -k -d "grant_type=password&username=admin&password=admin" -H "Content-Type:application/x-www-form-urlencoded" https://localhost:9443/oauth2/token
An access token was returned.
curl -k http://springboot.example.com:8080/ -H "Authorization: Bearer 123b546d-f35b-38b8-a2c8-4e0d4487329d"
But this tries to redirect me to the login page.
How do I get Spring Cloud API Gateway to handle requests that have an Authorization: Bearer xxxx header added?
Am I using the correct "opaque token" (i.e. is an authorization token the correct way to do this)?
If the Authorization header is set, is it possible to bypass the oauth2 client and trigger the resource server instead?
API gateway application:
package com.scg.gateway;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.cloud.gateway.route.RouteLocator;
import org.springframework.cloud.gateway.route.builder.RouteLocatorBuilder;
import org.springframework.cloud.security.oauth2.gateway.TokenRelayGatewayFilterFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.annotation.RegisteredOAuth2AuthorizedClient;
import org.springframework.security.oauth2.core.user.OAuth2User;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;

@Controller
@SpringBootApplication
public class GatewayApplication {

    @Autowired
    private TokenRelayGatewayFilterFactory filterFactory;

    @Bean
    public RouteLocator customRouteLocator(RouteLocatorBuilder builder) {
        return builder.routes()
                .route("resource", r -> r.path("/resource")
                        .filters(f -> f.filters(filterFactory.apply())
                                .removeRequestHeader("Cookie")) // Prevents cookie being sent downstream
                        .uri("http://springboot.example.com:9000")) // Taking advantage of docker naming
                .build();
    }

    @GetMapping("/")
    public String index(Model model,
                        @RegisteredOAuth2AuthorizedClient OAuth2AuthorizedClient authorizedClient,
                        @AuthenticationPrincipal OAuth2User oauth2User) {
        model.addAttribute("userName", oauth2User.getName());
        model.addAttribute("clientName", authorizedClient.getClientRegistration().getClientName());
        model.addAttribute("userAttributes", oauth2User.getAttributes());
        return "index";
    }

    public static void main(String[] args) {
        SpringApplication.run(GatewayApplication.class, args);
    }
}
API gateway YAML:
server:
  port: 8080
logging:
  level:
    root: INFO
    org.springframework.web: INFO
    org.springframework.web.HttpLogging: DEBUG
    org.springframework.security: DEBUG
    org.springframework.security.oauth2: DEBUG
    org.springframework.cloud.gateway: DEBUG
spring:
  autoconfigure:
    # TODO: remove when fixed https://github.com/spring-projects/spring-security/issues/6314
    exclude: org.springframework.boot.actuate.autoconfigure.security.reactive.ReactiveManagementWebSecurityAutoConfiguration
  thymeleaf:
    cache: false
  security:
    oauth2:
      client:
        registration:
          gateway:
            provider: wso2
            client-id: OzVconnyapPW2yWzxrSebCKmY9Qa
            client-secret: 5cBcZmnnaW5gGOW3qt9sumw4Ubka
            authorization-grant-type: authorization_code
            redirect-uri-template: "{baseUrl}/login/oauth2/code/wso2"
            scope: openid,profile,email,resource.read
        provider:
          wso2:
            authorization-uri: http://idp.example.com:9763/oauth2/authorize
            token-uri: http://idp.example.com:9763/oauth2/token
            user-info-uri: http://idp.example.com:9763/oauth2/userinfo
            user-name-attribute: sub
            jwk-set-uri: http://idp.example.com:9763/oauth2/jwks
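One way to make the gateway accept a request that already carries an Authorization: Bearer header while still sending browser users through the login flow, as an added example that is not part of the question or of the Spring blog sample: a WebFlux SecurityWebFilterChain that enables both oauth2Login and oauth2ResourceServer with opaque-token introspection. The introspection URI and the credentials used to call it are assumed placeholders and must be replaced with the IdP's real values.

```java
package com.scg.gateway;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;

@Configuration
@EnableWebFluxSecurity
public class GatewaySecurityConfig {

    // Assumed placeholders (not from the question): the IdP's RFC 7662 introspection
    // endpoint and the credentials the IdP accepts for introspection calls.
    private static final String INTROSPECTION_URI =
            "https://idp.example.com:9443/oauth2/introspect";
    private static final String INTROSPECTION_CLIENT_ID = "<introspection-client-id>";
    private static final String INTROSPECTION_CLIENT_SECRET = "<introspection-client-secret>";

    @Bean
    public SecurityWebFilterChain gatewaySecurityFilterChain(ServerHttpSecurity http) {
        http
            // Every exchange through the gateway needs an authenticated caller.
            .authorizeExchange(exchanges -> exchanges.anyExchange().authenticated())
            // Browser users without a session go through the authorization_code flow
            // of the "gateway" registration in application.yml.
            .oauth2Login(Customizer.withDefaults())
            // Keeps the authorized-client support that the route's TokenRelay filter uses.
            .oauth2Client(Customizer.withDefaults())
            // Callers presenting "Authorization: Bearer <token>" are handled as a
            // resource server instead: the opaque token is checked by introspection,
            // and an invalid or expired bearer token gets a 401 with a
            // WWW-Authenticate header rather than a redirect to the login page.
            // If the IdP issues JWTs, .jwt(jwt -> jwt.jwkSetUri(...)) replaces this.
            .oauth2ResourceServer(rs -> rs
                .opaqueToken(opaque -> opaque
                    .introspectionUri(INTROSPECTION_URI)
                    .introspectionClientCredentials(
                            INTROSPECTION_CLIENT_ID, INTROSPECTION_CLIENT_SECRET)));
        return http.build();
    }
}
```

Handlers that declare @RegisteredOAuth2AuthorizedClient, like the index() method above, still require an authorized client and will send a bearer-only caller to the authorization endpoint, so the /resource route is the one this chain is aimed at. The TokenRelay filter only substitutes a token for sessions backed by an OAuth2AuthorizedClient; a request authenticated by its own bearer token is forwarded with that header intact.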