Oauth2.0基于Spring Authorization Server模块private_key_jwt模式

介绍

处理oauth2.0请求授权client授权模式, 使用授权服务器对客户端进行身份验证时使用的身份验证方法

• client_secret_basic
• client_secret_post
• client_secret_jwt
• private_key_jwt
• none

序号	授权服务器对客户端进行身份验证时使用的身份验证方法	说明
3	private_key_jwt	JwtClientAssertionAuthenticationConverter

基于项目：Spring Authorization Server

1. maven项目依赖

spring-authorization-server v0.2.2

2. 生成clientId/clientSecurity授权记录

新增客户端授权记录(oauth2_registered_client), 配置jwt属性ClientSettings

void savePriKeyJwt() {
    String id = UUID.randomUUID().toString().replaceAll("-", "");
    String jwkSetUri = "http://127.0.0.1:9000/uc/resources";

    TokenSettings tokenSettings = TokenSettings.builder()
        .reuseRefreshTokens(true)
        .refreshTokenTimeToLive(Duration.ofDays(7))
        .accessTokenTimeToLive(Duration.ofHours(8))
        .idTokenSignatureAlgorithm(SignatureAlgorithm.RS256)
        .reuseRefreshTokens(false)
        .build();

    ClientSettings clientSettings = ClientSettings.builder()
        .tokenEndpointAuthenticationSigningAlgorithm(SignatureAlgorithm.RS256)
        .jwkSetUrl(jwkSetUri)
        .build();

    RegisteredClient client = RegisteredClient.withId(id)
        .clientId("8000000015")
        .clientIdIssuedAt(Instant.now())
        .clientSecret("")
        .clientSecretExpiresAt(Instant.now().plus(Period.ofDays(20)))
        .clientName("Client credentials private_key_jwt有限公司")
        .clientAuthenticationMethod(ClientAuthenticationMethod.PRIVATE_KEY_JWT)
        .authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
        .authorizationGrantType(AuthorizationGrantType.REFRESH_TOKEN)
        .scope("server")
        .tokenSettings(tokenSettings)
        .clientSettings(clientSettings)
        .build();
    registeredClientRepository.save(client);

    log.info("===>{}", JsonUtils.toJsonString(client));
  }

3. 生成客户端clientSecurity JWT值

// 先产生公私钥对
  void generateJwk() throws Exception {
    String keyId = "8000000015";
    KeyPair keyPair = keyPair();

    JWK jwk = new RSAKey.Builder((RSAPublicKey) keyPair.getPublic())
        .privateKey((RSAPrivateKey) keyPair.getPrivate())
        .keyUse(KeyUse.SIGNATURE)
        .keyID(keyId)
        .algorithm(JWSAlgorithm.RS256)
        .build();

    log.info("===>jwk: {}", jwk.toJSONString());
    writePemFile(jwk.toRSAKey().toPrivateKey(), "RSA PRIVATE KEY", "id_rsa");
  }

// 生成8000000015机构下jwt client 授权token
void priKeyJwt() throws Exception {
    String clientId = "8000000015";
    String jwkSetUri = "http://127.0.0.1:9000/uc/resources";

    RSAPrivateKey privateKey = PemFile.readPrivateKey(PemFile.dir + "id_rsa");
    JWSSigner signer = new RSASSASigner(privateKey);
    JWTClaimsSet claimsSet = new JWTClaimsSet.Builder()
        .subject(clientId)
        .issuer(clientId)
        .claim("username", "19000000000")
        .claim("password", "abc@123")
        .audience("http://auth-server:9000")
        .expirationTime(new Date(new Date().getTime() + 60 * 60 * 60 * 1000))
        .build();

    JWSHeader header = new JWSHeader.Builder(JWSAlgorithm.RS256)
        .keyID(clientId)
        .build();

    SignedJWT signedJWT = new SignedJWT(header, claimsSet);
    signedJWT.sign(signer);

    String token = signedJWT.serialize();
    log.info("===>token: {}", token);
  }

4. 基于client_credentials/client_secret_jwt授权模式测试数据

序号	Http请求Query params	参数值
1	scope	域
2	grant_type	授权类型：client_credentials
3	client_assertion_type	jwt type: urn:ietf:params:oauth:client-assertion-type:jwt-bearer
4	client_assertion	基于密钥生成token 值
5	client_id	8000000015

## 基于Authorization private_key_jwt(公私钥)请求
curl --location --request POST 'http://127.0.0.1:9000/uc/oauth2/token?scope=server&grant_type=client_credentials&client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&client_assertion=eyJraWQiOiI4MDAwMDAwMDE1IiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiI4MDAwMDAwMDE1IiwiYXVkIjoiaHR0cDpcL1wvYXV0aC1zZXJ2ZXI6OTAwMCIsInBhc3N3b3JkIjoiYWJjQDEyMyIsImlzcyI6IjgwMDAwMDAwMTUiLCJleHAiOjE2NDc3ODM5NjIsInVzZXJuYW1lIjoiMTkwMDAwMDAwMDAifQ.O8C_8BRZDceymuFZV_TPs5smTO4X8FPavYx9i-6kyVP-Q-dz-NA4t2Dp1MDe-x0HsNuSuQbdEXX_Cg_mzPfuXr6xcSMdZdiiItPTuYm4WUxzZJ-EtcpmsfvHbnlwP9WDRZg7C873Tu0nflCblpIG5W4lN1SVXnv5Vsqft0Fl9y0M_AWWeRwbQa3xDZp1hoQTz5moK3Z8tTcz8usk3vwBoGUmj1lEjBvgenXfP4bwXw1jFxhCERCFJgWwYnbpSFzzIsBqMmHo4pr9fLvoaA4HxAcvFWkozptYSv18hJa-JpJTDed3phNzAstsME9sPqGFNaPuo3yCfUWzkS7tGaSCQA&client_id=8000000015' \
--header 'Cookie: JSESSIONID=6F5102DA9F8CE3FCA95E7D899FC5BBAB'

5.项目完整地址

Oauth2.0基于Spring Authorization Server private_key_jwt模式 Github 地址

Oauth2.0基于Spring Authorization Server模块private_key_jwt模式 Gitee 地址