{"id":1424,"date":"2023-03-20T21:51:39","date_gmt":"2023-03-20T13:51:39","guid":{"rendered":"https:\/\/www.appblog.cn\/?p=1424"},"modified":"2023-04-28T21:03:54","modified_gmt":"2023-04-28T13:03:54","slug":"detailed-explanation-of-scope-configuration-for-spring-security-oauth2","status":"publish","type":"post","link":"https:\/\/www.appblog.cn\/index.php\/2023\/03\/20\/detailed-explanation-of-scope-configuration-for-spring-security-oauth2\/","title":{"rendered":"Spring Security OAuth2\u4e4bscopes\u914d\u7f6e\u8be6\u89e3"},"content":{"rendered":"<h2>\u5b98\u65b9\u6587\u6863\u8bf4\u660e<\/h2>\n<p>\u5730\u5740\uff1a<a target=\"_blank\" rel=\"noopener\" href=\"https:\/\/projects.spring.io\/spring-security-oauth\/docs\/oauth2.html\">https:\/\/projects.spring.io\/spring-security-oauth\/docs\/oauth2.html<\/a><\/p>\n<p>scope: The scope to which the client is limited. If scope is undefined or empty (the default) the client is not limited by scope.<\/p>\n<p><!-- more --><\/p>\n<ul>\n<li>\u7528\u6765\u9650\u5236\u5ba2\u6237\u7aef\u7684\u8bbf\u95ee\u8303\u56f4\uff0c\u5982\u679c\u4e3a\u7a7a\uff08\u9ed8\u8ba4\uff09\u7684\u8bdd\uff0c\u90a3\u4e48\u5ba2\u6237\u7aef\u62e5\u6709\u5168\u90e8\u7684\u8bbf\u95ee\u8303\u56f4<\/li>\n<li>scope\u4e2d\u6587\u7ffb\u8bd1\u5c31\u662f\u4f5c\u7528\u57df\uff0c\u7528\u6765\u9650\u5236\u5ba2\u6237\u7aef\u6743\u9650\u8bbf\u95ee\u7684\u8303\u56f4\uff0c\u53ef\u4ee5\u7528\u6765\u8bbe\u7f6e\u89d2\u8272\u6216\u8005\u6743\u9650\uff0c\u4e5f\u53ef\u4ee5\u4e0d\u8bbe\u7f6e<\/li>\n<\/ul>\n<blockquote>\n<p>\u867d\u7136\u5b98\u65b9\u7f51\u7ad9\u8bf4\u662f\u670d\u52a1\u5668\u7aef\u7684client\u914d\u7f6escopes\u53ef\u4ee5\u4e3a\u7a7a\uff0c\u4f46\u662f\u7ecf\u8fc7\u5b9e\u9645\u64cd\u4f5c\u53ca\u8ddf\u8e2a\u6e90\u7801\u6765\u770bpassword\u6a21\u5f0f\u4e0b\u8c03\u7528<code>\/oauth\/token<\/code>\u7aef\u70b9\u62ff\u7528\u6237token\u4fe1\u606f\u670d\u52a1\u7aef\u53ef\u4ee5\u4e3a\u7a7a\uff0c<br \/>\n\u4f46\u662f\u5ba2\u6237\u7aef\u5fc5\u987b\u4f20<code>scopes<\/code>\uff1brefresh_token\u6a21\u5f0f\u670d\u52a1\u7aef\u53caclient\u7aef\u7684scopes\u90fd\u9700\u8981\u914d\u7f6e\uff0c\u6240\u4ee5\u5373\u4f7f\u6211\u4eec\u7528\u4e0d\u5230scopes\u524d\u540e\u7aef\u6700\u597d\u90fd\u914d\u7f6e\u4e0a<code>scopes(&quot;all&quot;);<\/code><\/p>\n<\/blockquote>\n<p>\u8d44\u6599\u4fe1\u606f\uff1a<a target=\"_blank\" rel=\"noopener\" href=\"https:\/\/stackoverflow.com\/questions\/39756748\/spring-oauth-authorization-server-requires-scope\">https:\/\/stackoverflow.com\/questions\/39756748\/spring-oauth-authorization-server-requires-scope<\/a><\/p>\n<h2>scopes\u7684\u6821\u9a8c\u662f\u5728TokenEndpoint\u8fdb\u884c\u7684<\/h2>\n<pre><code class=\"language-java\">@RequestMapping(\n    value = {&quot;\/oauth\/token&quot;},\n    method = {RequestMethod.POST}\n)\npublic ResponseEntity&lt;OAuth2AccessToken&gt; postAccessToken(Principal principal, @RequestParam Map&lt;String, String&gt; parameters) throws HttpRequestMethodNotSupportedException {\n    if (!(principal instanceof Authentication)) {\n        throw new InsufficientAuthenticationException(&quot;There is no client authentication. Try adding an appropriate authentication filter.&quot;);\n    } else {\n        String clientId = this.getClientId(principal);\n        ClientDetails authenticatedClient = this.getClientDetailsService().loadClientByClientId(clientId);\n        \/\/OAuth2RequestFactory\u63a5\u53e3\u7684\u5b9e\u73b0\u7c7bDefaultOAuth2RequestFactory\u521b\u5efatoken\u8bf7\u6c42\u5bf9\u8c61\n        TokenRequest tokenRequest = this.getOAuth2RequestFactory().createTokenRequest(parameters, authenticatedClient);\n        if (clientId != null &amp;&amp; !clientId.equals(&quot;&quot;) &amp;&amp; !clientId.equals(tokenRequest.getClientId())) {\n            throw new InvalidClientException(&quot;Given client ID does not match authenticated client&quot;);\n        } else {\n            \/\/\u6821\u9a8cscope\u5ba2\u6237\u7aef\u548c\u670d\u52a1\u5668\u7aef\u7684\u8bbe\u7f6e\u662f\u5426\u5339\u914d\n            if (authenticatedClient != null) {\n                this.oAuth2RequestValidator.validateScope(tokenRequest, authenticatedClient);\n            }\n\n            if (!StringUtils.hasText(tokenRequest.getGrantType())) {\n                throw new InvalidRequestException(&quot;Missing grant type&quot;);\n            } else if (tokenRequest.getGrantType().equals(&quot;implicit&quot;)) {\n                throw new InvalidGrantException(&quot;Implicit grant type not supported from token endpoint&quot;);\n            } else {\n                if (this.isAuthCodeRequest(parameters) &amp;&amp; !tokenRequest.getScope().isEmpty()) {\n                    this.logger.debug(&quot;Clearing scope of incoming token request&quot;);\n                    tokenRequest.setScope(Collections.emptySet());\n                }\n\n                if (this.isRefreshTokenRequest(parameters)) {\n                    tokenRequest.setScope(OAuth2Utils.parseParameterList((String)parameters.get(&quot;scope&quot;)));\n                }\n\n                OAuth2AccessToken token = this.getTokenGranter().grant(tokenRequest.getGrantType(), tokenRequest);\n                if (token == null) {\n                    throw new UnsupportedGrantTypeException(&quot;Unsupported grant type: &quot; + tokenRequest.getGrantType());\n                } else {\n                    return this.getResponse(token);\n                }\n            }\n        }\n    }\n}<\/code><\/pre>\n<p>\u8fdb\u5165<code>this.oAuth2RequestValidator.validateScope(tokenRequest, authenticatedClient);<\/code>\u67e5\u770b\u5904\u7406\u903b\u8f91<\/p>\n<p><code>oAuth2RequestValidator<\/code>\u5bf9\u8c61\u662f<code>DefaultOAuth2RequestValidator<\/code>\u7684\u5b9e\u4f8b\uff0c\u8fdb\u5165\u770b\u4e0b\u5b9e\u73b0\u903b\u8f91\uff1a<\/p>\n<pre><code class=\"language-java\">\/\/\n\/\/ Source code recreated from a .class file by IntelliJ IDEA\n\/\/ (powered by Fernflower decompiler)\n\/\/\n\npackage org.springframework.security.oauth2.provider.request;\n\nimport java.util.Iterator;\nimport java.util.Set;\nimport org.springframework.security.oauth2.common.exceptions.InvalidScopeException;\nimport org.springframework.security.oauth2.provider.AuthorizationRequest;\nimport org.springframework.security.oauth2.provider.ClientDetails;\nimport org.springframework.security.oauth2.provider.OAuth2RequestValidator;\nimport org.springframework.security.oauth2.provider.TokenRequest;\n\npublic class DefaultOAuth2RequestValidator implements OAuth2RequestValidator {\n    public DefaultOAuth2RequestValidator() {\n    }\n\n    public void validateScope(AuthorizationRequest authorizationRequest, ClientDetails client) throws InvalidScopeException {\n        this.validateScope(authorizationRequest.getScope(), client.getScope());\n    }\n    \/\/\u6821\u9a8c\u5ba2\u6237\u7aefscope\u548c\u670d\u52a1\u7aefscope\u65b9\u6cd5\n    public void validateScope(TokenRequest tokenRequest, ClientDetails client) throws InvalidScopeException {\n        this.validateScope(tokenRequest.getScope(), client.getScope());\n    }\n    \/\/\u5b9e\u9645\u7684\u6821\u9a8c\u65b9\u6cd5\n    private void validateScope(Set&lt;String&gt; requestScopes, Set&lt;String&gt; clientScopes) {\n        \/\/\u5ba2\u6237\u7aefscope\u4e0d\u4e3a\u7a7a\u5e76\u4e14scope\u5728\u670d\u52a1\u7aefscope\u9650\u5236\u8303\u56f4\u4e4b\u5185\u901a\u8fc7\u6821\u9a8c\n        \/\/\u5ba2\u6237\u7aefscope\u4e0d\u4e3a\u7a7a\uff0c\u670d\u52a1\u7aef\u4e3a\u7a7a\u6216\u4e0d\u8bbe\u7f6e\u901a\u8fc7\u6821\u9a8c\n        if (clientScopes != null &amp;&amp; !clientScopes.isEmpty()) {\n            Iterator var3 = requestScopes.iterator();\n\n            while(var3.hasNext()) {\n                String scope = (String)var3.next();\n                if (!clientScopes.contains(scope)) {\n                    throw new InvalidScopeException(&quot;Invalid scope: &quot; + scope, clientScopes);\n                }\n            }\n        }\n        \/\/\u5982\u679c\u5ba2\u6237\u7aef\u7684scope\u4e3a\u7a7a\u5c06\u4f1a\u629b\u51fa\u5f02\u5e38\uff0c\u6240\u4ee5\u5ba2\u6237\u7aef\u4e0d\u53ef\u4ee5\u4e3a\u7a7a\n        if (requestScopes.isEmpty()) {\n            throw new InvalidScopeException(&quot;Empty scope (either the client or the user is not allowed the requested scopes)&quot;);\n        }\n    }\n}<\/code><\/pre>\n<h2>DefaultOAuth2RequestFactory\u5b9e\u73b0\u7c7b\u7ec4\u88c5token\u8bf7\u6c42\u53ca\u6821\u9a8cscopes<\/h2>\n<pre><code class=\"language-java\">\/\/\n\/\/ Source code recreated from a .class file by IntelliJ IDEA\n\/\/ (powered by Fernflower decompiler)\n\/\/\n\npackage org.springframework.security.oauth2.provider.request;\n\nimport java.util.Collection;\nimport java.util.Collections;\nimport java.util.Iterator;\nimport java.util.LinkedHashSet;\nimport java.util.Map;\nimport java.util.Set;\nimport org.springframework.security.core.authority.AuthorityUtils;\nimport org.springframework.security.oauth2.common.exceptions.InvalidClientException;\nimport org.springframework.security.oauth2.common.util.OAuth2Utils;\nimport org.springframework.security.oauth2.provider.AuthorizationRequest;\nimport org.springframework.security.oauth2.provider.ClientDetails;\nimport org.springframework.security.oauth2.provider.ClientDetailsService;\nimport org.springframework.security.oauth2.provider.DefaultSecurityContextAccessor;\nimport org.springframework.security.oauth2.provider.OAuth2Request;\nimport org.springframework.security.oauth2.provider.OAuth2RequestFactory;\nimport org.springframework.security.oauth2.provider.SecurityContextAccessor;\nimport org.springframework.security.oauth2.provider.TokenRequest;\n\npublic class DefaultOAuth2RequestFactory implements OAuth2RequestFactory {\n    private final ClientDetailsService clientDetailsService;\n    private SecurityContextAccessor securityContextAccessor = new DefaultSecurityContextAccessor();\n    private boolean checkUserScopes = false;\n\n    public DefaultOAuth2RequestFactory(ClientDetailsService clientDetailsService) {\n        this.clientDetailsService = clientDetailsService;\n    }\n\n    public void setSecurityContextAccessor(SecurityContextAccessor securityContextAccessor) {\n        this.securityContextAccessor = securityContextAccessor;\n    }\n\n    public void setCheckUserScopes(boolean checkUserScopes) {\n        this.checkUserScopes = checkUserScopes;\n    }\n\n    public AuthorizationRequest createAuthorizationRequest(Map&lt;String, String&gt; authorizationParameters) {\n        String clientId = (String)authorizationParameters.get(&quot;client_id&quot;);\n        String state = (String)authorizationParameters.get(&quot;state&quot;);\n        String redirectUri = (String)authorizationParameters.get(&quot;redirect_uri&quot;);\n        Set&lt;String&gt; responseTypes = OAuth2Utils.parseParameterList((String)authorizationParameters.get(&quot;response_type&quot;));\n        Set&lt;String&gt; scopes = this.extractScopes(authorizationParameters, clientId);\n        AuthorizationRequest request = new AuthorizationRequest(authorizationParameters, Collections.emptyMap(), clientId, scopes, (Set)null, (Collection)null, false, state, redirectUri, responseTypes);\n        ClientDetails clientDetails = this.clientDetailsService.loadClientByClientId(clientId);\n        request.setResourceIdsAndAuthoritiesFromClientDetails(clientDetails);\n        return request;\n    }\n\n    public OAuth2Request createOAuth2Request(AuthorizationRequest request) {\n        return request.createOAuth2Request();\n    }\n    \/\/\u521b\u5efa\u8bf7\u6c42\u5165\u53e3\u7c7b\n    public TokenRequest createTokenRequest(Map&lt;String, String&gt; requestParameters, ClientDetails authenticatedClient) {\n        String clientId = (String)requestParameters.get(&quot;client_id&quot;);\n        if (clientId == null) {\n            clientId = authenticatedClient.getClientId();\n        } else if (!clientId.equals(authenticatedClient.getClientId())) {\n            throw new InvalidClientException(&quot;Given client ID does not match authenticated client&quot;);\n        }\n\n        String grantType = (String)requestParameters.get(&quot;grant_type&quot;);\n        \/\/\u83b7\u53d6\u5ba2\u6237\u7aef\u4f20\u9012\u6216\u8005\u670d\u52a1\u7aef\u7684scope\n        Set&lt;String&gt; scopes = this.extractScopes(requestParameters, clientId);\n        TokenRequest tokenRequest = new TokenRequest(requestParameters, clientId, scopes, grantType);\n        return tokenRequest;\n    }\n\n    public TokenRequest createTokenRequest(AuthorizationRequest authorizationRequest, String grantType) {\n        TokenRequest tokenRequest = new TokenRequest(authorizationRequest.getRequestParameters(), authorizationRequest.getClientId(), authorizationRequest.getScope(), grantType);\n        return tokenRequest;\n    }\n\n    public OAuth2Request createOAuth2Request(ClientDetails client, TokenRequest tokenRequest) {\n        return tokenRequest.createOAuth2Request(client);\n    }\n    \/\/\u5982\u679c\u53c2\u6570\u4e2d\u7684scope\u4e3anull,\u5219\u4ece\u670d\u52a1\u7aef\u914d\u7f6e\u7684scope\u4e2d\u53d6\uff0c\u5e76\u4e14\u6839\u636ethis.checkUserScopes\u7684\u503c\u5224\u65ad\u662f\u5426\u6821\u9a8cscopes\u7684\u6709\u6548\u6027\n    private Set&lt;String&gt; extractScopes(Map&lt;String, String&gt; requestParameters, String clientId) {\n        Set&lt;String&gt; scopes = OAuth2Utils.parseParameterList((String)requestParameters.get(&quot;scope&quot;));\n        ClientDetails clientDetails = this.clientDetailsService.loadClientByClientId(clientId);\n        if (scopes == null || scopes.isEmpty()) {\n            scopes = clientDetails.getScope();\n        }\n\n        if (this.checkUserScopes) {\n            scopes = this.checkUserScopes(scopes, clientDetails);\n        }\n\n        return scopes;\n    }\n\n    private Set&lt;String&gt; checkUserScopes(Set&lt;String&gt; scopes, ClientDetails clientDetails) {\n        if (!this.securityContextAccessor.isUser()) {\n            return scopes;\n        } else {\n            Set&lt;String&gt; result = new LinkedHashSet();\n            Set&lt;String&gt; authorities = AuthorityUtils.authorityListToSet(this.securityContextAccessor.getAuthorities());\n            Iterator var5 = scopes.iterator();\n\n            while(true) {\n                String scope;\n                do {\n                    if (!var5.hasNext()) {\n                        return result;\n                    }\n\n                    scope = (String)var5.next();\n                } while(!authorities.contains(scope) &amp;&amp; !authorities.contains(scope.toUpperCase()) &amp;&amp; !authorities.contains(&quot;ROLE_&quot; + scope.toUpperCase()));\n\n                result.add(scope);\n            }\n        }\n    }\n}<\/code><\/pre>\n<p>\u672c\u6587\u8f6c\u8f7d\u53c2\u8003 <a target=\"_blank\" rel=\"noopener\" href=\"https:\/\/blog.csdn.net\/yaomingyang\/column\/info\/41645\" title=\"\u539f\u6587\">\u539f\u6587<\/a> \u5e76\u52a0\u4ee5\u8c03\u8bd5<\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u5b98\u65b9\u6587\u6863\u8bf4\u660e \u5730\u5740\uff1ahttps:\/\/projects.spring.io\/spring-security-oa [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[354],"tags":[353],"class_list":["post-1424","post","type-post","status-publish","format-standard","hentry","category-spring-security","tag-oauth2"],"_links":{"self":[{"href":"https:\/\/www.appblog.cn\/index.php\/wp-json\/wp\/v2\/posts\/1424","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.appblog.cn\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.appblog.cn\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.appblog.cn\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.appblog.cn\/index.php\/wp-json\/wp\/v2\/comments?post=1424"}],"version-history":[{"count":0,"href":"https:\/\/www.appblog.cn\/index.php\/wp-json\/wp\/v2\/posts\/1424\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.appblog.cn\/index.php\/wp-json\/wp\/v2\/media?parent=1424"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.appblog.cn\/index.php\/wp-json\/wp\/v2\/categories?post=1424"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.appblog.cn\/index.php\/wp-json\/wp\/v2\/tags?post=1424"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}