我使用 SpringBoot 2.1.7 和 Okta 提供身份验证服务开发了一个基本的 oauth/oidc 示例。这是我的 Gradle 依赖设置供参考:
plugins {
id 'org.springframework.boot' version '2.1.7.RELEASE'
id 'java'
}
apply plugin: 'io.spring.dependency-management'
sourceCompatibility = '1.8'
configurations {
developmentOnly
runtimeClasspath {
extendsFrom developmentOnly
}
}
repositories {
mavenCentral()
}
dependencies {
implementation 'org.springframework.boot:spring-boot-starter-data-jpa'
implementation 'org.springframework.boot:spring-boot-starter-oauth2-client'
implementation 'org.springframework.boot:spring-boot-starter-security'
implementation 'org.springframework.boot:spring-boot-starter-thymeleaf'
implementation 'org.springframework.boot:spring-boot-starter-web'
implementation 'com.okta.spring:okta-spring-boot-starter:1.2.1'
developmentOnly 'org.springframework.boot:spring-boot-devtools'
runtimeOnly 'com.h2database:h2'
testImplementation 'org.springframework.boot:spring-boot-starter-test'
testImplementation 'org.springframework.security:spring-security-test'
}
Okta 端的所有元素均已正确配置,并且该示例按预期工作。这里几乎是一个“hello world”类型的演示。我想添加一个自定义身份验证提供程序,该提供程序在 Spring 提供的所有其他 AuthenticationProvider 之后执行。我已经使用调试器单步调试了代码,并注意到 Spring 自动配置了几个 AuthenticationProvider。他们是:
- 匿名身份验证提供者
- OAuth2LoginAuthenticationProvider
- OidcAuthorizationCodeAuthenticationProvider
- OAuth2AuthorizationCodeAuthenticationProvider
- Jwt身份验证提供者
我希望将我的身份验证提供商置于第六位。我尝试了以下 WebSecurityConfig,即使配置(AuthenticationManagerBuilder authBuilder)方法触发,它也不起作用:
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter
{
@Autowired
private CustomAuthenticationProvider customAuthenticationProvider;
@Override
protected void configure(HttpSecurity http) throws Exception
{
http.authorizeRequests()
.anyRequest().authenticated()
.and()
.oauth2Login()
.successHandler(customOauthLoginSuccessHandler())
.failureHandler(customOauthLoginFailureHandler())
.and()
.oauth2Client();
http.csrf().disable();
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(customAuthenticationProvider);
}
@Bean
public CustomOauthLoginSuccessHandler customOauthLoginSuccessHandler()
{
CustomOauthLoginSuccessHandler handler = new CustomOauthLoginSuccessHandler();
return handler;
}
@Bean
public CustomOauthLoginFailureHandler customOauthLoginFailureHandler()
{
CustomOauthLoginFailureHandler handler = new CustomOauthLoginFailureHandler();
handler.setUseForward(true);
handler.setDefaultFailureUrl("/oautherror");
return handler;
}
}
我的身份验证提供程序永远不会执行。这是我的自定义 AP:
@Component
public class CustomAuthenticationProvider implements AuthenticationProvider
{
private Logger logger = LoggerFactory.getLogger(CustomAuthenticationProvider.class);
private CustomOidcUserService customOidcUserService;
public CustomAuthenticationProvider(CustomOidcUserService customOidcUserService)
{
this.customOidcUserService = customOidcUserService;
}
@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException
{
logger.info("CustomAuthenticationProvider executing...");
Object user = authentication.getPrincipal();
if (user instanceof DefaultOidcUser)
{
logger.info("principal is instanceof DefaultOidcUser");
DefaultOidcUser authToken = (DefaultOidcUser) user;
this.customOidcUserService.loadUserByUsername(authToken.getClaims().get("preferred_username").toString());
// add additional info to the Authentication object
}
return authentication;
}
@Override
public boolean supports(Class<?> authentication)
{
return OAuth2LoginAuthenticationToken.class.isAssignableFrom(authentication);
}
}
我的主要目标是添加有关来自旧 Oracle 数据库的经过身份验证的用户的附加信息。无法将此附加信息添加到 Okta 端(在云中)。
请注意,我能够轻松地将成功和失败处理程序添加到身份验证路径中。我觉得 SpringBoot 自动配置的固有特性可能会妨碍我。只需要知道如何解决这个问题。
附加信息,yml 文件:
okta:
oauth2:
issuer: https://myhost.okta.com/oauth2/default
client-id: 123456AAABBBCCC
client-secret: AAAAAAAAABBBBBBBBBBB
