We are currently using the Spring OAuth authorization server, but we do not currently use the "scope" parameter from the OAuth specification. This is a bit painful, because the Spring OAuth authorization server requires scopes to be requested explicitly when requesting an authorization code. The Spring OAuth authorization server requires scopes; from DefaultOAuth2RequestValidator:
    if (requestScopes.isEmpty()) {
        throw new InvalidScopeException("Empty scope (either the client or the user is not allowed the requested scopes)");
    }
However, this directly contradicts the OAuth 2.0 specification:

    4.1.1. Authorization Request

    The client constructs the request URI by adding the following parameters to the query component of the authorization endpoint URI using the "application/x-www-form-urlencoded" format, per Appendix B:

    response_type
        REQUIRED. Value MUST be set to "code".
    client_id
        REQUIRED. The client identifier as described in Section 2.2.
    redirect_uri
        OPTIONAL. As described in Section 3.1.2.
    scope
        OPTIONAL. The scope of the access request as described by Section 3.3.
    state
        RECOMMENDED. An opaque value used by the client to maintain state between the request and callback. The authorization server includes this value when redirecting the user-agent back to the client. The parameter SHOULD be used for preventing cross-site request forgery as described in Section 10.12.
Is there a specific reason the Spring authorization server does this? I know I can substitute my own validator, but I am curious why this is the default, in case I am missing something in my understanding, rather than it being done for legacy reasons.

Thanks.

EDIT

For those looking for an alternative implementation that follows the specification above, here is mine. It only requires requested scopes if the client is restricted to certain scopes, and the requested scopes must then be in the list of scopes assigned to the client. If the client has no scopes specified, this implementation assumes any scope is allowed (the same assumption as for resources). Still not sure about this or whether it is actually correct. If not, please let me know.
    import java.util.Set;

    import org.apache.commons.collections.CollectionUtils;
    import org.springframework.security.oauth2.common.exceptions.InvalidScopeException;
    import org.springframework.security.oauth2.provider.AuthorizationRequest;
    import org.springframework.security.oauth2.provider.ClientDetails;
    import org.springframework.security.oauth2.provider.TokenRequest;

    /**
     * Replacement for DefaultOAuth2RequestValidator: scopes are only mandatory
     * when the client has been registered with a restricted scope list.
     */
    public class OAuth2RequestValidator
            implements org.springframework.security.oauth2.provider.OAuth2RequestValidator {

        @Override
        public void validateScope(final AuthorizationRequest authorizationRequest,
                                  final ClientDetails client)
                throws InvalidScopeException {
            this.validateScope(authorizationRequest.getScope(), client.getScope());
        }

        @Override
        public void validateScope(final TokenRequest tokenRequest, final ClientDetails client)
                throws InvalidScopeException {
            this.validateScope(tokenRequest.getScope(), client.getScope());
        }

        private void validateScope(final Set<String> requestScopes,
                                   final Set<String> clientScopes) {
            // Only clients registered with explicit scopes are restricted;
            // a client with no scopes configured may request anything.
            if (!CollectionUtils.isEmpty(clientScopes)) {
                if (CollectionUtils.isEmpty(requestScopes)) {
                    throw new InvalidScopeException(
                            "Empty scope (either the client or the user is "
                            + "not allowed the requested scopes)");
                }
                // Every requested scope must be one the client is allowed.
                for (final String scope : requestScopes) {
                    if (!clientScopes.contains(scope)) {
                        throw new InvalidScopeException("Invalid scope: " + scope, clientScopes);
                    }
                }
            }
        }
    }
This appears to have already been reported as a bug, but without any response. https://github.com/spring-projects/spring-security-oauth/issues/775 – loesak
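To make the policy difference concrete, the following is an added example (not code from the question, the comment, or the Spring project) that models three scope-validation policies side by side in Python: the unconditional empty-scope rejection quoted from DefaultOAuth2RequestValidator layered on the subset rule the posted validator keeps ("strict"; whether this matches every branch of Spring's real validator is an assumption), the posted replacement that only demands a scope from restricted clients ("lenient"), and the alternative RFC 6749 section 3.3 permits when scope is omitted, namely processing the request with a pre-defined default, taken here to be the client's registered scopes ("default"). The policy names, the `InvalidScopeError` stand-in, and the sample clients and requests are all constructed for this illustration.

```python
"""Constructed model of three OAuth 2.0 scope-validation policies (added example)."""
from typing import Dict, FrozenSet, Iterable, Tuple


class InvalidScopeError(ValueError):
    """Stand-in for Spring's InvalidScopeException (OAuth error=invalid_scope)."""

    def __init__(self, message: str, valid_scopes: Iterable[str] = ()) -> None:
        super().__init__(message)
        self.valid_scopes = frozenset(valid_scopes)


def _check_subset(request_scopes: FrozenSet[str], client_scopes: FrozenSet[str]) -> None:
    # Shared by every policy: a client registered with a scope list may only be
    # granted scopes from that list (the loop in the posted validator).
    if client_scopes:
        for scope in sorted(request_scopes):
            if scope not in client_scopes:
                raise InvalidScopeError(f"Invalid scope: {scope}", client_scopes)


def validate_strict(request_scopes: Iterable[str], client_scopes: Iterable[str]) -> FrozenSet[str]:
    """Quoted Spring default: an empty requested scope set is rejected unconditionally."""
    request, client = frozenset(request_scopes), frozenset(client_scopes)
    _check_subset(request, client)
    if not request:
        raise InvalidScopeError(
            "Empty scope (either the client or the user is not allowed the requested scopes)")
    return request


def validate_lenient(request_scopes: Iterable[str], client_scopes: Iterable[str]) -> FrozenSet[str]:
    """Posted replacement: a scope is required only when the client is restricted."""
    request, client = frozenset(request_scopes), frozenset(client_scopes)
    if client:
        if not request:
            raise InvalidScopeError(
                "Empty scope (either the client or the user is not allowed the requested scopes)",
                client)
        _check_subset(request, client)
    return request


def validate_with_default(request_scopes: Iterable[str], client_scopes: Iterable[str]) -> FrozenSet[str]:
    """RFC 6749 s.3.3 option: omitted scope -> pre-defined default (here the client's
    registered scopes), then the strict rule applies to the effective scope set."""
    request, client = frozenset(request_scopes), frozenset(client_scopes)
    effective = request or client
    return validate_strict(effective, client)


POLICIES = {"strict": validate_strict, "lenient": validate_lenient, "default": validate_with_default}

# Constructed sample cases: (scopes requested, scopes registered for the client).
CASES = {
    "subset_of_restricted": ({"read"}, {"read", "write"}),
    "omitted_on_restricted": (set(), {"read", "write"}),
    "outside_restricted": ({"admin"}, {"read"}),
    "any_on_unrestricted": ({"admin"}, set()),
    "omitted_on_unrestricted": (set(), set()),
}


def evaluate(policy: str, case: str) -> str:
    """Run one policy over one case and describe the outcome as a short string."""
    request_scopes, client_scopes = CASES[case]
    try:
        granted = POLICIES[policy](request_scopes, client_scopes)
    except InvalidScopeError as exc:
        # Keep only the message head, e.g. "Empty scope" or "Invalid scope: admin".
        return "invalid_scope: " + str(exc).split(" (")[0]
    return "granted " + (" ".join(sorted(granted)) or "<none>")


def matrix() -> Dict[Tuple[str, str], str]:
    """Outcome of every policy on every constructed case."""
    return {(policy, case): evaluate(policy, case) for policy in POLICIES for case in CASES}


if __name__ == "__main__":
    for (policy, case), outcome in matrix().items():
        print(f"{policy:8} {case:24} -> {outcome}")
```

Two rows of the matrix are the ones to look at before adopting the lenient policy: an unrestricted client (no registered scopes) is granted whatever it asks for, and an unrestricted client that omits scope receives a token with no scope at all, so the resource servers' own scope checks become the only control. Registering an explicit scope list for every client, or resolving an omitted scope to that list as the "default" policy does, keeps the authorization server the place where the decision is made.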