# Spring Security OAuth2 Scope


## How scope is passed

A request such as http://localhost:8080/oauth/token?grant_type=password&scope=ROLE_CLIENT_ADMIN+Hidelo&client_id=business&client_secret=business&username=user&password=password carries the scope as the scope query parameter. It is parsed by DefaultOAuth2RequestFactory#extractScopes(Map<String, String> requestParameters, String clientId):

```java
// DefaultOAuth2RequestFactory (excerpt)
private Set<String> extractScopes(Map<String, String> requestParameters, String clientId) {
    Set<String> scopes = OAuth2Utils.parseParameterList(requestParameters.get(OAuth2Utils.SCOPE));
    ClientDetails clientDetails = clientDetailsService.loadClientByClientId(clientId);

    if ((scopes == null || scopes.isEmpty())) {
        // If no scopes are specified in the incoming data, use the default values registered with the client
        // (the spec allows us to choose between this option and rejecting the request completely, so we'll take the
        // least obnoxious choice as a default).
        scopes = clientDetails.getScope();
    }

    // Only when the factory's checkUserScopes flag is true are the requested scopes narrowed further
    if (checkUserScopes) {
        scopes = checkUserScopes(scopes, clientDetails);
    }
    return scopes;
}

// OAuth2Utils (excerpt)
public static Set<String> parseParameterList(String values) {
    Set<String> result = new TreeSet<String>();
    if (values != null && values.trim().length() > 0) {
        // the spec says the scope is separated by spaces; the character class also accepts a literal '+'
        String[] tokens = values.split("[\\s+]");
        result.addAll(Arrays.asList(tokens));
    }
    return result;
}
```

## How the Authorization Server handles scope

### checkUserScopes

If checkUserScopes on DefaultOAuth2RequestFactory is set to true, the scope passed to the /oauth/token endpoint is split on the '+' sign and then compared with the scopes configured for the client. Any requested scope that is not among the client's configured scopes is silently dropped from the generated token; if none of the requested scopes match, the request fails with invalid_scope.

For example, with http://localhost:8080/oauth/token?grant_type=password&scope=ROLE_CLIENT_ADMIN+ROLE_CLIENT_ADMIN2&client_id=business&client_secret=business&username=user&password=password, the business client is configured only with ROLE_CLIENT_ADMIN and has no ROLE_CLIENT_ADMIN2 scope. Using the URL above, a token is still issued, but the token's information contains only the ROLE_CLIENT_ADMIN scope:

```json
"oauth2Request": {
    "clientId": "business",
    "scope": [
        "ROLE_CLIENT_ADMIN"
    ],
    "requestParameters": {
        "client_id": "business"
    },
    "resourceIds": [
        "Resource2",
        "Resource1",
        "resource1"
    ],
    "authorities": [],
    "approved": true,
    "refresh": false,
    "redirectUri": null,
    "responseTypes": [],
    "extensions": {},
    "refreshTokenRequest": null,
    "grantType": null
}
```
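To make the parsing and filtering described above concrete, here is an added, self-contained model of the scope pipeline (not code from this article or from the spring-security-oauth project): it applies the same split rule as OAuth2Utils.parseParameterList, the fall-back to the client's registered scopes, the user-role narrowing that checkUserScopes switches on, and the validation step that produces invalid_scope. The client registration and the user's authorities are constructed inline; the matching rule (an authority equal to the scope, its upper-case form, or ROLE_ plus the upper-case form) and the validator behaviour follow the library's DefaultOAuth2RequestFactory and DefaultOAuth2RequestValidator, and should be re-checked against the version you run.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.Set;
import java.util.TreeSet;

// Added example: a stand-alone model of how a requested scope parameter becomes a token scope.
public class ScopeFilterDemo {

    // Constructed client registration: the "business" client owns only ROLE_CLIENT_ADMIN.
    static final Set<String> CLIENT_SCOPES = new TreeSet<>(Arrays.asList("ROLE_CLIENT_ADMIN"));
    // Constructed resource owner: the user holds the ROLE_CLIENT_ADMIN authority only.
    static final Set<String> USER_AUTHORITIES = new HashSet<>(Arrays.asList("ROLE_CLIENT_ADMIN"));

    // Same split rule as OAuth2Utils.parseParameterList: whitespace or a literal '+' separates scopes.
    static Set<String> parseParameterList(String values) {
        Set<String> result = new TreeSet<>();
        if (values != null && values.trim().length() > 0) {
            result.addAll(Arrays.asList(values.split("[\\s+]")));
        }
        return result;
    }

    // Request-factory step: no scope in the request -> the client's registered scopes;
    // checkUserScopes -> keep only scopes the user holds as an authority.
    static Set<String> extractScopes(String scopeParam, boolean checkUserScopes) {
        Set<String> scopes = parseParameterList(scopeParam);
        if (scopes.isEmpty()) {
            scopes = new TreeSet<>(CLIENT_SCOPES);
        }
        if (!checkUserScopes) {
            return scopes;
        }
        Set<String> kept = new LinkedHashSet<>();
        for (String scope : scopes) {
            if (USER_AUTHORITIES.contains(scope)
                    || USER_AUTHORITIES.contains(scope.toUpperCase())
                    || USER_AUTHORITIES.contains("ROLE_" + scope.toUpperCase())) {
                kept.add(scope);
            }
        }
        return kept;
    }

    // Validator step that yields invalid_scope: every remaining scope must belong to the client,
    // and an empty set is rejected outright.
    static Set<String> validate(Set<String> requested) {
        for (String scope : requested) {
            if (!CLIENT_SCOPES.contains(scope)) {
                throw new IllegalArgumentException("invalid_scope: " + scope);
            }
        }
        if (requested.isEmpty()) {
            throw new IllegalArgumentException("invalid_scope: empty scope");
        }
        return requested;
    }

    static void run(String scopeParam, boolean checkUserScopes) {
        try {
            Set<String> granted = validate(extractScopes(scopeParam, checkUserScopes));
            System.out.printf("scope=%-38s checkUserScopes=%-5s -> token scope %s%n",
                    scopeParam, checkUserScopes, granted);
        } catch (IllegalArgumentException e) {
            System.out.printf("scope=%-38s checkUserScopes=%-5s -> %s%n",
                    scopeParam, checkUserScopes, e.getMessage());
        }
    }

    public static void main(String[] args) {
        // The request from the article: one scope the user holds, one the client does not own.
        run("ROLE_CLIENT_ADMIN+ROLE_CLIENT_ADMIN2", true);
        // The same request with user-scope narrowing switched off.
        run("ROLE_CLIENT_ADMIN+ROLE_CLIENT_ADMIN2", false);
        // Only a scope the user does not hold.
        run("ROLE_CLIENT_ADMIN2", true);
        // No scope parameter at all.
        run("", true);
        // The space-separated form from the first request in the article.
        run("ROLE_CLIENT_ADMIN Hidelo", true);
    }
}
```

Running the class shows the two outcomes the article describes (the unknown scope dropped from the token, and invalid_scope when nothing survives) and, in addition, that with checkUserScopes=false the unknown scope is not filtered but reaches the validator, which rejects the whole request; the empty parameter and the space-separated form both resolve to a token scoped to ROLE_CLIENT_ADMIN.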

### Note

The meaning of checkUserScopes differs across the four grant types; the Spring Security OAuth documentation puts it as follows:
It is sometimes useful to limit the scope of tokens not only by the scopes assigned to the client, but also according to the user’s own permissions. If you use a DefaultOAuth2RequestFactory in your AuthorizationEndpoint you can set a flag checkUserScopes=true to restrict permitted scopes to only those that match the user’s roles. You can also inject an OAuth2RequestFactory into the TokenEndpoint but that only works (i.e. with password grants) if you also install a TokenEndpointAuthenticationFilter - you just need to add that filter after the HTTP BasicAuthenticationFilter. Of course, you can also implement your own rules for mapping scopes to roles and install your own version of the OAuth2RequestFactory. The AuthorizationServerEndpointsConfigurer allows you to inject a custom OAuth2RequestFactory so you can use that feature to set up a factory if you use @EnableAuthorizationServer.
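The wiring the documentation describes for the password grant, written out as an added configuration example (not code from the article or from the spring-security-oauth project): a DefaultOAuth2RequestFactory with checkUserScopes=true is injected through AuthorizationServerEndpointsConfigurer, and a TokenEndpointAuthenticationFilter is added so the user is authenticated before the token endpoint applies the check. The client registration mirrors the article's business client and is constructed here; the AuthenticationManager is assumed to be exposed as a bean by the application's web security configuration, and the class name ScopeCheckingAuthorizationServerConfig is arbitrary.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.oauth2.config.annotation.builders.InMemoryClientDetailsServiceBuilder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.ClientDetailsService;
import org.springframework.security.oauth2.provider.endpoint.TokenEndpointAuthenticationFilter;
import org.springframework.security.oauth2.provider.request.DefaultOAuth2RequestFactory;

// Added example: an authorization server whose token endpoint narrows scopes to the user's roles.
@Configuration
@EnableAuthorizationServer
public class ScopeCheckingAuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

    private final AuthenticationManager authenticationManager;
    private final ClientDetailsService clientDetailsService;
    private final DefaultOAuth2RequestFactory requestFactory;

    // Assumption: an AuthenticationManager bean is provided by the web security configuration.
    public ScopeCheckingAuthorizationServerConfig(AuthenticationManager authenticationManager) throws Exception {
        this.authenticationManager = authenticationManager;
        // Constructed client registration matching the article: "business" owns only ROLE_CLIENT_ADMIN.
        this.clientDetailsService = new InMemoryClientDetailsServiceBuilder()
                .withClient("business")
                    .secret("{noop}business")          // Spring Security 5 prefix for a plain-text secret
                    .authorizedGrantTypes("password")
                    .scopes("ROLE_CLIENT_ADMIN")
                .and()
                .build();
        // One factory shared by the endpoints and the filter, with user-scope narrowing switched on.
        this.requestFactory = new DefaultOAuth2RequestFactory(clientDetailsService);
        this.requestFactory.setCheckUserScopes(true);
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.withClientDetails(clientDetailsService);
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
        endpoints.authenticationManager(authenticationManager)   // needed by the password grant
                 .requestFactory(requestFactory);                // replaces the default request factory
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) {
        // With the password grant the user is only known inside the token endpoint, so the
        // user-scope check needs this filter; it is placed after the client's HTTP Basic authentication.
        security.addTokenEndpointAuthenticationFilter(
                new TokenEndpointAuthenticationFilter(authenticationManager, requestFactory));
    }
}
```

Without the filter the flag still takes effect on the authorization endpoint (where the user is already authenticated in the session) but not on a password-grant token request, which is exactly the distinction the quoted paragraph draws.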
## References

TokenEndpoint
OAuth2RequestFactory
DefaultOAuth2RequestFactory
spring-security-oauth
