JWT with Spring OAuth2

Submitted by 不问归期 on 2020-01-11 09:58:09

Question


I have created the Spring Authorization Server which issues JWTs and a Resource Server which checks the JWT, its claims and permissions on the Authorization Server. To do so, I have followed this article.

My question is why I need to send the Authorization header with HTTP Basic authorization and Base64-encoded username/password (ClientId:ClientSecret) in the get-token request? I have seen JWT implementations where only username and password are required.


Answer 1:


It is part of the specification, see RFC 6749:

2.3 Client Authentication

If the client type is confidential, the client and authorization server establish a client authentication method suitable for the security requirements of the authorization server. The authorization server MAY accept any form of client authentication meeting its security requirements.

Confidential clients are typically issued (or establish) a set of client credentials used for authenticating with the authorization server (e.g., password, public/private key pair).

The authorization server MAY establish a client authentication method with public clients. However, the authorization server MUST NOT rely on public client authentication for the purpose of identifying the client.

The client MUST NOT use more than one authentication method in each request.

By default Spring Security OAuth 2.0 protects the token endpoint, see OAuth 2 Developers Guide:

The token endpoint is protected for you by default by Spring OAuth in the @Configuration support using HTTP Basic authentication of the client secret.

But it seems that you can disable the client authentication:

  • Spring Security OAuth 2.0 - client secret always required for authorization code grant
  • Is it possible to get an access_token from Spring OAuth2 server without client secret?
  • Spring Security OAuth 2.0 with no client_secret
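The exchange described in this answer, as an added example that is not part of the original answer or of Spring Security OAuth: the client builds the token request for the resource-owner-password grant, and the authorization-server side decodes the HTTP Basic header and checks the client secret. The client id, secret, token URL and registered-client table are constructed for the example; the Basic-header layout (`client_id:client_secret`, base64) follows RFC 6749 section 2.3.1, and the rejection of two authentication methods in one request follows the "MUST NOT use more than one authentication method" rule quoted above.

```python
import base64
import hmac
from urllib.parse import parse_qs, urlencode

# Constructed sample values (assumptions for this example, not from the post).
CLIENT_ID = "my-trusted-client"
CLIENT_SECRET = "secret"
TOKEN_URL = "http://localhost:8080/oauth/token"  # default token endpoint path in Spring Security OAuth
REGISTERED_CLIENTS = {CLIENT_ID: CLIENT_SECRET}   # what the authorization server has on file


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """RFC 6749 2.3.1: 'client_id:client_secret', base64-encoded, with the Basic scheme."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_token_request(username, password, client_id, client_secret=None):
    """Client side. Returns (headers, urlencoded body) for grant_type=password.

    A confidential client puts its credentials in the Authorization header;
    a public client (no secret) only identifies itself with client_id in the body.
    """
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    params = {"grant_type": "password", "username": username, "password": password}
    if client_secret is not None:
        headers["Authorization"] = basic_auth_header(client_id, client_secret)
    else:
        params["client_id"] = client_id
    return headers, urlencode(params)


def parse_basic_auth(header_value: str):
    """Authorization-server side. Returns (client_id, client_secret) or None."""
    scheme, _, b64 = header_value.partition(" ")
    if scheme.lower() != "basic" or not b64:
        return None
    try:
        decoded = base64.b64decode(b64, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    client_id, sep, client_secret = decoded.partition(":")
    if not sep:
        return None
    return client_id, client_secret


def authenticate_client(headers, body, registered):
    """Authorization-server side check run before any token is issued.

    Returns (True, client_id) or (False, error). Rejects a request that carries
    no client credentials, that uses both the Basic header and client_secret in
    the body (RFC 6749 2.3 forbids more than one method), or whose secret does
    not match; the secret comparison is constant-time.
    """
    params = {k: v[0] for k, v in parse_qs(body).items()}
    header_creds = parse_basic_auth(headers.get("Authorization", ""))
    body_creds = None
    if "client_secret" in params:
        body_creds = (params.get("client_id", ""), params["client_secret"])
    if header_creds and body_creds:
        return False, "invalid_request: more than one client authentication method"
    creds = header_creds or body_creds
    if creds is None:
        return False, "invalid_client: no client credentials"
    client_id, client_secret = creds
    expected = registered.get(client_id)
    if expected is None or not hmac.compare_digest(expected.encode(), client_secret.encode()):
        return False, "invalid_client"
    return True, client_id


if __name__ == "__main__":
    headers, body = build_token_request("user", "user-password", CLIENT_ID, CLIENT_SECRET)
    print("POST", TOKEN_URL)
    for k, v in headers.items():
        print(f"{k}: {v}")
    print()
    print(body)
    print(authenticate_client(headers, body, REGISTERED_CLIENTS))
```

The server-side function is what the Basic header buys you: the user's password proves who the resource owner is, while the client secret proves which registered application is asking, and a confidential client that omits it is turned away with `invalid_client`. If you disable client authentication as the linked questions describe, treat the client as public and never rely on `client_id` alone to decide what the client may do.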



Answer 2:


That is the structure of the JWT token:

HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  secret
)


As you are doing a JWT implementation, all three parts must be there: header.payload.secret

Maybe in the implementation you have seen, the server was working with a default secret.
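The HMAC-SHA256 computation shown above, carried through as an added example (not code from the original answer or from Spring): the third segment of the token is the base64url-encoded HMAC of `header.payload` under the secret, and a verifier recomputes that HMAC with its own copy of the secret. The claims, the secret `default-secret` and the alternative secret used to show a failed verification are constructed for the example. Verification also refuses any header whose `alg` is not `HS256`, so a token with `alg: none` or a different algorithm is rejected before the signature is even examined.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """base64url without padding, as JWT requires (RFC 7515 appendix C)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Inverse of b64url; restores the padding that was stripped."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url(json.dumps(header, separators=(",", ":")).encode("utf-8"))
        + "."
        + b64url(json.dumps(claims, separators=(",", ":")).encode("utf-8"))
    )
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(signature)


def verify_hs256(token: str, secret: bytes):
    """Return the claims if the token is a valid HS256 JWT under `secret`, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(b64url_decode(parts[0]))
        provided = b64url_decode(parts[2])
    except (ValueError, UnicodeDecodeError):
        return None
    # Pin the algorithm: the header is attacker-controlled until the MAC checks out.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    signing_input = f"{parts[0]}.{parts[1]}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, provided):
        return None
    try:
        return json.loads(b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    # Constructed sample secret and claims for the example.
    secret = b"default-secret"
    token = sign_hs256({"sub": "user", "scope": "read"}, secret)
    print(token)
    print("verified with the right secret:", verify_hs256(token, secret))
    print("verified with another secret:  ", verify_hs256(token, b"some-other-secret"))
```

The failure case is the one the answer hints at: anyone who knows (or guesses) the server's secret can call `sign_hs256` themselves and mint a token the resource server will accept, which is why a default or weak signing secret on the authorization server is a credential, not a configuration detail.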



Source: https://stackoverflow.com/questions/43388546/jwt-with-spring-oauth2
