Stateless Spring JWT Application + EnableOAuth2Client

為{幸葍}努か 提交于 2020-01-23 17:18:25

问题


I'm 50+ hours deep on this solution and would appreciate any input.

I have a JHipster 4.x generated application using Angular + Spring + JWT stateless authentication (myApp). I am wiring up a 3rd party OAuth 2 interface (battle.net) for authenticated myApp users to OAuth against battle.net so we can prove they own the battle.net account and pull their battle.net user id so the accounts are linked in myApp. So JWT southbound, OAuth2 northbound.

JWT works fine and OAuth appears to work fine. I am struggling because myApp uses a stateless JWT token and Spring @EnableOAuth2Client uses JSESSIONID, and I can't seem to bring the two together so I can relate data returned from the battle.net calls to the myApp Principal. battle.net uses a callback URL upon successful authentication, and I can see valid data in both myApp PrincipalExtractor as well as myApp AuthenticationSuccessHandler, but as there is no JWT token supplied, I have no way to link the battle.net data to the myApp user.

** User Initiates OAuth **

User -- JWT --> myApp /login/battlenet --> battle.net /oauth/*

** battle.net Callback Success **

battle.net --> myApp /callback/battlenet - This is good battlenet data but no JWT token so Principal is anonymousUser.

I see '&redirectUri=xxx&response_type=yyy&code=xxx' being passed to battle.net on the '/oauth/authorize' request. Is there a way to pass linking data to battle.net that is returned on the callback per the OAuth2 spec with @EnableOAuth2Client? I think that would solve my problem.

spring-core-4.3.13 spring-boot-starter-security-1.5.9 spring-security-core-4.2.4 spring-security-oauth2-2.0.14

Thanks!


回答1:


I found a way to pass linking data. I hope it helps someone else. :)

@Bean
public OAuth2ClientContextFilter oauth2ClientContextFilter() {
    OAuth2ClientContextFilter oauth2ClientContextFilter = new OAuth2ClientContextFilter();
    oauth2ClientContextFilter.setRedirectStrategy(new BMAOAuthRedirectStrategy());
    return oauth2ClientContextFilter;
}

class BMAOAuthRedirectStrategy extends DefaultRedirectStrategy {
    @Override
    public void sendRedirect(HttpServletRequest request, HttpServletResponse response, String url) throws IOException {
        url = url.concat("&bma_uuid=MY_LINKING_DATA");
        String redirectUrl = calculateRedirectUrl(request.getContextPath(), url);
        redirectUrl = response.encodeRedirectURL(redirectUrl);
        if (logger.isDebugEnabled()) {
            logger.debug("Custom BMA SecurityConfiguration Redirecting to '" + redirectUrl + "'");
        }
        response.sendRedirect(redirectUrl);
    }
}


来源:https://stackoverflow.com/questions/51456479/stateless-spring-jwt-application-enableoauth2client

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!