Spring Authorization Server has released another version; the current version is 0.2.3. What has changed this time? Let's find out.

Version 0.2.3 Features

There are many new features in this update.

Provide default settings for public clients

According to RFC 6749, a client that uses the authorization code grant (authorization_code) and whose only client authentication method is ClientAuthenticationMethod none is a public client; any other client is a confidential client.

In 0.2.3, a default client configuration (ClientSettings) is provided for public clients.

    // Inside RegisteredClient.Builder#build(): when no ClientSettings were supplied,
    // a public client gets PKCE and authorization consent required by default.
    if (this.clientSettings == null) {
        ClientSettings.Builder builder = ClientSettings.builder();
        if (isPublicClientType()) {
            // @formatter:off
            builder
                    .requireProofKey(true)
                    .requireAuthorizationConsent(true);
            // @formatter:on
        }
        this.clientSettings = builder.build();
    }

One more point: a public client can no longer use the plain authorization_code grant on its own; PKCE is required by default.

OAuth2ClientAuthenticationProvider is subdivided

The client authentication methods currently supported by Spring Authorization Server are:

  • client_secret_basic
  • client_secret_post
  • client_secret_jwt
  • private_key_jwt
  • none

These were all previously handled by OAuth2ClientAuthenticationProvider; the responsibilities are now split across separate providers.

JwtClientAssertionAuthenticationProvider

Responsible for private_key_jwt and client_secret_jwt; see my column for details.
Fat Brother has already completed a working private_key_jwt authentication DEMO.

ClientSecretAuthenticationProvider

Responsible for the default client_secret_basic and client_secret_post methods.

PublicClientAuthenticationProvider

Handles authentication (method none) for the public clients described above.

InMemoryOAuth2AuthorizationService optimization

This mainly improves the eviction strategy for in-memory storage of OAuth2Authorization objects whose authorization has not yet completed: once more than 100 of them are held in memory, the oldest entries are evicted.

Added demo of federated identities

Federated Identity Pattern: suppose you have integrated several identity providers (IDPs) at the same time. Users then have to be redirected to each authorization server's page and enter the corresponding credentials. Now these IDPs can be placed behind Spring Authorization Server, which is delegated to handle authentication and authorization. This way users no longer jump between providers; you only need to maintain the relationship with each IDP in Spring Authorization Server.

Note that this functionality is provided as a sample and is not built into Spring Authorization Server itself.

OAuth2TokenGenerator

0.2.3 abstracts how OAuth2Token instances are generated:

    @FunctionalInterface
    public interface OAuth2TokenGenerator<T extends OAuth2Token> {

        // Returns the generated token, or null if this generator does not
        // handle the token type requested by the context.
        @Nullable
        T generate(OAuth2TokenContext context);

    }

OAuth2 authorization code uses a unified Token generation model

The authorization code issued in the authorization code grant is now also produced by an OAuth2TokenGenerator; the implementation class is OAuth2AuthorizationCodeGenerator.

OAuth2 refresh token uses a unified token generation model

The OAuth2 refresh token (OAuth2RefreshToken) is now also produced through an OAuth2TokenGenerator.

JWT generation uses a unified model

JWT generation now also goes through OAuth2TokenGenerator; the concrete implementation class is JwtGenerator.

Support for opaque tokens

You can now implement your own OAuth2TokenGenerator and register it in the Spring IoC container to customize token generation, which means opaque tokens can also be supported through such a custom generator.
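As an added example (not code from the post or from the Spring project), here is a custom OAuth2TokenGenerator that issues opaque (random reference) access and refresh tokens and is registered as a bean, tying together the OAuth2TokenGenerator abstraction and the opaque-token customization above. The package names are assumed for 0.2.3, and the bean wiring is an assumption about how the server picks the generator up.

```java
import java.security.SecureRandom;
import java.time.Instant;
import java.util.Base64;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.lang.Nullable;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.core.OAuth2RefreshToken;
import org.springframework.security.oauth2.core.OAuth2Token;
import org.springframework.security.oauth2.server.authorization.OAuth2TokenContext;
import org.springframework.security.oauth2.server.authorization.OAuth2TokenGenerator;
import org.springframework.security.oauth2.server.authorization.OAuth2TokenType;
import org.springframework.security.oauth2.server.authorization.config.TokenSettings;

// Added example; package names assumed for 0.2.3 (they moved in later releases).
public final class OpaqueTokenGenerator implements OAuth2TokenGenerator<OAuth2Token> {

    private static final int TOKEN_BYTES = 32; // 256 bits of entropy per token value
    private final SecureRandom random = new SecureRandom();
    private final Base64.Encoder encoder = Base64.getUrlEncoder().withoutPadding();

    @Nullable
    @Override
    public OAuth2Token generate(OAuth2TokenContext context) {
        TokenSettings settings = context.getRegisteredClient().getTokenSettings();
        Instant issuedAt = Instant.now();
        if (OAuth2TokenType.ACCESS_TOKEN.equals(context.getTokenType())) {
            // A reference token carries no claims: the server keeps the mapping in its
            // OAuth2AuthorizationService and resource servers validate it via introspection.
            return new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER, randomValue(),
                    issuedAt, issuedAt.plus(settings.getAccessTokenTimeToLive()),
                    context.getAuthorizedScopes());
        }
        if (OAuth2TokenType.REFRESH_TOKEN.equals(context.getTokenType())) {
            return new OAuth2RefreshToken(randomValue(), issuedAt,
                    issuedAt.plus(settings.getRefreshTokenTimeToLive()));
        }
        return null; // other token types (e.g. the authorization code) are not handled here
    }

    private String randomValue() {
        byte[] bytes = new byte[TOKEN_BYTES];
        random.nextBytes(bytes); // CSPRNG: token values must be unguessable
        return encoder.encodeToString(bytes);
    }
}

@Configuration
class TokenGeneratorConfig {
    @Bean // assumed wiring: the server resolves an OAuth2TokenGenerator<?> bean
    OAuth2TokenGenerator<?> tokenGenerator() { return new OpaqueTokenGenerator(); }
}
```

With this generator registered, every client receives opaque access tokens, so resource servers must use the introspection endpoint rather than local JWT validation.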

Token introspection filter configuration is now customizable

Before version 0.2.3, the token introspection configuration was handled by OAuth2AuthorizationServerConfigurer; it is now handled by a separate configuration class, OAuth2TokenIntrospectionEndpointConfigurer.

Dependency upgrade

0.2.3 also upgraded some dependencies, specifically:

  • Update to Reactor 2020.0.16
  • Update to Spring Security 5.5.5
  • Update to Spring Framework 5.3.16
  • Update to Spring Boot 2.5.10

Fat Brother will follow these changes as well and upgrade the dependencies step by step.

Follow the WeChat official account Felordcn for more news.

Personal blog: https://felord.cn

Author: 码农小胖哥 (3.8k reputation, 8k followers)