如何在Springboot应用程序的OAuth2客户端中将响应类型设置为id_token

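// Housekeeping pipeline: lists Jenkins jobs whose nextBuildNumber file has not been
// modified for more than 1550 days, mails the candidate lists, waits for a manual
// approval and then calls the shelve URL for every job that has builds. Jobs that
// never built are only echoed ("Removing ..."); nothing is deleted by this script.
//
// Review notes:
//  - The shell steps read $JENKINS_HOME/jobs directly, which is why the pipeline is
//    pinned to the node labelled 'master'. Code running there can read the whole
//    Jenkins home, so permission to configure or replay this job should be limited
//    to administrators.
//  - All list files are truncated before they are filled. The original only appended
//    (>>), so entries left in the workspace by an earlier build would have been
//    shelved again without being part of the reviewed run.
//  - The approver is mailed ProjectsList2Shelve.txt / jobList2Delete.txt, while the
//    later stages act on Projects2Shelve.txt / jobs2Delete.txt. Both pairs are written
//    in the same loop, but they are different files.
pipeline {
    agent {
        label 'master'
    }
    options {
        // The input step below waits inside this limit for a human decision.
        timeout(time: 20, unit: 'HOURS')
    }
    stages {
        stage('Find old Projects') {
            steps {
                // awk field 6 is the job name only when JENKINS_HOME has three path
                // components (for example /var/lib/jenkins); adjust for other layouts.
                sh '''
                find "$JENKINS_HOME"/jobs/* -type f -name "nextBuildNumber" -mtime +1550 | grep -Ev "configurations|workspace|modules|promotions|BITBUCKET" | awk -F/ '{print $6}' | sort -u > results.txt
                '''
            }
        }
        stage('Generate recipient List') {
            steps {
                sh '''
                    # Start from an empty file so addresses from earlier builds are not reused.
                    : > recipientList.txt
                    while IFS= read -r Project
                    do
                        [ -n "$Project" ] || continue
                        grep "mail.com" "$JENKINS_HOME/jobs/$Project/config.xml" | grep -iv "Ansprechpartner" | awk -F'>' '{print $2}' | awk -F'<' '{print $1}' >> recipientList.txt
                    done < results.txt
                    # This variable lives only inside this sh step; Groovy code cannot see it.
                    recipientList=$(sort -u recipientList.txt)
                    echo $recipientList
                '''
            }
        }
        stage('Generate list to Shelve or Delete') {
            steps {
                sh '''
                    # Reset every list so that only jobs found in this run are acted on.
                    : > jobs2Delete.txt
                    : > jobList2Delete.txt
                    : > Projects2Shelve.txt
                    : > ProjectsList2Shelve.txt
                    while IFS= read -r Project
                    do
                        [ -n "$Project" ] || continue
                        numberFile="$JENKINS_HOME/jobs/$Project/nextBuildNumber"
                        if [ -f "$numberFile" ]; then
                            nextBuildNumber=$(cat "$numberFile")
                            # POSIX test uses a single '='; '==' fails when sh is not bash.
                            if [ "$nextBuildNumber" = "1" ]; then
                                echo "$JENKINS_HOME/jobs/$Project" >> jobs2Delete.txt
                                echo "$Project" >> jobList2Delete.txt
                            else
                                echo "$JENKINS_URL/job/$Project/shelve/shelveProject" >> Projects2Shelve.txt
                                echo "$Project" >> ProjectsList2Shelve.txt
                            fi
                        fi
                    done < results.txt
                '''
            }
        }
        stage('Send email') {
            steps {
                emailext to: 'admin@mail.com',
                         from: 'jenkins@mail.com',
                         attachmentsPattern: 'ProjectsList2Shelve.txt,jobList2Delete.txt',
                         subject: "This is a subject",
                         body: "Hello\n\nAttached two lists of Jobs,to archive or delete,\nPlease Aprove or Abort the Shelving / Delition of the Projects:\n${env.JOB_URL}\n\nBlue Ocean:\n${env.RUN_DISPLAY_URL}\n\nyour Team"
            }
        }
        stage('Aprove or Abort') {
            steps {
                // Only the listed submitter may approve; everything after this gate changes jobs.
                input message: 'OK to Shelve and Delete projects? \n Review the jobs list (Projects2Shelve.txt,jobs2Delete.txt) sent to your email',
                      submitter: 'someone'
            }
        }
        stage('Shelve or Delete') {
            parallel {
                stage('Shelve Project') {
                    steps {
                        withCredentials([usernamePassword(credentialsId: 'XYZ', passwordVariable: 'PA', usernameVariable: 'US')]) {
                            // The script is single-quoted, so the shell (not Groovy) expands
                            // $US and $PA and the secret is not interpolated into the script text.
                            // It is still passed as a curl argument and is therefore visible in
                            // the process list of the node while curl runs.
                            sh '''
                                while IFS= read -r job2Shelve
                                do
                                    [ -n "$job2Shelve" ] || continue
                                    curl -u "$US:$PA" "$job2Shelve"
                                done < Projects2Shelve.txt
                            '''
                        }
                    }
                }
                stage('Delete Project') {
                    steps {
                        // Dry run: the paths are printed, no rm is executed.
                        sh '''
                            while IFS= read -r job2Del
                            do
                                [ -n "$job2Del" ] || continue
                                echo "Removing $job2Del"
                            done < jobs2Delete.txt
                        '''
                    }
                }
            }
        }
    }
    post {
        success {
            // NOTE(review): recipientListTest is not defined anywhere in this pipeline, and
            // the shell variable recipientList from the earlier sh step is not visible here.
            // Unless it is provided from outside (for example as a global environment
            // variable), this step fails; confirm where the value is meant to come from.
            emailext to: "$recipientListTest",
                     attachmentsPattern: 'Projects2Shelve.txt,jobs2Delete.txt',
                     subject: "This is a sbject",
                     body: "Hallo\n\nAttached two lists of Jobs which archived or deleted due to inactivity of more the 400 days\n\n\nyour Team"
        }
    }
}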

生成的授权请求 URL 将 response_type 设置为 code,而不是 code + id_token

dilixinxi123 回答:如何在Springboot应用程序的OAuth2客户端中将响应类型设置为id_token

我仍在寻找最佳方法,但已找到解决方法。 我添加了 OAuth2AuthorizationRequestResolver 的自定义实现。

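/**
 * Authorization request resolver that delegates to
 * {@link DefaultOAuth2AuthorizationRequestResolver} and then adds a
 * {@code response_type} entry of the form {@code "<original> id_token"} to the
 * request's additional parameters.
 *
 * <p>The class is named {@code B2CPolicyResolver} to match its constructor and the
 * {@code new B2CPolicyResolver(...)} call in the security configuration; the original
 * listing declared a different class name and did not compile.
 *
 * <p>NOTE(review): whether the additional parameter replaces the standard
 * {@code response_type} query parameter or is sent next to it depends on how the
 * Spring Security version in use builds the redirect URI; check the generated URL.
 * Once {@code id_token} is requested on the authorization endpoint, the token travels
 * through the browser, so the callback must validate it (signature, issuer, audience,
 * nonce) before any claim is trusted. Confirm that the login flow in use does this.
 */
public class B2CPolicyResolver implements OAuth2AuthorizationRequestResolver {
    private final OAuth2AuthorizationRequestResolver delegatedRequestResolver;

    /**
     * @param clientRegistrationRepository repository handed to the default resolver
     * @param authorizeUri base URI of authorization requests, handed to the default resolver
     */
    public B2CPolicyResolver(ClientRegistrationRepository clientRegistrationRepository, String authorizeUri) {
        this.delegatedRequestResolver =
                new DefaultOAuth2AuthorizationRequestResolver(clientRegistrationRepository, authorizeUri);
    }

    /** Resolves with the default resolver, then customizes the result. */
    @Override
    public OAuth2AuthorizationRequest resolve(HttpServletRequest request) {
        OAuth2AuthorizationRequest req = delegatedRequestResolver.resolve(request);
        return customizeRequest(req, request);
    }

    /** Resolves for an explicit registration id, then customizes the result. */
    @Override
    public OAuth2AuthorizationRequest resolve(HttpServletRequest request, String clientRegistrationId) {
        OAuth2AuthorizationRequest req = delegatedRequestResolver.resolve(request, clientRegistrationId);
        return customizeRequest(req, request);
    }

    /**
     * Copies the resolved request and adds the extended {@code response_type} value.
     *
     * @param request the request produced by the delegate, possibly {@code null}
     * @param httpRequest the servlet request being processed (currently unused)
     * @return the customized request, or {@code null} when the delegate resolved nothing
     */
    private OAuth2AuthorizationRequest customizeRequest(OAuth2AuthorizationRequest request, HttpServletRequest httpRequest) {
        // The default resolver returns null for requests that are not authorization
        // requests; pass that through instead of failing with a NullPointerException.
        if (request == null) {
            return null;
        }
        Map<String, Object> params = new HashMap<>(request.getAdditionalParameters());
        params.put(OAuth2ParameterNames.RESPONSE_TYPE, request.getResponseType().getValue() + " id_token");
        return OAuth2AuthorizationRequest
                .from(request)
                .additionalParameters(params)
                .build();
    }
}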

然后在SecurityConfig中配置此类

/**
 * Web security configuration that plugs {@code B2CPolicyResolver} into the
 * OAuth2 login authorization endpoint.
 *
 * <p>Access rules as written: {@code /login} and everything under {@code /oauth2/}
 * are open to anonymous callers (the {@code /oauth2/token} entry is already covered
 * by {@code /oauth2/**}); every other request requires authentication.
 *
 * <p>NOTE(review): {@code WebSecurityConfigurerAdapter} is deprecated in newer
 * Spring Security releases; this listing targets the older adapter-based style.
 */
@Configuration
@EnableWebSecurity
public class SecurityAutoConfig extends WebSecurityConfigurerAdapter {

    // Injected by Spring; passed on to the custom request resolver.
    @Autowired
    private ClientRegistrationRepository clientRegistrationRepository;

    /**
     * Declares the URL access rules and registers the custom authorization request resolver.
     *
     * @param http the security builder supplied by Spring
     * @throws Exception propagated from the {@code HttpSecurity} DSL
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Resolver for authorization requests below the "/oauth2/authorization" base URI.
        final B2CPolicyResolver requestResolver =
                new B2CPolicyResolver(clientRegistrationRepository, "/oauth2/authorization");

        http.authorizeRequests()
                .antMatchers("/login", "/oauth2/token", "/oauth2/**").permitAll()
                .anyRequest().authenticated()
                .and()
                .oauth2Login()
                .authorizationEndpoint()
                .authorizationRequestResolver(requestResolver);
    }
}
,

你已经很接近了。:) 我希望在 Spring Boot 2.1 搭配 Spring Security 5.1 时能有更简洁的做法

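/**
 * Copies the resolved authorization request and forces its response type value to
 * {@code "id_token"} by writing the private {@code value} field through reflection.
 *
 * <p>NOTE(review): the object returned by {@code getResponseType()} appears to be the
 * framework's shared response-type constant rather than a per-request instance. If so,
 * this write changes the constant for the whole JVM: every later authorization request
 * and every comparison against that constant sees {@code "id_token"}. Verify this
 * against the Spring Security version in use before relying on the workaround, and
 * prefer a supported customization hook where the version offers one. An
 * {@code id_token} returned through the browser must also be validated (signature,
 * issuer, audience, nonce) by the callback before it is trusted.
 *
 * @param request the request produced by the default resolver, possibly {@code null}
 * @return the modified copy, or {@code null} when nothing was resolved
 * @throws IllegalAccessException if the reflective field write is refused
 */
private OAuth2AuthorizationRequest customizeRequest( OAuth2AuthorizationRequest request) throws IllegalAccessException {
    // The default resolver returns null for requests that are not authorization
    // requests; pass that through instead of failing inside from(...).
    if (request == null) {
        return null;
    }
    final OAuth2AuthorizationRequest newRequest = OAuth2AuthorizationRequest.from(request).build();
    // forceAccess = true: "value" is a private field of the response type object.
    FieldUtils.writeField(newRequest.getResponseType(),"value","id_token",true);
    return newRequest;
}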

无法覆盖 OAuth2AuthorizationRequest 中的 responseType。替换整个 OAuth2AuthorizationRequest 似乎很麻烦,因此这里只能借助反射。FieldUtils 来自 Apache Commons Lang 3。
