Implementing filter-based JWT authentication vs. OAuth2 JWT authentication on Spring Boot 2

As far as I understand, the OAuth2 framework needs a custom JWT authentication server, and I have to create a custom security filter with a JWT utility class for the filter-based JWT implementation.

However, my question is: what is the best method to implement JWT on Spring Boot 2, filter-based authentication or OAuth2?

Are there any pros and cons based on the nature of the clients and the application?

As an example: does OAuth2 authentication provide any advantage if the application manages different clients such as mobile, web, web service, etc.?

Note: my question is related to the security of a Spring Boot REST API + web application.

Solution

I have found a discussion regarding the same matter, and I'm extracting the important points below.

From the technical point of view, I still didn't get a clear idea of which implementation to use when and where, but it helped me to make a decision.

I personally hesitate to bring in OAuth when I only need JWT authentication. It feels confusing, and honestly I do not want the additional complexity of using @EnableResourceServer etc. Maybe it's just a couple of lines of configuration, but it feels like overkill.

Can someone show me why it's so difficult to set up an OAuth2 provider with JWT tokens? If you want JWT tokens all the code is already here. Why is it so hard to just use it?

Answer:

Maybe it's not difficult, but 1) it feels unnatural to do so and 2) it can be easier.

Instead of using @EnableResourceServer and other setup, I would like something much easier, like:

```java
// Proposed DSL from the discussion, not an API that exists in Spring Security:
// the author is sketching what a built-in JWT configurer could look like.
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .jwt()
            .loginUrl(new AntPathRequestMatcher("/api/login", "POST"))
            .secret("my-super-duper-secret")
            .claimsProvider(new MyClaimsProvider());
}
```

What you typically want to set for JWT is the login URL (which can default to /login), the secret and optionally a claimsProvider implementation. A default implementation should be provided out of the box, adding the username and roles to the claims.

This way it would be very easy to set up JWT in Spring Security.

With OAuth2 there is a "refresh token", so you put the onus on the client to keep the access token live, and the authorization server can check the user account every time it is refreshed. If you start worrying about that kind of problem (which you should), then you will end up implementing something that is getting pretty close to OAuth2, at which point you might say "why didn't we just use OAuth2 in the first place?" Do you see my point?

Isn't the use case described in this issue conceptually different from the OAuth2 case? Here we have a password as an input and a JWT token as an output, and the JWT token is then used for accessing the resources. The JWT profile for the OAuth 2 spec specifies a different case, where a JWT token is an input to the token service and the access token is an output, and the access token is then used for accessing the resources.

It would be good to have just simple JWT-token-based authentication without OAuth, which is sometimes complicated for small projects.
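The filter-based approach the question asks about, as an added example that is not from the original post or the quoted Spring Security discussion: one OncePerRequestFilter that issues a JWT carrying the username and roles (called from a login handler after the password check) and validates the Bearer token on every request. It assumes Spring Boot 2 with Spring Security 5 and the JJWT 0.11.x library; the class name, the secret and the 15-minute TTL are assumptions.

```java
// Added example (not from the post). Assumes Spring Boot 2, Spring Security 5, JJWT 0.11.x.
// The secret below is a hypothetical placeholder: load >= 256 bits of random key from config.
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.security.Keys;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.OncePerRequestFilter;
import javax.crypto.SecretKey;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Date;
import java.util.List;

public class JwtAuthenticationFilter extends OncePerRequestFilter {
    private static final SecretKey KEY =
            Keys.hmacShaKeyFor("change-me-32-byte-minimum-secret-from-config!".getBytes(StandardCharsets.UTF_8));
    private static final long TTL_MS = 15 * 60 * 1000; // short TTL: a bare JWT cannot be revoked server-side

    /** Called by the /api/login handler after the password check; adds username and role claims. */
    public static String issue(String username, List<String> authorities) {
        Date now = new Date();
        return Jwts.builder().setSubject(username).claim("roles", authorities).setIssuedAt(now)
                .setExpiration(new Date(now.getTime() + TTL_MS)).signWith(KEY).compact();
    }

    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws ServletException, IOException {
        String header = req.getHeader("Authorization");
        if (header != null && header.startsWith("Bearer ")) {
            try {
                // Verifies the HMAC signature and the expiry; any failure throws JwtException.
                Claims claims = Jwts.parserBuilder().setSigningKey(KEY).build()
                        .parseClaimsJws(header.substring(7)).getBody();
                @SuppressWarnings("unchecked")
                List<String> roles = claims.get("roles", List.class);
                SecurityContextHolder.getContext().setAuthentication(new UsernamePasswordAuthenticationToken(
                        claims.getSubject(), null, AuthorityUtils.createAuthorityList(roles.toArray(new String[0]))));
            } catch (JwtException e) {
                // Invalid or expired token: leave the context empty so the request proceeds as anonymous.
            }
        }
        chain.doFilter(req, res);
    }
}
```

Register it in the WebSecurityConfigurerAdapter with `http.addFilterBefore(new JwtAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class)` and a STATELESS session policy so no HTTP session is created. Because the token is only checked for signature and expiry, disabling a user takes effect only after the TTL elapses, which is the revocation gap the quoted refresh-token argument refers to.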
