As I can understand, OAuth2 framework needs a custom JWT authentication server and I have to create a custom security filter with JWT utility class for the filter-based JWT implementation.
However my question is, what is the best method to implement JWT on Spring Boot 2? filter-based authentication or OAuth2?
Is there any pros and cons based on nature of the clients and application?
As an example; Does OAuth2 authentication provide any advantage, if application manages different clients such as mobile, web, web service etc.?
Note: My question is related to the security of Spring-Boot REST API + web application.
解决方案
I have found a discussion regarding the same matter and I’m extracting the important points below.
From the technical point of view, still I didn’t get a clear idea of which implementation, when and where, but it helps me to take a decision.
I personally hesitate to bring in OAuth when I only need JWT authentication. It feels confusing and honestly I do not want the additional complexity to use @EnableResourceServer etc. Maybe it's just a couple of lines of configuration but if feels like overkill.
Can someone show me why it's so difficult to set up an OAuth2 provider with JWT tokens? If you want JWT tokens all the code is already here. Why is it so hard to just use it?
Answer:
Maybe it's not difficult but 1) it feels unnatural to do so and 2) it can be easier.
Instead of using @EnableResourceServer and other setup I would like something much more easier like:
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.jwt()
.loginUrl(new AntPathRequestMatcher("/api/login", "POST"))
.secret("my-super-duper-secret")
.claimsProvider(new MyClaimsProvider)
What you typically want set to for JWT is the login url (can be defaulted to /login), the secret and optionally some claimsProvider implementation. A default implementation should be provided out of the box adding the username and roles to the claims.
This way it would be very easy to setup JWT in Spring Security.
With OAuth2 there is a "refresh token", so you put the onus on the client to keep the access token live, and the authorization server can check the user account every time it is refreshed. If you start worrying about that kind of problem (which you should) then you will end up implementing something that is getting pretty close to OAuth2, at which point you might say "why didn't we just use OAuth2 in the first place?" Do you see my point?
Isn't the use case described in this issue conceptually different from the OAuth2 case? Here we have a password as an input and JWT token as an output, and JWT token is then used for accessing the resources. The JWT profile for OAuth 2 spec specifies a different case, where a JWT token is an input to the token service and the access token is an output, and access token is then used for accessing the resources.
It will be good to have just simple JWT token base authentication without OAuth which is sometimes complicated for small projects.
扫一扫
1376
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
