Spring OAuth2 extract Principal from access token string

Question

I have an access token received in the controller and I need to extract the Principal from the string access token, without using the Authentication method argument, since that object will be a different user. Simple decoding of the token should help. Does anyone know how to do that from just the access token string?

Example

@RequestMapping(value = "create", method = RequestMethod.POST)
public ResponseEntity create(Authentication authentication, @RequestParam("access_token") String accessToken) {
    // extract Principal from accessToken variable
    return ResponseEntity.ok().build();
}

Answer 1

Score: 1

After some time I managed to get the Principal from the access token string.

@Autowired
private TokenStore tokenStore;

@RequestMapping(value = "create", method = RequestMethod.POST)
public ResponseEntity create(Authentication authentication, @RequestParam("access_token") String accessToken) {
    // readAuthentication decodes (JwtTokenStore) or looks up (InMemory/JdbcTokenStore) the token;
    // an unknown token yields null here, a token that fails verification throws InvalidTokenException
    Object principal = tokenStore.readAuthentication(accessToken).getPrincipal();
    return ResponseEntity.ok(principal);
}

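As an added example (not code from the question or from answer 1), the `tokenStore.readAuthentication(...)` call above wrapped in a small service so that unknown, malformed and expired tokens come back as an empty result instead of a NullPointerException or an uncaught InvalidTokenException. It assumes a `TokenStore` bean (for instance a `JwtTokenStore`) is already configured; the class and method names are mine.

```java
// Added example, not from the question or answers. Assumes a TokenStore bean
// (e.g. JwtTokenStore) from spring-security-oauth2 is configured; the class and
// method names below are illustrative.
import java.util.Optional;

import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.common.exceptions.InvalidTokenException;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.stereotype.Service;

@Service
public class AccessTokenPrincipalResolver {

    private final TokenStore tokenStore;

    public AccessTokenPrincipalResolver(TokenStore tokenStore) {
        this.tokenStore = tokenStore;
    }

    /**
     * Resolves the authentication behind an access-token string.
     * Returns empty when the token is missing, unknown, fails signature
     * verification, is actually a refresh token, or has expired.
     */
    public Optional<OAuth2Authentication> authenticationFor(String accessToken) {
        if (accessToken == null || accessToken.isEmpty()) {
            return Optional.empty();
        }
        try {
            // For JwtTokenStore this verifies the signature and rejects refresh tokens;
            // for InMemory/JdbcTokenStore it is a lookup that yields null when unknown.
            OAuth2AccessToken token = tokenStore.readAccessToken(accessToken);
            if (token == null) {
                return Optional.empty();
            }
            // readAuthentication() alone does not check expiry; DefaultTokenServices
            // normally does that, so repeat the check when bypassing it like this.
            if (token.isExpired()) {
                return Optional.empty();
            }
            return Optional.ofNullable(tokenStore.readAuthentication(token));
        } catch (InvalidTokenException e) {
            // JwtTokenStore throws when the token cannot be decoded or verified
            return Optional.empty();
        }
    }

    /** The principal's name (the user_name claim for a user token issued by Spring OAuth2). */
    public Optional<String> principalNameFor(String accessToken) {
        return authenticationFor(accessToken).map(OAuth2Authentication::getName);
    }

    /** The raw principal object, the same value as readAuthentication(...).getPrincipal() in answer 1. */
    public Optional<Object> principalFor(String accessToken) {
        return authenticationFor(accessToken).map(OAuth2Authentication::getPrincipal);
    }
}
```

In the controller, inject the resolver and map an empty result to a 4xx response rather than letting the request proceed with a null principal; the expiry check is the part most easily lost when a TokenStore is called directly instead of through DefaultTokenServices.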

Answer 2

Score: 0

I don't know why you're sending another user's token in the request, which I find dangerous because access tokens contain sensitive information (credentials). I advise you to change the way you identify the second user by creating something like an action or identification token. The schema you define should contain the user's ID and the information you want to send.

In case you have another philosophy that you didn't mention, and assuming the access token is a JWT, you must first validate it using the algorithm and the private key used to hash it. If it's a valid token, you can access its content.

@Autowired
private JwtDecoder jwtDecoder;

@RequestMapping(value = "create", method = RequestMethod.POST)
public ResponseEntity create(Authentication authentication, @RequestParam("access_token") String accessToken) {
   // Validate your accessToken: decode() checks the signature and exp/nbf and throws JwtException otherwise
   Jwt jwt = jwtDecoder.decode(accessToken);
   // To access the token details
   Object claim = jwt.getClaims().get(A_KEY_IN_YOUR_TOKEN);
   return ResponseEntity.ok(claim);
}

Check this class.

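The "validate first, then read the content" step answer 2 describes, carried through with Spring Security 5's resource-server classes as an added example (not code from the answer or from Spring): the token string is decoded and verified by a `JwtDecoder`, then converted into the same `JwtAuthenticationToken` the resource-server filter would produce, so `getTokenAttributes()` can be used exactly as in the answer. The class name, the HMAC secret and the helper methods are assumptions for illustration.

```java
// Added example, not from the answer. The class name and the shared HMAC
// secret are illustrative; in most deployments the JwtDecoder bean comes from
// the issuer's JWK set (NimbusJwtDecoder.withJwkSetUri) instead of a static key.
import java.nio.charset.StandardCharsets;
import java.util.Optional;

import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.oauth2.jose.jws.MacAlgorithm;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtException;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;

public class JwtPrincipalExtractor {

    private final JwtDecoder jwtDecoder;
    private final JwtAuthenticationConverter converter = new JwtAuthenticationConverter();

    public JwtPrincipalExtractor(JwtDecoder jwtDecoder) {
        this.jwtDecoder = jwtDecoder;
    }

    /**
     * Decoder for tokens signed with HS256 under a shared secret (the secret must be
     * at least 32 bytes for the underlying Nimbus verifier to accept it).
     */
    public static JwtPrincipalExtractor forHmacSecret(String secret) {
        SecretKey key = new SecretKeySpec(secret.getBytes(StandardCharsets.UTF_8), "HmacSHA256");
        JwtDecoder decoder = NimbusJwtDecoder.withSecretKey(key)
                .macAlgorithm(MacAlgorithm.HS256)
                .build();
        return new JwtPrincipalExtractor(decoder);
    }

    /**
     * Validates the token (signature, plus exp/nbf through the decoder's default
     * validators) and converts it to a JwtAuthenticationToken. Returns empty for
     * anything that does not validate, so callers never see unverified claims.
     */
    public Optional<JwtAuthenticationToken> authenticate(String accessToken) {
        if (accessToken == null || accessToken.isEmpty()) {
            return Optional.empty();
        }
        try {
            Jwt jwt = jwtDecoder.decode(accessToken);
            AbstractAuthenticationToken auth = converter.convert(jwt);
            return Optional.of((JwtAuthenticationToken) auth);
        } catch (JwtException e) {
            // malformed, badly signed, expired or not-yet-valid token
            return Optional.empty();
        }
    }

    /** The principal name behind the token (the "sub" claim by default). */
    public Optional<String> principalNameOf(String accessToken) {
        return authenticate(accessToken).map(JwtAuthenticationToken::getName);
    }

    /** A single claim read through getTokenAttributes(), as in the answer's snippet. */
    public Optional<Object> claimOf(String accessToken, String claimName) {
        return authenticate(accessToken)
                .map(JwtAuthenticationToken::getTokenAttributes)
                .map(attributes -> attributes.get(claimName));
    }
}
```

With Spring Boot the `JwtDecoder` is normally auto-configured from the `spring.security.oauth2.resourceserver.jwt.*` properties, in which case the constructor injection path is used and `forHmacSecret` is unnecessary; the important property of either path is that `decode()` rejects the token before any claim is read.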

huangapple
  • Posted on 11 August 2020 at 21:07:32
  • When reposting, please keep the link to this article: https://go.coder-hub.com/63358824.html