“spring-authorization-server”是否适合用于连接到企业提供的现有OIDC服务器?

huangapple go评论66阅读模式
英文:

Is spring-authorization-server a suitable tool for connecting to an existing OIDC server provided by an enterprise?

问题

"spring-authorization-server"是否适用于连接到我企业提供的现有OIDC服务器?看起来"spring-authorization-server"提供了创建和定制这些身份验证流程的能力,我们还可以利用GitHub和Google作为联合(社交)身份验证提供者,但我想确定是否可以连接到我们组织的身份验证服务。

我们在一个隔离区部署了几个Spring Boot应用程序的应用堆栈,并且还在另一个更广泛的网络上部署了它们,可以供更广泛的受众访问。每个网络都有自己的OIDC服务器,因此我设想每个应用程序都与Spring授权服务器进行通信,Spring授权服务器将在每个网络上进行配置,以连接到该网络提供的身份验证服务器。我希望应用程序堆栈(作为整体)尽可能具有可移植性,并且只希望将两个部署环境之间的差异隔离到配置方面,如果可能的话。

我知道我可以在每个应用程序中配置Spring安全的OAuth2客户端,以与我们公司的OIDC服务器通信,但如果可能的话,我宁愿避免这样做。

因此,我的问题是 - 我如何将spring-authorization-server指向外部的OIDC服务器(不是Google或GitHub)?我进行了广泛的搜索,并查看了许多教程和示例。看起来这应该是Spring想要在他们的示例中展示的内容,但它显然没有出现。这让我认为它可能不是设计来做我想做的事情,但我希望我只是遗漏了一些东西。

英文:

Is spring-authorization-server appropriate for connecting to an existing OIDC server provided by my enterprise? It looks like spring-authorization-server provides the ability to create and customize these auth flows, and we can also utilize github and google as federated (social) auth providers, but I am trying to determine if I can connect to my organization's auth service.

We deploy our application stack of several spring boot applications on an enclave, and we also deploy on another network that a wider audience can reach. Each of these networks has its own OIDC server, so I envision having each of the apps talk to the spring auth server, and the spring auth server will be configured on each network for that network's provided auth server. I want the application stack (in its entirety) to be as portable as possible, and I want to isolate the differences between the two deployment environments only to configuration, if possible.

I am aware that I can configure the spring security oauth2 client in each of the apps to talk to my company's OIDC server, but I would prefer to avoid doing it that way, of possible.

So, my question is -- how can I point spring-authorization-server to an external OIDC server (that is not google or github)? I have done extensive searching, and I have looked at many, many tutorials and examples. It seems like this should be something that Spring would want to show in their examples, but it is conspicuously absent. That makes me think that it is not designed to do what I want to do, but I hope that I am just missing something.

答案1

得分: 1

如果您只需要使用现有的企业提供的OIDC服务器,就无需使用spring-authorization-server。

您只需要附加OAuth2客户端。

例如,如果您使用Spring Boot,只需将spring-boot-starter-oauth2-client添加到依赖项中,然后配置spring:security:oauth2:client:registration和spring:security:oauth2:client:provider。这样框架就可以解析用户信息并将其存储在上下文中。

您可以参考这个链接:https://www.baeldung.com/spring-security-openid-connect

英文:

if you just need to utilize the existed enterprise-provided OIDC server, there is no need for you use spring-authorization-server.

All you need is just a attach oauth2 client.

for example, if you use springboot, it just need add spring-boot-starter-oauth2-client to the dependencies, and then config the spring:security:oauth2:client:registration and spring:security:oauth2:client:provider. so the framework will could resolve the user info and store it in its context.

you can refer to this, https://www.baeldung.com/spring-security-openid-connect

答案2

得分: 1

你确实可以通过Spring Authorization Server连接到任何OIDC提供商。实际上,你提出的用例正是SAS设计的完美示例。当然,对于任何架构都存在权衡,通常情况下,Spring团队不会就你的架构做出具体推荐(除非推荐增强安全性的架构,如BFF)。这可能是你找不到这个特定示例的原因之一。

一些示例可能缺失的另一个原因是配置你特定的OIDC提供商而不是通用提供商的详细信息需要只有你才有的知识。在这些情况下,你可以从提供的示例开始,并在使用OAuth2的参考文档作为指南的基础上进行调整。可能会有所帮助的是,你应该将Spring Authorization Server视为配置上游提供商的OAuth2(登录)客户端。

例如,参见配置自定义提供商属性。如果你正在使用符合规范的OpenID Connect 1.0提供商,你只需要在每个环境中提供上游提供商所需的属性(例如在评论中链接到的ch4mp的tutorials中的客户端示例),Spring Security将完成其余工作。请注意,在许多情况下,你只需要为提供商提供一个issuer-uri,它将提供其他属性(通过提供商的${issuer-uri}/.well-known/openid-configuration端点的OpenID Connect 1.0提供商配置响应)。

正如你可能(希望)看到的,Spring Security会处理所有的身份验证需求。如果似乎在Spring Authorization Server的上下文中演示这一点缺失,那是因为它与配置常规的OAuth2登录/客户端示例没有任何区别。

我的具体建议是从如何使用社交登录进行身份验证开始,然后用你的提供商替换Google/GitHub,只使用属性。如前所述,只有当你的提供商不符合规范并需要定制时才会遇到麻烦。在这里阅读参考文档将会有所帮助,也可以随时就此提出更具体的问题。

英文:

You can indeed connect to any OIDC provider via Spring Authorization Server. In fact, the use case you laid out is a perfect example of what SAS is designed for. Of course there are tradeoffs with any architecture, and generally the Spring team will not make specific recommendations on your architecture (except to recommend architectures that enhance security, such as BFF). This may be one reason you find this specific example missing.

Another reason some examples may be missing is that the details of configuring your specific OIDC provider instead of a common provider requires knowledge that only you have. In those cases, you want to start with a provided example, and begin adapting it from there using the reference documentation for OAuth2 as your guide. It may help to know that you should think of Spring Authorization Server as an OAuth2 (Login) Client for the purposes of configuring an upstream provider.

See for example Configuring Custom Provider Properties. If you are working with a spec-compliant OpenID Connect 1.0 provider, you should only need to provide the required properties for your upstream provider in each environment (such as the client examples in ch4mp's tutorials linked in the comments do) and Spring Security will do the rest. Note that in many cases, you only need to provide an issuer-uri for your provider and it will supply the other properties (via the OpenID Connect 1.0 Provider Configuration Response of the ${issuer-uri}/.well-known/openid-configuration endpoint of your provider).

As you can (hopefully) see, Spring Security handles all of the authentication needs for you. If it seems that demonstrating this in the context of Spring Authorization Server is missing, that's because it's not any different than configuring a regular OAuth2 Login/Client example.

My specific recommendation is to start with How-to: Authenticate using Social Login and replace Google/GitHub with your provider using only properties. As mentioned earlier, you will only run into trouble if your provider is not spec-compliant and requires customization. A thorough read of the reference documentation will help here, and feel free to ask additional (more specific) questions on that.

huangapple
  • 本文由 发表于 2023年5月21日 19:51:03
  • 转载请务必保留本文链接:https://go.coder-hub.com/76299774.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定