SpringBoot 3 + ReactJS + Auth0
Question
I'm just starting a new project from scratch and decided on Kotlin with SpringBoot 3, ReactJS on the frontend and Auth0 as Identity Provider. As much as I like SpringBoot, I get seriously confused about what the recommended way of doing auth is in such a setup.
Let me elaborate on a couple of crucial things:
- I want to utilise Auth0 functionalities for registering users / social login etc., BUT I need to store more information about the user
- I want to create more sophisticated relations so that users have organisations they can invite other people to.
- WebSecurityConfigurerAdapter seems to be deprecated and there are not many sources that clearly explain how to configure the FilterChain in SpringBoot 3. What is more, many of them focus on Spring being the Identity Provider, which further complicates things.
- After the JWT is validated with Auth0, I need information about the user from my database as well (I store some additional information about the user after all)
Can someone explain to me the steps of creating a Security Configuration in the new SpringBoot, having in mind the prerequisites I stated?
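One way to wire the resource-server side the question asks for, as an added example (Kotlin, Spring Security 6 lambda DSL) that is not code from the question or from either answer: Auth0 validates the user, Spring validates the JWT (including the audience, which Spring does not check by default), and only then is the verified `sub` claim mapped to the local user row. `AppUser`, `UserRepository`, the `/api/public/**` path and the `app.auth0.audience` property are assumed names.

```kotlin
import org.springframework.beans.factory.annotation.Value
import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.core.convert.converter.Converter
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
import org.springframework.security.config.http.SessionCreationPolicy
import org.springframework.security.core.authority.SimpleGrantedAuthority
import org.springframework.security.oauth2.core.*
import org.springframework.security.oauth2.jwt.*
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken
import org.springframework.security.web.SecurityFilterChain
// Assumed application types (not Spring's): the local row holding the extra per-user data.
data class AppUser(val auth0Subject: String, val organisationId: Long?, val roles: Set<String>)
interface UserRepository { fun findByAuth0Subject(sub: String): AppUser?; fun save(u: AppUser): AppUser }
@Configuration @EnableWebSecurity
class SecurityConfig(private val users: UserRepository) {
    @Bean
    fun filterChain(http: HttpSecurity): SecurityFilterChain {
        http
            .csrf { it.disable() } // stateless bearer-token API: no session cookie, so no CSRF token
            .sessionManagement { it.sessionCreationPolicy(SessionCreationPolicy.STATELESS) }
            .authorizeHttpRequests {
                it.requestMatchers("/api/public/**").permitAll().anyRequest().authenticated()
            }
            .oauth2ResourceServer { rs -> rs.jwt { it.jwtAuthenticationConverter(dbBackedConverter()) } }
        return http.build()
    }
    // Signature, expiry and issuer checks come from the decoder built from the Auth0 issuer-uri;
    // Spring does not check "aud" by default, so the Auth0 API identifier is validated here too.
    @Bean
    fun jwtDecoder(@Value("\${spring.security.oauth2.resourceserver.jwt.issuer-uri}") issuer: String,
                   @Value("\${app.auth0.audience}") audience: String): JwtDecoder { // assumed property name
        val decoder = JwtDecoders.fromIssuerLocation<NimbusJwtDecoder>(issuer)
        val audienceCheck = OAuth2TokenValidator<Jwt> { jwt ->
            if (audience in jwt.audience) OAuth2TokenValidatorResult.success()
            else OAuth2TokenValidatorResult.failure(OAuth2Error("invalid_token", "audience mismatch", null))
        }
        decoder.setJwtValidator(DelegatingOAuth2TokenValidator(JwtValidators.createDefaultWithIssuer(issuer), audienceCheck))
        return decoder
    }
    // Runs only after validation: map the verified "sub" claim to the local user (creating the
    // row on first sight) and expose the roles stored in the database as Spring authorities.
    private fun dbBackedConverter() = Converter<Jwt, JwtAuthenticationToken> { jwt ->
        val local = users.findByAuth0Subject(jwt.subject)
            ?: users.save(AppUser(jwt.subject, organisationId = null, roles = setOf("USER")))
        JwtAuthenticationToken(jwt, local.roles.map { SimpleGrantedAuthority("ROLE_$it") }, jwt.subject)
    }
}
```

With this in place, controllers receive a `JwtAuthenticationToken` whose authorities come from your own database while the token itself was verified against Auth0's issuer, keys and your API audience.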
Answer 1
Score: 1
I have also written a tutorial for SPAs and Spring. It is continuously updated to the latest versions (currently depends on Spring Boot 3.1.0).
I use spring-cloud-gateway as BFF between the SPA (secured with sessions) and the Spring resource server (REST API secured with OAuth2 access tokens).
The BFF in my tutorial is configured to accept identities from 3 different sources, one of the 3 being Auth0.
For security reasons, the JWT never reaches the SPA. User info is served by the backend (the BFF in my tutorial, but could be any resource server behind it). You can retrieve whatever business data and attach it to the response in this service, before returning the user info payload...
The SPA is written in Angular, but as there is nothing related to OAuth2 in it, adapting it to React is straightforward.
Answer 2
Score: 0
I created an example last year that shows how to use React and Spring Boot together with Auth0.
It uses Auth code flow on the server and uses good ol' session cookies to secure communications with the client. This is the most secure way to implement OAuth between the two frameworks because an access token never lives in the browser.
Comments