2025-03-30 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
This article introduces the fifth OAuth 2.0 authorization mode supported by Spring Security 5.5.
Spring Security 5.5 has been released, with changes mainly involving the OAuth 2.0 and SAML 2.0 protocols. One of the highlights is support for jwt-bearer, another OAuth 2.0 authorization mode.
JWT Bearer Authorization Mode
OAuth 2.0, as it typically appears in the major technology communities, has four authorization modes:
Authorization code mode grant_type=authorization_code.
Implicit mode response_type=token.
Password mode grant_type=password.
Client credentials mode grant_type=client_credentials.
In fact, all of these modes use a Bearer Token, and the token may even be a JWT directly. So how can JWT Bearer be defined as an authorization mode of its own?
JWT Bearer Authorization
First of all, a jwt-bearer authorization request also carries the grant_type parameter to indicate the authorization mode used:
grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer
This grant_type is a bit long! The request also carries the assertion parameter, which can only be a JWT, and optionally the scope parameter to indicate the scope of the request. Based on the above description, a jwt-bearer authorization request looks something like this:
    POST /token/oauth3 HTTP/1.1
    Host: felord.cn
    Content-Type: application/x-www-form-urlencoded

    grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer
    &assertion=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.
    eyJzdWIiOiJhbGwiLCJhdWQiOiJGZWxvcmRjbiIsInJv.
    ER2U4CAt1xYxXBmnVQsrirkMwPwxwjWxjs
In other words, a user who wants to request authorization must first have a JWT. I personally estimate that it may be a third-party JWT credential that can be trusted by the authorization server. After the credential is verified, the user can obtain the corresponding authorization to access specific resources.
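The credential verification described above, seen from the authorization server's side, as an added example (not code from Spring Security or from the original article). The issuer, token endpoint and shared secret are constructed assumptions, HS256 from the standard library stands in for the RS256 signature of the sample request, and the required claims (iss, sub, aud, exp) follow RFC 7523.

```python
import base64, hashlib, hmac, json
from urllib.parse import parse_qs

JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"
TOKEN_ENDPOINT = "https://as.example/token"  # constructed for this example
TRUSTED_ISSUERS = {"https://idp.example": b"constructed-shared-secret"}  # constructed

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_assertion(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Client side: build a compact JWT, always MACed with HMAC-SHA256."""
    head = b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(sig)}"

def check_token_request(form_body: str, now: float) -> dict:
    """Server side: return the verified claims or raise ValueError(reason)."""
    params = {k: v[0] for k, v in parse_qs(form_body).items()}
    if params.get("grant_type") != JWT_BEARER:
        raise ValueError("unsupported_grant_type")
    try:
        head_b64, body_b64, sig_b64 = params["assertion"].split(".")
        header = json.loads(b64url_decode(head_b64))
        claims = json.loads(b64url_decode(body_b64))
        sig = b64url_decode(sig_b64)
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise ValueError
    except (KeyError, ValueError):
        raise ValueError("malformed assertion")
    if header.get("alg") != "HS256":  # pin the algorithm; rejects "none" too
        raise ValueError("unexpected alg")
    key = TRUSTED_ISSUERS.get(str(claims.get("iss")))
    if key is None:
        raise ValueError("untrusted issuer")
    mac = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, mac):
        raise ValueError("bad signature")
    aud = claims.get("aud")  # must name this authorization server
    if TOKEN_ENDPOINT not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if not claims.get("sub"):
        raise ValueError("missing sub")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("expired or missing exp")
    return claims
```

The claims are read only after the signature check passes, so a forged assertion cannot steer the audience or expiry decisions.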
Client Authentication
RFC 7523 also specifies that JWT Bearer can be used for client authentication. The client carries a client_assertion_type parameter:
client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer
Similar to Bearer JWT authorization, the request also carries a client_assertion parameter, which contains a JWT. An example request:
    POST /token/oauth3 HTTP/1.1
    Host: felord.cn
    Content-Type: application/x-www-form-urlencoded

    grant_type=authorization_code&
    code=n0esc3NRze7LTCu7iYzS6a5acc3f0ogp4&
    client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3A
    client-assertion-type%3Ajwt-bearer&
    client_assertion=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.
    eyJzdWIiOiJhbGwiLCJhdWQiOiJGZWxvcmRjbiIsInJv.
    ER2U4CAt1xyxXBmnVQsrirkMwPwxwjWxjs

Scenario
So what is the scenario? According to RFC 7523, this mode is used when a client wishes to acquire an access token using an existing trust relationship, expressed through the semantics of the JWT, without a direct user approval step at the authorization server.
In addition, jwt-bearer is also defined as a client authentication mechanism, used to determine whether the client's identity is valid. Client authentication using a JWT and client authorization using a JWT are separate behaviors, and they can be used in combination or separately. Client authentication using a JWT is simply an alternative way for a client to authenticate to the token endpoint.