
spring-boot - How to persist OAuth2AuthorizedClient in redis-session

Reposted. Author: 行者123. Updated: 2023-12-04 09:57:28

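My project uses a Redis session with Spring Boot session and Spring Security 5.1.10. I just migrated the old OAuth2 implementation. Before, when I restarted the application, I still had the access_token and refresh_token. With this implementation the user is logged in, but I lose the AuthorizedClients, so the loadAuthorizedClient function returns null after a restart. Also, in production we have many containers running the same application. Is there any standard Spring Boot way to achieve this? Like registering some bean or something.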

application.yml

    ...

    session:
      store-type: redis
      redis:
        namespace: spring:session:${spring.application.name}
    redis:
      host: ${redissession.host}
      password: ${redissession.password}
      port: ${redissession.port}

    security:
      oauth2:
        client:
          registration:
            biocryptology:
              provider: example
              client-id: client
              client-secret: xxx
              client-authentication-method: basic
              authorization-grant-type: authorization_code
              redirect-uri-template: "{baseUrl}/login"
              scope:
                - openid
          provider:
            example:
              issuer-uri: https://....
    ...


Controller.java

    @Autowired
    private OAuth2AuthorizedClientService clientService;

    @GetMapping("/user")
    public String getOidcUserPrincipal() throws InvalidSessionException {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        if (!(authentication.getPrincipal() instanceof OidcUser)) {
            throw new InvalidSessionException();
        }

        OidcUser principal = ((OidcUser) authentication.getPrincipal());
        LOG.info("oidc: {}", principal.getName());

        OAuth2AuthenticationToken oauth2Token = (OAuth2AuthenticationToken) authentication;
        LOG.info("authentication: {}", oauth2Token);
        OAuth2AuthorizedClient client = clientService
                .loadAuthorizedClient(oauth2Token.getAuthorizedClientRegistrationId(), authentication.getName());
        LOG.info("client: {}", client);

        return "logged";
    }

The goal is to get the access_token and refresh_token across containers. Is there any other way, without OAuth2AuthorizedClientService?

Edit:

    <!-- Spring -->
    <spring-cloud.version>Greenwich.SR5</spring-cloud.version>

Best answer

Registering a bean did the trick: it saves it in the session, but then OAuth2AuthorizedClientService fails in every case and needs a workaround, either searching the session directly or using an autowired OAuth2AuthorizedClientRepository:

    @Bean
    public OAuth2AuthorizedClientRepository authorizedClientRepository() {
        return new HttpSessionOAuth2AuthorizedClientRepository();
    }

Controller.java

    @Autowired
    private OAuth2AuthorizedClientRepository clientRepository;

    @GetMapping("/user")
    public Map<String, Object> getOidcUserPrincipal(HttpServletRequest request) throws InvalidSessionException {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        if (!(authentication.getPrincipal() instanceof OidcUser)) {
            throw new InvalidSessionException();
        }

        OidcUser principal = ((OidcUser) authentication.getPrincipal());
        // The registration id comes from the OAuth2 login token.
        OAuth2AuthenticationToken oauth2Token = (OAuth2AuthenticationToken) authentication;

        // Looks the client up in the HTTP session, which Spring Session stores in Redis.
        OAuth2AuthorizedClient client = clientRepository
                .loadAuthorizedClient(oauth2Token.getAuthorizedClientRegistrationId(), authentication, request);
        LOG.info("client: {}", client);
        if (Objects.nonNull(client)) {
            String token = client.getAccessToken().getTokenValue();
            // getRefreshToken() returns null when the provider issued no refresh token.
            String refreshtoken = client.getRefreshToken() != null
                    ? client.getRefreshToken().getTokenValue() : null;

            // Debug output only: this writes raw token values to the log.
            LOG.info("token: {} {}", token, refreshtoken);
        }

        return principal.getClaims();
    }
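
A variant of the answer's controller, added here as an example and not part of the original post: it reads the authorized client from the session-backed OAuth2AuthorizedClientRepository and reports token state without logging or returning the token values. The class name TokenStatusController and the /token-status path are assumptions.

```java
import java.time.Instant;
import java.util.LinkedHashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;

import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepository;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

// Hypothetical controller name and endpoint path; not part of the original post.
@RestController
public class TokenStatusController {

    private final OAuth2AuthorizedClientRepository clientRepository;

    public TokenStatusController(OAuth2AuthorizedClientRepository clientRepository) {
        this.clientRepository = clientRepository;
    }

    @GetMapping("/token-status")
    public Map<String, Object> tokenStatus(OAuth2AuthenticationToken authentication,
                                           HttpServletRequest request) {
        Map<String, Object> status = new LinkedHashMap<>();
        // Reads the client from the HttpSession, which Spring Session keeps in Redis,
        // so any container that receives the session cookie sees the same entry.
        OAuth2AuthorizedClient client = clientRepository.loadAuthorizedClient(
                authentication.getAuthorizedClientRegistrationId(), authentication, request);
        status.put("authorizedClientPresent", client != null);
        if (client == null) {
            return status; // e.g. a session created before the repository bean was registered
        }
        OAuth2AccessToken accessToken = client.getAccessToken();
        Instant expiresAt = accessToken.getExpiresAt(); // may be null if the provider sent no expiry
        status.put("accessTokenExpiresAt", expiresAt);
        status.put("accessTokenExpired", expiresAt != null && expiresAt.isBefore(Instant.now()));
        status.put("scopes", accessToken.getScopes());
        // The provider may not issue a refresh token, so getRefreshToken() can be null.
        status.put("refreshTokenPresent", client.getRefreshToken() != null);
        return status; // token values themselves never leave this method
    }
}
```

Because the authorized client is serialized into the Redis session, the access and refresh tokens are stored in Redis in recoverable form, so access to that Redis instance needs the same protection as the tokens themselves.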

Regarding spring-boot - How to persist OAuth2AuthorizedClient in redis-session, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/61893795/
