
Spring OAuth Authorization Server requires scope

Reposted. Author: 行者123. Updated: 2023-12-04 15:31:45

We are currently using the Spring OAuth authorization server, but we do not currently use the "scope" parameter from the OAuth specification. This is a bit of a headache, because the Spring OAuth authorization server explicitly requires that scope when an authorization code is requested.

From DefaultOAuth2RequestValidator:

if (requestScopes.isEmpty()) {
    throw new InvalidScopeException("Empty scope (either the client or the user is not allowed the requested scopes)");
}

However, this directly contradicts the OAuth 2.0 specification (RFC 6749):
4.1.1.  Authorization Request

   The client constructs the request URI by adding the following
   parameters to the query component of the authorization endpoint URI
   using the "application/x-www-form-urlencoded" format, per Appendix B:

   response_type
         REQUIRED.  Value MUST be set to "code".

   client_id
         REQUIRED.  The client identifier as described in Section 2.2.

   redirect_uri
         OPTIONAL.  As described in Section 3.1.2.

   scope
         OPTIONAL.  The scope of the access request as described by
         Section 3.3.

   state
         RECOMMENDED.  An opaque value used by the client to maintain
         state between the request and callback.  The authorization
         server includes this value when redirecting the user-agent back
         to the client.  The parameter SHOULD be used for preventing
         cross-site request forgery as described in Section 10.12.

Is there an explicit reason why the Spring Authorization Server does this? I know that I can replace the validator with my own but I'm curious as to why this is the default in case I'm missing any understanding other than it being this way for legacy reasons.

Thank you.

EDIT

For those looking for an alternative implementation that follows the specification, here is mine. It simply checks that only if the client is restricted to certain scopes is the requested scope required, and that the requested scope must then be in the list of assigned client scopes. If the client has no assigned scopes, this implementation assumes they are allowed to use any scope (the same assumption that is made for resources). I'm not quite sure yet about the implications of this or whether it's genuinely correct. Please let me know if it is not.

import java.util.Set;

import org.apache.commons.collections.CollectionUtils;
import org.springframework.security.oauth2.common.exceptions.InvalidScopeException;
import org.springframework.security.oauth2.provider.AuthorizationRequest;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.security.oauth2.provider.TokenRequest;

/**
 * Replacement for DefaultOAuth2RequestValidator: a scope is only mandatory when the
 * client has registered scopes; a client with no registered scopes may request anything.
 */
public class OAuth2RequestValidator
        implements org.springframework.security.oauth2.provider.OAuth2RequestValidator {

    @Override
    public void validateScope(final AuthorizationRequest authorizationRequest,
                              final ClientDetails client) throws InvalidScopeException {
        this.validateScope(authorizationRequest.getScope(), client.getScope());
    }

    @Override
    public void validateScope(final TokenRequest tokenRequest, final ClientDetails client)
            throws InvalidScopeException {
        this.validateScope(tokenRequest.getScope(), client.getScope());
    }

    private void validateScope(final Set<String> requestScopes,
                               final Set<String> clientScopes) {
        // Only a client that is restricted to a scope list has to send a scope...
        if (!CollectionUtils.isEmpty(clientScopes)) {
            if (CollectionUtils.isEmpty(requestScopes)) {
                throw new InvalidScopeException(
                        "Empty scope (either the client or the user is "
                                + "not allowed the requested scopes)");
            }

            // ...and every requested scope must be one of its registered scopes.
            for (final String scope : requestScopes) {
                if (!clientScopes.contains(scope)) {
                    throw new InvalidScopeException("Invalid scope: " + scope, clientScopes);
                }
            }
        }
    }

}

Best answer

According to DefaultOAuth2RequestFactory, if the client does not supply a scope, the scopes registered for the client are used instead.

DefaultOAuth2RequestFactory.java

private Set<String> extractScopes(Map<String, String> requestParameters, String clientId) {
    Set<String> scopes = OAuth2Utils.parseParameterList(requestParameters.get(OAuth2Utils.SCOPE));
    ClientDetails clientDetails = clientDetailsService.loadClientByClientId(clientId);

    if ((scopes == null || scopes.isEmpty())) {
        // If no scopes are specified in the incoming data, use the default values registered with the client
        // (the spec allows us to choose between this option and rejecting the request completely, so we'll take the
        // least obnoxious choice as a default).
        scopes = clientDetails.getScope();
    }

    if (checkUserScopes) {
        scopes = checkUserScopes(scopes, clientDetails);
    }
    return scopes;
}

So you can configure your client with a default scope of "all" or similar, e.g.
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
    clients.inMemory()
        .withClient("client").secret("secret")
        .authorizedGrantTypes("authorization_code", "client_credentials")
        .scopes("all");
}
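Both behaviours discussed on this page, the "Empty scope" rejection the question hits for a client with no registered scopes and the fallback to the client's registered scopes that the answer points out, can be observed by driving Spring Security OAuth2's DefaultOAuth2RequestFactory and DefaultOAuth2RequestValidator directly, outside a web container. This is an added example, not code from the question, the answer or the Spring project; the client ids ("web-app", "unscoped") and the scope names are made up for the demo, and it assumes spring-security-oauth2 2.x on the classpath.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

import org.springframework.security.oauth2.common.exceptions.InvalidScopeException;
import org.springframework.security.oauth2.provider.AuthorizationRequest;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.security.oauth2.provider.client.BaseClientDetails;
import org.springframework.security.oauth2.provider.client.InMemoryClientDetailsService;
import org.springframework.security.oauth2.provider.request.DefaultOAuth2RequestFactory;
import org.springframework.security.oauth2.provider.request.DefaultOAuth2RequestValidator;

/**
 * Added demo (not from the original post): feeds authorization-request parameters
 * through Spring's default request factory and default scope validator.
 */
public class ScopeFallbackDemo {

    // Constructed client registry. "web-app" is registered with explicit, minimal
    // scopes; "unscoped" has none, which is the situation the question describes.
    static InMemoryClientDetailsService clientRegistry() {
        Map<String, ClientDetails> store = new HashMap<>();
        // BaseClientDetails(clientId, resourceIds, scopes, grantTypes, authorities)
        store.put("web-app", new BaseClientDetails(
                "web-app", "", "profile,orders:read", "authorization_code", ""));
        store.put("unscoped", new BaseClientDetails(
                "unscoped", "", "", "authorization_code", ""));
        InMemoryClientDetailsService service = new InMemoryClientDetailsService();
        service.setClientDetailsStore(store);
        return service;
    }

    // Builds the /oauth/authorize parameter map for one client, runs it through
    // factory + validator, and returns the effective scope set, or null on rejection.
    static Set<String> resolve(String clientId, String scopeParam) {
        InMemoryClientDetailsService clients = clientRegistry();
        DefaultOAuth2RequestFactory factory = new DefaultOAuth2RequestFactory(clients);
        DefaultOAuth2RequestValidator validator = new DefaultOAuth2RequestValidator();

        Map<String, String> params = new HashMap<>();
        params.put("client_id", clientId);
        params.put("response_type", "code");
        if (scopeParam != null) {
            params.put("scope", scopeParam);   // omitted entirely when null
        }

        // extractScopes(): an absent or empty scope parameter is replaced by the
        // client's registered scope set before the validator ever sees the request.
        AuthorizationRequest request = factory.createAuthorizationRequest(params);
        ClientDetails client = clients.loadClientByClientId(clientId);
        try {
            validator.validateScope(request, client);
            return request.getScope();
        } catch (InvalidScopeException e) {
            System.out.println(clientId + " / scope=" + scopeParam
                    + " -> rejected: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) {
        // Scope omitted, client has registered scopes: the request is accepted and
        // carries the client's whole registered set.
        System.out.println("web-app, no scope   -> " + resolve("web-app", null));
        // Explicit subset of the registered scopes: accepted as requested.
        System.out.println("web-app, orders:read -> " + resolve("web-app", "orders:read"));
        // Scope the client was never granted: rejected with "Invalid scope: ...".
        System.out.println("web-app, admin      -> " + resolve("web-app", "admin"));
        // Scope omitted, client has NO registered scopes: the fallback yields an empty
        // set, so the default validator throws "Empty scope ..." (the question's case).
        System.out.println("unscoped, no scope  -> " + resolve("unscoped", null));
    }
}
```

Two things follow from running this. First, the fallback means that a client registered with a catch-all scope such as "all" receives that scope on every request that omits the parameter, and a resource server checking `#oauth2.hasScope('all')` will accept the resulting token; registering each client with only the scopes it actually needs keeps the "omitted scope" default harmless. Second, the validator in the question accepts any scope string from a client that has no registered scopes, so such a client can mint tokens carrying arbitrary scope names; keeping the empty-scope rejection for unscoped clients, or registering scopes for every client, avoids that.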

On "Spring OAuth Authorization Server requires scope", a similar question can be found on Stack Overflow: https://stackoverflow.com/questions/39756748/
