OAuth 2.0 with Spring Security #jjug_ccc #jjug_ccc_b / oauth2-with-spring-security

$
$"4"3&"- *OD"MMSJHIUTSFTFSWFE
#jjug_ccc
0"VUI
XJUI
4QSJOH4FDVSJUZ
ג
ΧαϨΞϧଟాਅහ
೥݄೔
++6($$$'BMM

View Slide

$
#jjug_ccc
͜ͷηογϣϯʹ͍ͭͯ
▸ 4QSJOH4FDVSJUZͷ0"VUIؔ࿈ػೳΛɺ
࢓૊Έ΋ؚΊͯ෼͔Γ΍͘͢ղઆ͠·͢
▸ αϯϓϧίʔυ
▸ IUUQTHJUIVCDPN.BTBUPTIJ5BEBPBVUIXJUI
TQSJOHTFDVSJUZ

View Slide

$
#jjug_ccc
ඞཁͳલఏ஌ࣝ
▸ ͜ͷηογϣϯ͸ʲதڃऀ޲͚ʳͰ͢
▸ ҎԼͷલఏ஌͕ࣝඞཁͰ͢
▸ "VUIPSJ[BUJPO$PEF(SBOU'MPXΛઆ໌Ͱ͖Δ
▸ 4QSJOH4FDVSJUZΛ࢖ͬͨ͜ͱ͕͋Δ
▸ 0"VUIػೳͰͳͯ͘΋0,

View Slide

$
#jjug_ccc
ઌʹ݁࿦
▸ 4QSJOH4FDVSJUZ಺෦ͷRestTemplateʹ͸ɺ
λΠϜΞ΢τ͕ઃఆ͞Ε͍ͯͳ͍͜ͱ͕
΄ͱΜͲ
ˠͪΌΜͱλΠϜΞ΢τΛઃఆ͠·͠ΐ͏

View Slide

$
#jjug_ccc
0"VUIͷجૅΛ஌Γ͍ͨํ͸ʜ

https://www.slideshare.net/masatoshitada7/oauth-20spring-security-51-121418814

View Slide

$
#jjug_ccc
4QSJOH4FDVSJUZͷΞʔΩςΫνϟΛ஌Γ͍ͨํ͸ʜ

https://www.slideshare.net/masatoshitada7/spring-security-meetup

View Slide

$
#jjug_ccc
ࣗݾ঺հ
▸ ଟాਅහʢ[email protected]ʣ
▸ ݚमτϨʔφʔ!ΧαϨΞϧ
▸ +BWB(PMBOH.JDSPTFSWJDFT
,VCFSOFUFT1ZUIPOػցֶश
▸ 7.XBSFೝఆߨࢣ
▸ ೔ຊ4QSJOHϢʔβձελοϑ

View Slide

$
#jjug_ccc
ઌʹ͓࿳ͼ͓͖ͯ͠·͢
▸ ່ࢯʢϲ݄ʣͷ੠͕ͱ͜ΖͲ͜ΖೖΔ͔΋
͠Ε·ͤΜ

View Slide

$
#jjug_ccc
גࣜձࣾΧαϨΞϧ
▸ ଞࣾʹ͸ແ͍৭ʑͳϓϩάϥϛϯάݴޠͷ
ݚमΛఏڙ͍ͯ͠·͢ʂ

/&8

View Slide

$
#jjug_ccc
4QSJOHܥίʔε

▸ جૅ͔Βͷ4QSJOH#PPUʹΑΔ
8FCΞϓϦέʔγϣϯ։ൃʢ೔ؒʣ
▸ 7.XBSF5BO[Vೝఆ4QSJOH$PSF5SBJOJOHʢ೔ؒʣ
▸ 7.XBSF5BO[Vೝఆ4QSJOH$MPVE%FWFMPQFSʢ೔ؒʣ
▸ جૅ͔Βͷ4QSJOH4FDVSJUZʢ೔ؒʣ
▸ جૅ͔Βͷ4QSJOH#BUDIʢ೔ؒʣ

View Slide

$
#jjug_ccc
৽نίʔεϦϦʔε

(PݴޠʹΑΔ
Ϋϥ΢υωΠςΟϒΞϓϦέʔγϣϯ։ൃ
جຊจ๏ɺ8FCΞϓϦέʔγϣϯɺϚΠΫϩαʔϏε
1ZUIPOೖ໳
جຊจ๏ɺϥΠϒϥϦͷར༻ɺ8FCεΫϨΠϐϯά
1ZUIPOʹΑΔػցֶशೖ໳ʢԾʣ

View Slide

$
#jjug_ccc
ΦϯϥΠϯݚमɺ͸͡Ί·ͨ͠

ߨࢣ
डߨऀ༷
▸ ʮֶशޮՌ͸௨ৗͱมΘΒͳ͍ʯ
ͱ޷ධͰ͢ʂ

View Slide

$
#jjug_ccc
໨࣍
▸ 0"VUIΛβοͱ෮श
▸ ΫϥΠΞϯτͷجຊػೳͱߏ଄
▸ ΫϥΠΞϯτͰͷ8FC$MJFOUͷར༻
▸ Ϧιʔεαʔόʔͷجຊػೳͱߏ଄
▸ 5PLFO*OUSPTQFDUJPO
▸ 5PLFO1SPQBHBUJPO
▸ ·ͱΊ

View Slide

$
#jjug_ccc
0"VUIͱ͸
▸ ೝՄͷྲྀΕΛنఆͨ͠ϓϩτίϧ
▸ 3'$ ೔ຊޠ൛΋͋Δ

▸ 0"VUIͱ͸ผ෺
▸ 4USVUTͱ4USVUT͘Β͍ҧ͏
▸ ೝূϓϩτίϧ0QFO*%$POOFDU
ͷϕʔεʹͳ͍ͬͯΔ

View Slide

$
#jjug_ccc
0"VUIͷొ৔ਓ෺
ᶃ ϦιʔεΦʔφʔ 3FTPVSDF0XOFS

▸ ৘ใͷ࣋ͪओɻଟ͘ͷέʔεͰ͸ਓؒɻ
ᶄ Ϧιʔεαʔόʔ 3FTPVSDF4FSWFS

▸ ৘ใΛอ࣋͢Δαʔόʔɻ
ᶅ ΫϥΠΞϯτ $MJFOU

▸ Ϧιʔεαʔόʔ͔Β΋Βͬͨ৘ใΛѻ͏ΞϓϦέʔγϣϯɻ
ᶆ ೝՄαʔόʔ "VUIPSJ[BUJPO4FSWFS

▸ ΞΫηετʔΫϯΛൃߦ͢Δαʔόʔɻ

View Slide

$
#jjug_ccc
5XJUUFSͷྫͰొ৔ਓ෺·ͱΊ

twitter.com
͜Μʹͪ͸! 
ָ͠Έͩͳʔ
Ϧιʔε 
Φʔφʔ
ΫϥΠΞϯτ
Ϧιʔεαʔόʔ
ೝՄαʔόʔ
ೝՄ
ΞΫηε 
τʔΫϯ 
෇༩
ΞΫηε 
τʔΫϯ
ͭͿ΍͖
※ຊ౰͸Twitter͸OAuth 1.0Λ࢖͍ͬͯ·͢

View Slide

$
#jjug_ccc
άϥϯτλΠϓʢΞΫηετʔΫϯͷऔಘํ๏ʣ
ᶃ ೝՄίʔυ
▸ ओʹαʔόʔαΠυ8FCΞϓϦέʔγϣϯ
ᶄ ΠϯϓϦγοτʢඇਪ঑ʣ
▸ ओʹΫϥΠΞϯταΠυ8FCΞϓϦέʔγϣϯ
ᶅ ϦιʔεΦʔφʔύεϫʔυΫϨσϯγϟϧʢඇਪ঑ʣ
▸ ओʹެࣜͷεϚϗΞϓϦͳͲ
ᶆ ΫϥΠΞϯτΫϨσϯγϟϧ
▸ ΫϥΠΞϯτࣗ਎ͷ৘ใऔಘ

View Slide

$
#jjug_ccc
<ࢀߟ>0"VUIͷ࢓༷ࡦఆ͕ਐߦத
▸ 0"VUIͷ࢓༷ʴͦͷଞΛ࠶੔ཧͨ͠΋ͷ
ˠطʹඇਪ঑ͱͳ͍ͬͯΔػೳ͕࡟আ͞ΕΔ
▸ ΠϯϓϦγοτ
▸ ϦιʔεΦʔφʔύεϫʔυΫϨσϯγϟϧ
▸ ৄࡉ͸ͪ͜Βͷهࣄ΁
▸ 0"VUIͷඪ४Խ͕ਐΊΒΕ͍ͯ·͢
[email protected]
▸ 4QSJOH4FDVSJUZͷ0"VUIରԠ༧ఆ͸ɺݱ࣌఺Ͱ͸ෆ໌

View Slide

$
#jjug_ccc
ೝՄίʔυʹΑΔΞΫηετʔΫϯऔಘ

ೝՄαʔόʔ
ΫϥΠΞϯτ
Ϧιʔε 
Φʔφʔ
Web 
ϒϥ΢β※
※Webϒϥ΢β͸ɺ࢓༷ॻͰ͸ʮϢʔβʔΤʔδΣϯτʯͱهࡌ͞Ε͍ͯ·͢
ᶃॳճΞΫηε

View Slide

$
#jjug_ccc

ೝՄαʔόʔ
ΫϥΠΞϯτ
Ϧιʔε 
Φʔφʔ
Web 
ϒϥ΢β※
ᶃॳճΞΫηε
ᶄೝՄΤϯυϙΠϯτʹϦμΠϨΫτ

View Slide

$
#jjug_ccc

ೝՄαʔόʔ
ΫϥΠΞϯτ
Ϧιʔε 
Φʔφʔ
Web 
ϒϥ΢β※
ᶃॳճΞΫηε
ᶅೝՄը໘

View Slide

$
#jjug_ccc

ೝՄαʔόʔ
ΫϥΠΞϯτ
Ϧιʔε 
Φʔφʔ
Web 
ϒϥ΢β※
ᶃॳճΞΫηε
ᶅೝՄը໘
ᶆೝՄ

View Slide

$
#jjug_ccc

ೝՄαʔόʔ
ΫϥΠΞϯτ
Ϧιʔε 
Φʔφʔ
Web 
ϒϥ΢β※
ᶃॳճΞΫηε
ᶇೝՄίʔυൃߦʴϦμΠϨΫτ
ᶅೝՄը໘
ᶆೝՄ

View Slide

$
#jjug_ccc

ೝՄαʔόʔ
ΫϥΠΞϯτ
Ϧιʔε 
Φʔφʔ
Web 
ϒϥ΢β※
ᶃॳճΞΫηε
ᶈೝՄίʔυ
ᶅೝՄը໘
ᶆೝՄ

View Slide

$
#jjug_ccc

ೝՄαʔόʔ
ΫϥΠΞϯτ
Ϧιʔε 
Φʔφʔ
Web 
ϒϥ΢β※
ᶃॳճΞΫηε
ᶈೝՄίʔυ
ᶉΞΫηετʔΫϯ
ᶅೝՄը໘
ᶆೝՄ

View Slide

$
#jjug_ccc
ΞΫηετʔΫϯΛར༻ͨ͠ϦιʔεΞΫηε

ೝՄαʔόʔ
ΫϥΠΞϯτ
Ϧιʔε 
Φʔφʔ
Web 
ϒϥ΢β
੥ٻॻ࡞੒ 
ࢿྉ༣ૹ
Ϧιʔε 
αʔόʔ
ᶃϦΫΤετ

View Slide

$
#jjug_ccc

ೝՄαʔόʔ
ΫϥΠΞϯτ
Ϧιʔε 
Φʔφʔ
Web 
ϒϥ΢β
੥ٻॻ࡞੒ 
ࢿྉ༣ૹ
Ϧιʔε 
αʔόʔ
ᶃϦΫΤετ
ᶄϦιʔεʹΞΫηε 
with ΞΫηετʔΫϯ

View Slide

$
#jjug_ccc

ೝՄαʔόʔ
ΫϥΠΞϯτ
Ϧιʔε 
Φʔφʔ
Web 
ϒϥ΢β
੥ٻॻ࡞੒ 
ࢿྉ༣ૹ
Ϧιʔε 
αʔόʔ
ᶃϦΫΤετ
ᶅΞΫηε 
ɹτʔΫϯ 
ɹݕূ

View Slide

$
#jjug_ccc

ೝՄαʔόʔ
ΫϥΠΞϯτ
Ϧιʔε 
Φʔφʔ
Web 
ϒϥ΢β
੥ٻॻ࡞੒ 
ࢿྉ༣ૹ
Ϧιʔε 
αʔόʔ
ᶃϦΫΤετ
ᶅΞΫηε 
ɹτʔΫϯ 
ɹݕূ
ᶆݕূ݁ՌΛฦ͢

View Slide

$
#jjug_ccc

ೝՄαʔόʔ
ΫϥΠΞϯτ
Ϧιʔε 
Φʔφʔ
Web 
ϒϥ΢β
੥ٻॻ࡞੒ 
ࢿྉ༣ૹ
Ϧιʔε 
αʔόʔ
ᶃϦΫΤετ
ᶅΞΫηε 
ɹτʔΫϯ 
ɹݕূ
ᶆݕূ݁ՌΛฦ͢
ᶇݕূ݁ՌΛ 
ɹ֬ೝ

View Slide

$
#jjug_ccc

ೝՄαʔόʔ
ΫϥΠΞϯτ
Ϧιʔε 
Φʔφʔ
Web 
ϒϥ΢β
੥ٻॻ࡞੒ 
ࢿྉ༣ૹ
Ϧιʔε 
αʔόʔ
ᶃϦΫΤετ
ᶅΞΫηε 
ɹτʔΫϯ 
ɹݕূ
ᶆݕূ݁ՌΛฦ͢
ᶈϨεϙϯε
ᶇݕূ݁ՌΛ 
ɹ֬ೝ

View Slide

$
#jjug_ccc

ೝՄαʔόʔ
ΫϥΠΞϯτ
Ϧιʔε 
Φʔφʔ
Web 
ϒϥ΢β
੥ٻॻ࡞੒ 
ࢿྉ༣ૹ
Ϧιʔε 
αʔόʔ
ᶃϦΫΤετ
ᶅΞΫηε 
ɹτʔΫϯ 
ɹݕূ
ᶆݕূ݁ՌΛฦ͢
ᶈϨεϙϯε
ᶉϨεϙϯε
ᶇݕূ݁ՌΛ 
ɹ֬ೝ

View Slide

$
#jjug_ccc
໨࣍
▸ ·ͱΊ

View Slide

$
#jjug_ccc
ґଘੑ

org.springframework.boot

spring-boot-starter-oauth2-client

wTQSJOHTFDVSJUZDPOpH
wTQSJOHTFDVSJUZPBVUIDMJFOU
ͳͲؚ͕·Ε͍ͯΔ

View Slide

$
#jjug_ccc
BQQMJDBUJPOZNM

spring.security.oauth2.client.registration.todo:
provider: ೚ҙͷ໊લ(.registrationͷޙʹ΋ࢦఆ͢Δ)
client-id: ΫϥΠΞϯτID
client-secret: ΫϥΠΞϯτγʔΫϨοτ
client-name: ೚ҙͷ໊લ(ը໘දࣔͰ࢖ΘΕΔ)
client-authentication-method: ΫϥΠΞϯτೝূํ๏
authorization-grant-type: άϥϯτλΠϓ
redirect-uri: ϦμΠϨΫτΤϯυϙΠϯτͷURL
scope: ͜ͷΞϓϦͷείʔϓΛΧϯϚ۠੾ΓͰࢦఆ
※εϖʔεͷ౎߹্ͰYAMLܗࣜͰॻ͍͍ͯ·͕͢ɺݸਓతʹ͸properties೿Ͱ͢

View Slide

$
#jjug_ccc
BQQMJDBUJPOZNMʢଓ͖ʣ

spring.security.oauth2.client.provider.todo:
authorization-uri: ೝՄΤϯυϙΠϯτͷURL
token-uri: τʔΫϯΤϯυϙΠϯτͷURL
user-info-uri: Ϣʔβʔ৘ใͷJSON͕ฦͬͯ͘ΔURL
user-name-attribute: JSONͷதͷϢʔβʔ໊Λද͢ଐੑ໊
user-info-authentication-method: Ϣʔβʔ৘ใऔಘ࣌ͷೝূํࣜ
jwk-set-uri: JWK Set͕ฦͬͯ͘ΔURL
issuer-uri: ೝՄαʔόʔͷIssuer Identiﬁer
※Keycloakͷ৔߹ɺissuer-uriΛࢦఆ͢Ε͹ଞͷϓϩύςΟ͸ࢦఆෆཁʢuser-name-attribute͸೚ҙʣ

View Slide

$
#jjug_ccc
+BWB$POpH

@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.oauth2Login()
.loginPage("/login")
.permitAll();
...
}
}
ϩάΠϯʹؔ͢Δઃఆ

View Slide

$
#jjug_ccc
4QSJOH4FDVSJUZ'JMUFS$IBJO

SecurityContextPersistenceFilter
LogoutFilter
OAuth2AuthorizationRequestRedirectFilter
OAuth2LoginAuthenticationFilter
ExceptionTranslationFilter
FilterSecurityInterceptor
ϦΫΤετ
ೝՄΤϯυϙΠϯτʹ
ϦμΠϨΫτ͢Δ
ೝূΛߦ͏

View Slide

$
#jjug_ccc
0"VUI"VUIPSJ[BUJPO3FRVFTU3FEJSFDU'JMUFS
▸ ೝՄ͕ඞཁͳ৔߹ɺೝՄαʔόʔͷ
ೝՄΤϯυϙΠϯτʹϦμΠϨΫτ͍ͯ͠Δ

@Override
protected void doFilterInternal(HttpServletRequest request,
HttpServletResponse response, FilterChain filterChain)
throws ServletException, IOException {
try {
OAuth2AuthorizationRequest authorizationRequest =
this.authorizationRequestResolver.resolve(request);
if (authorizationRequest != null) {
this.sendRedirectForAuthorization(
request, response, authorizationRequest);
return;
}
...
https://github.com/spring-projects/spring-security/blob/master/oauth2/
oauth2-client/src/main/java/org/springframework/security/oauth2/
client/web/OAuth2AuthorizationRequestRedirectFilter.java#L164

View Slide

$
#jjug_ccc
0"VUI-PHJO"VUIFOUJDBUJPO'JMUFS಺Ͱͷॲཧ

OAuth2LoginAuthenticationFilter
ProviderManager
OidcAuthorizationCodeAuthenticationProvider
DefaultAuthoriaztionCodeTokenResponseClient
ᶃೝՄίʔυΛड͚औΔ
ᶄೝՄίʔυΛ࣋ͬͨ
ɹAuthenticationΛ౉͢
ᶅೝՄίʔυΛ࣋ͬͨ
ɹAuthenticationΛ౉͢
ᶆݺͼग़͠
ᶇOAuth2AccessToken
ɹResponseΛฦ͢
ᶈ+85͔Β"VUIPSJUZΛநग़ɹ
ɹˠAuthenticationΛฦ͢
ᶉAuthenticationΛฦ͢
ᶊSecurityContextʹɹ
ɹAuthenticationΛอଘ

View Slide

$
#jjug_ccc
%FGBVMU"VUIPSJ[BUJPO$PEF5PLFO3FTQPOTF$MJFOU
▸ RestTemplateͰೝՄαʔόʔʹ
ΞΫηεͯ͠ɺΞΫηετʔΫϯͷऔಘΛߦ͏
▸ ͜ͷRestTemplateʹ͸ɺσϑΥϧτͰ͸
λΠϜΞ΢τ͕ઃఆ͞Ε͍ͯͳ͍

View Slide

$
#jjug_ccc
+BWB$POpHʹઃఆΛ௥Ճ

private DefaultAuthorizationCodeTokenResponseClient client() {
RestTemplate restTemplate = restTemplateBuilder
// λΠϜΞ΢τΛઃఆ
.setConnectTimeout(Duration.ofMillis(1000))
.setReadTimeout(Duration.ofMillis(1000))
...
.build();
DefaultAuthorizationCodeTokenResponseClient client =
new DefaultAuthorizationCodeTokenResponseClient();
// λΠϜΞ΢τઃఆࡁΈͷRestTemplateΛઃఆ
client.setRestOperations(restTemplate);
return client;
}

View Slide

$
#jjug_ccc
+BWB$POpHͷઃఆΛมߋ

@Override
http.oauth2Login(oauth2 -> oauth2
// λΠϜΞ΢τઃఆࡁΈͷTokenResponseClientΛࢦఆ
.tokenEndpoint(token -> token
.accessTokenResponseClient(client())
)
...
.loginPage("/login")
.permitAll()
).authorizeRequests(auth -> auth
...
˞εϥΠυͰ͸εϖʔεͷ౎߹্ׂѪ͍ͯ͠·͕͢ɺOAuth2UserService΍
ɹOidcUserServiceʹ΋ಉ༷ͷઃఆ͕ඞཁͰ͢ʢৄࡉ͸(JU)VCࢀরʣ

View Slide

$
#jjug_ccc
໨࣍
▸ ·ͱΊ

View Slide

$
#jjug_ccc
8FC$MJFOUͱ͸ʁ
▸ 4QSJOH8FC'MVYʹؚ·Ε͍ͯΔɺ
ϦΞΫςΟϒͳ)551ΫϥΠΞϯτ
▸ 3FBDUPSͷ'MVY.POPΛ׆༻
▸ ྲྀΕΔΑ͏ͳ"1*

public List findAll() {
return webClient.get()
.uri("/todos")
.retrieve()
.bodyToFlux(Todo.class)
.collectList()
.block();
}

View Slide

$
#jjug_ccc
3FTU5FNQMBUFͷ+BWBEPDΑΓ

https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/web/client/
RestTemplate.html
ɾҎ߱Ͱ͸ϝϯςφϯεϞʔυ΍Ͱ
ɾ୅ΘΓʹ8FC$MJFOUͷར༻Λݕ౼ͯ͠΍

View Slide

$
#jjug_ccc
8FC$MJFOUʹҠߦ͢΂͖͔ʁ
▸ ·ͩ࢑͘͸3FTU5FNQMBUFͰΑ͍ ଟాݸਓͷҙݟ

▸ ΞϓϦέʔγϣϯ΍4QSJOHຊମͳͲ΁ͷӨڹ͕ඇৗʹେ͖͍
ͨΊɺ3FTU5FNQMBUF͕͙͢ʹ࡟আ͞ΕΔͱ͸ࢥ͑ͳ͍
▸ 8FC$MJFOUΛ࢖͏ͱɺͲ͏ͯ͠΋'MVY.POPΛ࢖ͬͨ
ϦΞΫςΟϒϓϩάϥϛϯάΛҙࣝ͠ͳ͚Ε͹ͳΒͳ͍ͨΊɺ
೉қ౓্͕͕Δ
▸ ͜ͷઅͰ͸͋͘·Ͱʮ8FC$MJFOUΛ࢖͏ͱ͜͏ͳΔΑʯ
ͱ͍͏ྫΛ঺հ

View Slide

$
#jjug_ccc
8FC$MJFOUΛ4QSJOH.7$্Ͱ࢖͏

spring-boot-starter-web

spring-boot-starter-webflux

▸ TQSJOHCPPUTUBSUFSXFC .7$
ͱ
TQSJOHCPPUTUBSUFSXFCqVY 8FC'MVY
ͷ྆ํΛ
ґଘੑʹؚΊΔͱɺ4QSJOH.7$͕༏ઌ͞ΕΔ
▸ IUUQTEPDTTQSJOHJPTQSJOHCPPUEPDTDVSSFOUSFGFSFODF
IUNMTJOHMFCPPUGFBUVSFTXFCFOWJSPONFOU

View Slide

$
#jjug_ccc
8FC$MJFOUͷ#FBOఆٛ

@Bean
public WebClient webClient(...) {
// λΠϜΞ΢τΛઃఆ
Function super TcpClient, ? extends TcpClient> tcpMapper =
tcpClient -> {
// Connect TimeoutΛઃఆ
return tcpClient.option(ChannelOption.CONNECT_TIMEOUT_MILLIS, 1000)
.doOnConnected(conn -> conn
// Read TimeoutΛઃఆ
.addHandlerLast(
new ReadTimeoutHandler(1000, TimeUnit.MILLISECONDS))
// Write TimeoutΛઃఆ
.addHandlerLast(
new WriteTimeoutHandler(1000, TimeUnit.MILLISECONDS))
);
};
// ࣍ϖʔδʹଓ͘
λΠϜΞ΢τઃఆΛ๨Εͣʹʂ

View Slide

$
#jjug_ccc
8FC$MJFOUͷ#FBOఆٛʢଓ͖ʣ

// લϖʔδ͔Βͷଓ͖
HttpClient httpClient = HttpClient.create().tcpConfiguration(tcpMapper);
// OAuth2ؔ࿈ͷઃఆ
ServletOAuth2AuthorizedClientExchangeFilterFunction oAuth2Client =
new ServletOAuth2AuthorizedClientExchangeFilterFunction(
clientRegistrationRepository, authorizedClientRepository);
return builder.baseUrl(resourceServerUri)
// ࡞੒ͨ͠HttpClientΛ௥Ճ
.clientConnector(new ReactorClientHttpConnector(httpClient))
// OAuth2ઃఆΛ௥Ճ
.apply(oAuth2Client.oauth2Configuration())
...
.build();
}

View Slide

$
#jjug_ccc
4FSWMFU0"VUI"VUIPSJ[FE$MJFOU
&YDIBOHF'JMUFS'VODUJPO͸ԿΛͯ͘͠ΕΔ͔
▸ 8FC$MJFOU͔ΒͷϦΫΤετ࣌ʹ
Authorization: Bearer ΞΫηετʔΫϯ
Λϔομʔʹ௥Ճͯ͘͠ΕΔ
▸ ΞΫηετʔΫϯͷ༗ޮظݶ͕੾Ε͍ͯͨΒ
ϦϑϨογϡͯ͘͠ΕΔ

View Slide

$
#jjug_ccc
ϦϑϨογϡͷ࢓૊Έ

ServletOAuth2AuthorizedClientExchangeFilterFunction
DefaultOAuth2AuthorizedClientManager
DelegatingOAuth2AuthorizedClientProvider
RefreshTokenOAuth2AuthorizedClientProvider
DefaultRefreshTokenTokenResponseClient
ݺͼग़͠
ݺͼग़͠
ݺͼग़͠
ݺͼग़͠

View Slide

$
#jjug_ccc
%FGBVMU3FGSFTI5PLFO5PLFO3FTQPOTF$MJFOU
▸ 3FTU5FNQMBUFͰೝՄαʔόʔʹΞΫηεͯ͠ɺ
ΞΫηετʔΫϯͷϦϑϨογϡΛߦ͏
▸ ৄࡉ͸Լهͷهࣄࢀর
▸ 4QSJOH4FDVSJUZYͰ0"VUIΞΫηετʔΫϯΛ
ϦϑϨογϡ͢Δ
[email protected]
GCGDFCF

View Slide

$
#jjug_ccc
%FGBVMU3FGSFTI5PLFO5PLFO3FTQPOTF$MJFOU
ͷ஫ҙ఺
▸ σϑΥϧτͰ͸ɺ
಺෦Ͱ࢖͍ͬͯΔRestTemplateʹ
λΠϜΞ΢τ͕ઃఆ͞Ε͍ͯͳ͍
ˠԼهͷΑ͏ʹઃఆ

DefaultRefreshTokenTokenResponseClient tokenResponseClient =
new DefaultRefreshTokenTokenResponseClient();
RestTemplate restTemplate = restTemplateBuilder
...
.build();
tokenResponseClient.setRestOperations(restTemplate);

View Slide

$
#jjug_ccc
&YDIBOHF'JMUFS'VODUJPOʹλΠϜΞ΢τΛઃఆ

ServletOAuth2AuthorizedClientExchangeFilterFunction
DefaultOAuth2AuthorizedClientManager
OAuth2AuthorizedClientProvider
RestTemplateʢλΠϜΞ΢τઃఆࡁΈʣ
୅ೖ
୅ೖ
୅ೖ
୅ೖ
DefaultRefreshTokenTokenResponseClient

View Slide

$
#jjug_ccc
&YDIBOHF'JMUFS'VODUJPOʹλΠϜΞ΢τΛઃఆ

▸ ۩ମతͳίʔυ͸ϝνϟ௕͍ͷͰ(JU)VCࢀর
▸ IUUQTHJUIVCDPN.BTBUPTIJ5BEBPBVUIXJUI
TQSJOHTFDVSJUZCMPCNBTUFSDMJFOUKXUTSDNBJO
KBWBDPNFYBNQMFDMJFOUKXU
$MJFOU+XU"QQMJDBUJPOKBWB-

View Slide

$
#jjug_ccc
*TTVFཱͯ·ͨ͠
▸ ੋඇʮ͍͍Ͷʯ͍ͩ͘͞
▸ IUUQTHJUIVCDPNTQSJOHQSPKFDUTTQSJOHTFDVSJUZ
JTTVFT

View Slide

$
#jjug_ccc
໨࣍
▸ ·ͱΊ

View Slide

$
#jjug_ccc
ґଘੑ


spring-boot-starter-oauth2-resource-server

wTQSJOHTFDVSJUZDPOpH
wTQSJOHTFDVSJUZPBVUISFTPVSDFTFSWFS
wTQSJOHTFDVSJUZPBVUIKPTF
ͳͲؚ͕·Ε͍ͯΔ

View Slide

$
#jjug_ccc
BQQMJDBUJPOZNM

spring.security.oauth2.resourceserver.jwt:
jwk-set-uri: JWK Set͕ฦͬͯ͘ΔURL
issuer-uri: ೝՄαʔόʔͷIssuer Identiﬁer
※Keycloakͷ৔߹ɺissuer-uriΛࢦఆ͢Ε͹jwk-set-uri͸ࢦఆෆཁ

View Slide

$
#jjug_ccc
+BWB$POpH

@EnableWebSecurity
@Override
...
http.authorizeRequests()
.mvcMatchers("อޢର৅ͷURL")
.hasAuthority("SCOPE_είʔϓ໊")
...;
http.oauth2ResourceServer()
.jwt();
...
}
}

View Slide

$
#jjug_ccc

LogoutFilter
BearerTokenAuthenticationFilter
ϦΫΤετ
ड৴ͨ͠+85Λ࢖ͬͯ
ೝূ͢Δ

View Slide

$
#jjug_ccc
#FBSFS5PLFO"VUIFOUJDBUJPO'JMUFS಺Ͱͷॲཧ

ProviderManager
JwtAuthenticationProvider
NimbusJwtDecoder
ᶃϦΫΤετϔομʔͰ
ɹ+85จࣈྻΛड͚औΔ
ᶄ+85จࣈྻΛ࣋ͬͨ
ɹ"VUIFOUJDBUJPOΛ౉͢
ᶅ+85จࣈྻΛ࣋ͬͨ
ᶆ+85จࣈྻΛ౉͢
ᶇ+85จࣈྻΛݕূޙɺ
ɹ+XUΦϒδΣΫτʹม׵
ᶈ+XU͔Β"VUIPSJUZΛநग़ɹ
ɹˠ"VUIFOUJDBUJPOΛฦ͢
ᶉ"VUIFOUJDBUJPOΛฦ͢
ᶊ4FDVSJUZ$POUFYUʹɹ
ɹ"VUIFOUJDBUJPOΛอଘ
ݕূࣦഊ࣌͸
ྫ֎ൃੜ

View Slide

$
#jjug_ccc
໨࣍
▸ ·ͱΊ

View Slide

$
#jjug_ccc
+85ܗࣜΞΫηετʔΫϯͷ໰୊఺
▸ +85ʹؚ·Ε͍ͯͳ͍৘ใ͸औಘͰ͖ͳ͍
▸ +85ʹؚΉ৘ใ͕ଟ͗͢Δͱ
τʔΫϯࣗମ͕େ͖͘ͳͬͯ͠·͏
▸ ೝՄαʔόʔଆͰ
ΞΫηετʔΫϯΛແޮԽͰ͖ͳ͍

View Slide

$
#jjug_ccc
ͦ͜Ͱ5PLFO*OUSPTQFDUJPOʂ
▸ 3'$
▸ IUUQTUPPMTJFUGPSHIUNMSGD
▸ Ϧιʔεαʔόʔ͕ೝՄαʔόʔʹ
ΞΫηετʔΫϯΛૹ৴͢Δ͜ͱͰɺ
ᶃΞΫηετʔΫϯࣗମʹؚ·Ε͍ͯͳ͍৘ใΛ
औಘͰ͖Δ
ᶄΞΫηετʔΫϯͷ༗ޮੑΛνΣοΫͰ͖Δ

View Slide

$
#jjug_ccc
ϦΫΤετ

੥ٻॻ࡞੒ 
ࢿྉ༣ૹ
Ϧιʔε
αʔόʔ
ೝՄ
αʔόʔ
POST /introspect HTTP/1.1
Host: keycloak.example.com
Accept: application/json
Content-Type: application/x-www-form-urlencoded
Authorization: Basic dXNlcjpwYXNzd29yZAo=
token=ΞΫηετʔΫϯ

View Slide

$
#jjug_ccc
Ϩεϙϯε

੥ٻॻ࡞੒ 
ࢿྉ༣ૹ
Ϧιʔε
αʔόʔ
ೝՄ
αʔόʔ
HTTP/1.1 200 OK
Content-Type: application/json
{
"active": true·ͨ͸false,
"client_id": "ΫϥΠΞϯτͷID",
"username": "ϦιʔεΦʔφʔͷϢʔβʔ໊",
"scope": "είʔϓ",
...
}

View Slide

$
#jjug_ccc
Ϧιʔεαʔόʔͷೝূํ๏
▸ ۩ମతͳํ๏͸ɺ࢓༷Ͱ͸ఆ·͍ͬͯͳ͍
▸ 4QSJOH4FDVSJUZͷσϑΥϧτ͸#BTJDೝূ
▸ NimbusOpaqueTokenIntospector͕
RestTemplateΛ࢖࣮ͬͯߦ
▸ ଞͷํ๏ʹΧελϚΠζՄೳʢޙड़ʣ

View Slide

$
#jjug_ccc
BQQMJDBUJPOZNM

spring.security.oauth2.resourceserver.opaquetoken:
client-id: ϦιʔεαʔόʔͷID
client-secret: Ϧιʔεαʔόʔͷύεϫʔυ
introspection-uri: ೝՄαʔόʔͷ
ɹɹɹɹɹɹɹɹɹɹɹɹ ΠϯτϩεϖΫγϣϯΤϯυϙΠϯτ

View Slide

$
#jjug_ccc
+BWB$POpH

@EnableWebSecurity
@Override
.opaqueToken();
}
}

View Slide

$
#jjug_ccc

LogoutFilter
ϦΫΤετ
ड৴ͨ͠ΞΫηετʔΫϯΛ
࢖ͬͯೝূ͢Δ

View Slide

$
#jjug_ccc
#FBSFS5PLFO"VUIFOUJDBUJPO'JMUFS಺Ͱͷॲཧ

ProviderManager
OpaqueTokenAuthenticationProvider
NimbusOpaqueTokenIntrospector
ᶃϦΫΤετϔομʔͰ
ɹΞΫηετʔΫϯΛड͚औΔ
ᶄΞΫηετʔΫϯΛ࣋ͬͨ
ᶅΞΫηετʔΫϯΛ࣋ͬͨ
ᶆΞΫηετʔΫϯΛ౉͢
ᶇ5PLFO*OUSPTQFDUJPO࣮ߦ
ɹˠ0"VUI"VUIFOUJDBUJPO
ɹɹ1SJODJQBMΛฦ͢
ᶈ"VUIFOUJDBUJPOΛฦ͢
ᶉ"VUIFOUJDBUJPOΛฦ͢
ᶊ4FDVSJUZ$POUFYUʹɹ
ɹ"VUIFOUJDBUJPOΛอଘ
ݕূࣦഊ࣌͸
ྫ֎ൃੜ

View Slide

$
#jjug_ccc
ೝূํ๏ͷΧελϚΠζ

@EnableWebSecurity
@Override
.opaqueToken()
.introspector(new MyIntrospector());
}
}
public class MyIntrospector
implements OpaqueTokenIntrospector {
...
}

View Slide

$
#jjug_ccc
ΧελϚΠζྫ

▸ NimbusOpaqueTokenIntospector಺ͷ
RestTemplateʹλΠϜΞ΢τΛઃఆ
▸ σϑΥϧτͰ͸λΠϜΞ΢τແ͠ͳͷͰɺ
ઃఆͨ͠΄͏͕Α͍

View Slide

$
#jjug_ccc
ΧελϚΠζྫ

@Configuration
public class IntrospectorConfig {
@Bean
public NimbusOpaqueTokenIntrospector introspector(
RestTemplateBuilder builder,
OAuth2ResourceServerProperties prop) {
OAuth2ResourceServerProperties.Opaquetoken opaquetoken =
prop.getOpaquetoken();
RestTemplate rest = builder
.basicAuthentication(opaquetoken.getClientId(),
opaquetoken.getClientSecret())
.build();
return new NimbusOpaqueTokenIntrospector(
opaquetoken.getOpaquetoken().getIntrospectionUri(), rest);
}
}
λΠϜΞ΢τઃఆࡁΈͷ
RestTemplateΛར༻͢Δ
NimbusOpaqueToken
IntrospectorΛ#FBOఆٛ

View Slide

$
#jjug_ccc
ΧελϚΠζྫ

@EnableWebSecurity
@Autowired
OpaqueTokenIntrospector introspector;
@Override
.opaqueToken()
.introspector(introspector);
}
ΧελϚΠζͨ͠
NimbusOpaqueTokenIntrospector
ͷ#FBOΛࢦఆ

View Slide

$
#jjug_ccc
໨࣍
▸ ·ͱΊ

View Slide

$
#jjug_ccc
5PLFO1SPQBHBUJPOͱ͸
▸ தؒͷϚΠΫϩαʔϏε͸ɺ
ࣗ෼͕ड͚औͬͨΞΫηετʔΫϯΛ
ͦͷ··ԼྲྀͷϚΠΫϩαʔϏεʹ౉͢

$MJFOU
"1*
(BUFXBZ
3FTPVSDF
4FSWFS
ΞΫηε
τʔΫϯ
ΞΫηε
τʔΫϯ

View Slide

$
#jjug_ccc
5PLFO1SPQBHBUJPOͷઃఆ
▸ WebClientʹ
ServletBearerExchangeFilterFunction
Λ௥Ճ

@Bean
public WebClient webClient(...) {
...
return builder.baseUrl(resourceServerUri)
.clientConnector(new ReactorClientHttpConnector(httpClient))
.filter(new ServletBearerExchangeFilterFunction())
...
.build();
}

View Slide

$
#jjug_ccc
5PLFO1SPQBHBUJPOͷ࢓૊Έ
▸ ϦΫΤετૹ৴લʹ
ᶃ "VUIFOUJDBUJPO͔ΒΞΫηετʔΫϯΛऔಘ
ᶄ "VUIPSJ[BUJPOϔομʔʹΞΫηετʔΫϯΛ௥Ճ
‣ ৄࡉ͸͜͜Β΁Μͷίʔυࢀর
‣ IUUQTHJUIVCDPNTQSJOHQSPKFDUTTQSJOHTFDVSJUZCMPC
NBTUFSPBVUIPBVUISFTPVSDFTFSWFSTSDNBJOKBWBPSH
TQSJOHGSBNFXPSLTFDVSJUZPBVUITFSWFSSFTPVSDFXFC
SFBDUJWFGVODUJPODMJFOU
4FSWMFU#FBSFS&YDIBOHF'JMUFS'VODUJPOKBWB-

View Slide

$
#jjug_ccc
3FTU5FNQMBUFΛ࢖͍͍ͨ৔߹
▸ ಉ౳ͷػೳΛࣗ෼Ͱ࡞Δඞཁ͕͋Δ
▸ ίʔυྫ͸ϦϑΝϨϯεࢀর
IUUQTEPDTTQSJOHJPTQSJOHTFDVSJUZTJUFEPDT
3&-&"4&SFGFSFODFIUNMSFTUUFNQMBUF
TVQQPSU

View Slide

$
#jjug_ccc
໨࣍
▸ ·ͱΊ

View Slide

$
#jjug_ccc
·ͱΊ
▸ λΠϜΞ΢τઃఆɺେࣄɻ

View Slide

$
#jjug_ccc
ೝՄαʔόʔ͸ʁ
▸ 4QSJOH"VUIPSJ[BUJPO4FSWFS͕։ൃਐߦத

https://spring.io/blog/2020/08/21/get-the-very-ﬁrst-bits-of-spring-authorization-server-0-0-1

View Slide

$
#jjug_ccc
4QSJOH4FDVSJUZϦϑΝϨϯε
▸ ࠓճ঺հ͍ͯ͠ͳ͍ػೳ΍ɺ༷ʑͳΧελϚΠζ
ํ๏͕঺հ͞Ε͍ͯ·͢
▸ IUUQTEPDTTQSJOHJPTQSJOHTFDVSJUZTJUF
EPDT3&-&"4&SFGFSFODFIUNM
PBVUI

View Slide

$
#jjug_ccc
0"VUIؔ࿈ॻ੶

View Slide

$
#jjug_ccc
0"VUI࢓༷ॻ
▸ 3'$5IF0"VUI"VUIPSJ[BUJPO
'SBNFXPSL
▸ 3'$0"VUI5PLFO*OUSPTQFDUJPO

View Slide

$
#jjug_ccc
<3*1>౎ݩ͞Μͷࢿྉ
▸ ϚΠΫϩαʔϏε࣌୅ͷೝূͱೝՄ
▸ [email protected]
TT
▸ جૅ͔Βͷ0"VUI
▸ [email protected]
EFWFMPQFSTJP

View Slide

$
#jjug_ccc
͝ਗ਼ௌ͋Γ͕ͱ͏͍͟͝·ͨ͠ʂ

View Slide

OAuth 2.0 with Spring Security #jjug_ccc #jjug_ccc_b / oauth2-with-spring-security

OAuth 2.0 with Spring Security #jjug_ccc #jjug_ccc_b / oauth2-with-spring-security

Masatoshi Tada

More Decks by Masatoshi Tada

Other Decks in Technology

Featured

Transcript