Amazon Cognito Oauth2 with Spring Security

Backend | Unresolved | 2 | 874
一整个雨季 2020-12-28 08:37

I'm trying to implement Spring Security in a resource server with "Cognito OAuth2", however I don't seem to find too much info about it (or if it's even possible to do

2 answers
  •  孤城傲影
    2020-12-28 09:14

    We can create Spring Boot resource server, keeping Cognito as Identity Provider.

    Dependency:

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
        </dependency>

        <dependency>
            <groupId>org.springframework.security.oauth.boot</groupId>
            <artifactId>spring-security-oauth2-autoconfigure</artifactId>
            <version>2.0.1.RELEASE</version>
        </dependency>


    Spring Security Configuration:

    import java.util.Collections;

    import org.springframework.boot.autoconfigure.security.oauth2.resource.ResourceServerProperties;
    import org.springframework.context.annotation.Bean;
    import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
    import org.springframework.security.oauth2.provider.token.TokenStore;
    import org.springframework.security.oauth2.provider.token.store.jwk.JwkTokenStore;

    @EnableWebSecurity
    @EnableGlobalMethodSecurity(prePostEnabled = true)
    public class OAuth2ResourceServerSecurityConfiguration extends ResourceServerConfigurerAdapter {
    
      // Bound from security.oauth2.resource.* (jwk.key-set-uri etc.)
      private final ResourceServerProperties resource;
    
      public OAuth2ResourceServerSecurityConfiguration(ResourceServerProperties resource) {
        this.resource = resource;
      }
    
      @Override
      public void configure(HttpSecurity http) throws Exception {
    
        http.cors();
    
        // Bearer-token API: no session cookie, so CSRF protection is not needed
        http.csrf().disable();
    
        http.authorizeRequests()
            .antMatchers("/api/public/**").permitAll()
            .antMatchers("/actuator/health").permitAll()
            .anyRequest().authenticated();
      }
    
    
      // Note: Cognito Converter
      // Signatures are verified against the Cognito JWKS; claims are mapped by CognitoAccessTokenConverter
      @Bean
      public TokenStore jwkTokenStore() {
        return new JwkTokenStore(
            Collections.singletonList(resource.getJwk().getKeySetUri()),
            new CognitoAccessTokenConverter(),
            null);
      }
    }
    

    Cognito Access Token Converter:

    Here we are converting the Cognito claims to Spring Security consumable format.

    import java.util.Map;

    import org.springframework.security.oauth2.provider.OAuth2Authentication;
    import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
    import org.springframework.stereotype.Component;

    @Component
    public class CognitoAccessTokenConverter extends JwtAccessTokenConverter {
    
      // Note: This is the core part.
      // Cognito claim names on the left, the names JwtAccessTokenConverter expects on the right
      private static final String COGNITO_GROUPS = "cognito:groups";
      private static final String SPRING_AUTHORITIES = "authorities";
      private static final String COGNITO_USERNAME = "username";
      private static final String SPRING_USER_NAME = "user_name";
    
      @SuppressWarnings("unchecked")
      @Override
      public OAuth2Authentication extractAuthentication(Map claims) {
    
        // Copy the Cognito claims under the keys the superclass reads
        if (claims.containsKey(COGNITO_GROUPS))
          ((Map) claims).put(SPRING_AUTHORITIES, claims.get(COGNITO_GROUPS));
        if (claims.containsKey(COGNITO_USERNAME))
          ((Map) claims).put(SPRING_USER_NAME, claims.get(COGNITO_USERNAME));
        return super.extractAuthentication(claims);
      }
    }
    

    application.properties

    server:
      port: 8081
    security:
      oauth2:
        resource:
          userInfoUri: https://.auth.eu-west-1.amazoncognito.com/oauth2/userInfo
          tokenInfoUri: https://.auth.eu-west-1.amazoncognito.com/oauth2/token
          jwk:
            key-set-uri: https://cognito-idp..amazonaws.com//.well-known/jwks.json
        client:
          clientId: 
    

    For the complete article, refer to: Integrate Spring Boot Resource Server with Cognito Identity Provider
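The third argument to `JwkTokenStore` in the answer above (passed as `null`) is a `JwtClaimsSetVerifier`, which runs after the JWKS signature check. Below is an added example, not code from the answer or the linked article, of a verifier that pins the issuer, only accepts access tokens (`token_use`), and checks `client_id`, which is what Cognito access tokens carry instead of an `aud` claim; the issuer URL and client id are placeholders to be taken from the user pool configuration.

```java
import java.util.Map;
import org.springframework.security.oauth2.common.exceptions.InvalidTokenException;
import org.springframework.security.oauth2.provider.token.store.JwtClaimsSetVerifier;

// Verifies Cognito-specific claims once the JWK signature check has passed.
// Wire it in as the third argument of JwkTokenStore instead of null:
//   new JwkTokenStore(keySetUris, new CognitoAccessTokenConverter(),
//       new CognitoClaimsVerifier(issuer, clientId));
public class CognitoClaimsVerifier implements JwtClaimsSetVerifier {

  private final String expectedIssuer;   // e.g. https://cognito-idp.<region>.amazonaws.com/<pool-id> (placeholder)
  private final String expectedClientId; // the app client id of this resource server's callers (placeholder)

  public CognitoClaimsVerifier(String expectedIssuer, String expectedClientId) {
    this.expectedIssuer = expectedIssuer;
    this.expectedClientId = expectedClientId;
  }

  @Override
  public void verify(Map<String, Object> claims) throws InvalidTokenException {
    // Pin the issuer so a token from another pool (even one in the same region) is rejected.
    requireEquals(claims, "iss", expectedIssuer);
    // Only access tokens belong in the Authorization header; ID tokens are meant for the client.
    requireEquals(claims, "token_use", "access");
    // Cognito access tokens have no "aud"; "client_id" is the equivalent audience check.
    requireEquals(claims, "client_id", expectedClientId);
  }

  private static void requireEquals(Map<String, Object> claims, String name, String expected) {
    Object actual = claims.get(name);
    if (!expected.equals(actual)) {
      // Message deliberately omits the actual value so it cannot leak into error responses.
      throw new InvalidTokenException("Claim '" + name + "' is missing or not as expected");
    }
  }
}
```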
