openid connect:带有Spring的移动应用程序和REST API

最后发布: 2018-11-08 15:21:03


问题

我正在开发带有Ionic(角度)和带有api的api支架的移动应用程序,我想通过openid-conect结合身份验证方法。

我正在配置REST API,如下所示

的pom.xml

  <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.0.0.RELEASE</version>
    </parent>
    ......
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-config</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-oauth2-client</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-oauth2-jose</artifactId>
        </dependency>

application.yml

uaa-base-url: https://...../oidc/v1
spring:
  security:
    oauth2:
      client:
        registration:
          uaa:
            client-id: ...
            client-secret: ...
            authorizationGrantType: authorization_code
            redirect_uri_template: "{baseUrl}/login/oauth2/code/{registrationId}"
            scope: openid,document,email
            clientName: oauth2-id
        provider:
          uaa:
            token-uri: ${uaa-base-url}/token
            authorization-uri: ${uaa-base-url}/authorize
            user-info-uri: ${uaa-base-url}/userinfo
            jwk-set-uri: ${uaa-base-url}/jwks
            userNameAttribute: email

对于移动应用程序,我计划使用以下插件对其进行配置

https://github.com/manfredsteyer/angular-oauth2-oidc

这使用了ImplicitFlow,我的问题是这是正确的方法吗? ImplicitFlow是移动应用程序的正确选择吗? 令牌的持续时间是多长时间?

我应该添加自己的openid服务器并将其作为提供程序,以便可以对api进行更多控制吗?

spring ionic-framework oauth-2.0 spring-security-oauth2 openid-connect