I am developing a mobile application with Ionic (Angular) and a REST API, and I want to integrate authentication via OpenID Connect.
I am configuring the REST API as follows:
pom.xml
<parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.0.0.RELEASE</version>
</parent>
......
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-config</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-oauth2-client</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-oauth2-jose</artifactId>
</dependency>
application.yml
uaa-base-url: https://...../oidc/v1
spring:
  security:
    oauth2:
      client:
        registration:
          uaa:
            client-id: ...
            client-secret: ...
            authorizationGrantType: authorization_code
            redirect_uri_template: "{baseUrl}/login/oauth2/code/{registrationId}"
            scope: openid,document,email
            clientName: oauth2-id
        provider:
          uaa:
            token-uri: ${uaa-base-url}/token
            authorization-uri: ${uaa-base-url}/authorize
            user-info-uri: ${uaa-base-url}/userinfo
            jwk-set-uri: ${uaa-base-url}/jwks
            userNameAttribute: email
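For the mobile application, I plan to configure it with the following plugin
This uses the Implicit Flow. My question is: is this the right approach? Is the Implicit Flow the right choice for a mobile application? How long do the tokens last?
Should I add my own OpenID server and use it as the provider so that I have more control over the API?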