我在 springdoc-openapi-ui-1.4.3 中使用 swagger
@SecurityRequirement(name = "security_auth")
public class ProductController {}
设置安全模式
@SecurityScheme(name = "security_auth", type = SecuritySchemeType.OAUTH2,
flows = @OAuthFlows(authorizationCode = @OAuthFlow(
authorizationUrl = "${springdoc.oAuthFlow.authorizationUrl}"
, tokenUrl = "${springdoc.oAuthFlow.tokenUrl}",scopes = {
@OAuthScope(name = "IdentityPortal.API", description = "IdentityPortal.API")})))
public class OpenApiConfig {}
安全配置
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {// @formatter:off
http
.authorizeRequests()
.antMatchers("/v3/api-docs/**", "/swagger-ui/**", "/swagger-ui.html")
.permitAll()
.antMatchers(HttpMethod.GET, "/user/info", "/api/foos/**")
.hasAuthority("SCOPE_read")
.antMatchers(HttpMethod.POST, "/api/foos")
.hasAuthority("SCOPE_write")
.anyRequest()
.authenticated()
.and()
.oauth2ResourceServer()
.jwt();
}
}
有依赖
implementation 'org.springframework.boot:spring-boot-starter-oauth2-resource-server'
implementation 'org.springdoc:springdoc-openapi-ui:1.4.3'
implementation 'org.springdoc:springdoc-openapi-security:1.4.3'
implementation "org.springframework.boot:spring-boot-starter-security"
配置设置
spring:
profiles:
active: dev
####### resource server configuration properties
security:
oauth2:
resourceserver:
jwt:
issuer-uri: https://localhost:5001
jwk-set-uri: https://localhost:5001/connect/token
springdoc:
swagger-ui:
oauth:
clientId: Local
usepkcewithauthorizationcodegrant: true
oAuthFlow:
authorizationUrl: https://localhost:5001
tokenUrl: https://localhost:5001/connect/token
在 swagger UI 中,clientId 为空且存在客户端密码,对于授权码 + PKCE 流程客户端密码不应存在
最佳答案
你的属性语法
usepkcewithauthorizationcodegrant
不正确:
这是 PKCE 的正确属性:
springdoc.swagger-ui.oauth.use-pkce-with-authorization-code-grant=true
要填写客户端 ID,只需使用:
springdoc.swagger-ui.oauth.client-id=yourSPAClientId
对于您对可以隐藏的现有 secret 文件的评论。这看起来像是对 swagger-ui 的增强。
您应该提交对 swagger-ui 项目的增强:
关于java - springdoc-openapi-ui OAuth 2.0 授权代码流与 PKCE,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/62950730/