I am trying to configure Spring Boot authorization and resource servers, each on a different server. The tutorial does not explain exactly how to configure the resource and authorization servers on different servers.
If your Resource Server is a separate application then you have to make sure you match the capabilities of the Authorization Server and provide a ResourceServerTokenServices that knows how to decode the tokens correctly. [What does that mean and how to do this?]
As with the DefaultTokenServices, the choices are mostly expressed through the TokenStore (backend storage or local encoding). An alternative is the RemoteTokenServices, which is a Spring OAuth feature (not part of the spec) allowing Resource Servers to decode tokens through an HTTP resource on the Authorization Server (/oauth/check_token). RemoteTokenServices are convenient if there is not a huge volume of traffic in the Resource Servers (every request has to be verified with the Authorization Server), or if you can afford to cache the results. To use the /oauth/check_token endpoint you need to expose it by changing its access rule (default is "denyAll()") in the AuthorizationServerSecurityConfigurer. As with the Authorization Server, you can often use.
As I understand it, there is a suggested solution in which the resource server calls the authorization server endpoint, but as stated above this can only be done when there is not a huge volume of traffic in the resource server. What if there actually is traffic?
Best answer
Suppose you have an authentication server, a resource server and a client application. You can set up a JWT public key to verify incoming tokens. This means your user supplies their username and password to the authentication server through the client application to obtain a valid token, and that token is signed by the public key in the authentication server. Then every call the client application makes to the resource server needs to carry that signed token, and your resource server application uses the public key to verify the incoming token instead of calling the authentication server every time.
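The two halves of that setup, as an added example that is not code from the original post: the authorization server signs JWTs with a private key and the separately deployed resource server verifies them locally with the public key, so no per-request call to /oauth/check_token is needed (this also covers the check_token access rule the question quotes from the docs). It uses the legacy spring-security-oauth2 2.x API. Assumptions: a JKS keystore named jwt.jks with alias jwt and password changeit on the authorization server classpath, an in-memory client client-app with a {noop}-prefixed secret (Spring Security 5 password encoding), and the public key exported from that keystore and pasted into the PUBLIC_KEY constant on the resource server.

```java
// Added example (not from the original post): authorization server and resource server as
// two separate Spring Boot applications using spring-security-oauth2 2.x with signed JWTs.
// Assumed artifacts: jwt.jks (alias "jwt", password "changeit"), client "client-app".

import java.security.KeyPair;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.ClassPathResource;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;
import org.springframework.security.oauth2.provider.token.store.KeyStoreKeyFactory;

// ---------- Authorization Server application (holds the PRIVATE key) ----------
@Configuration
@EnableAuthorizationServer
class AuthServerConfig extends AuthorizationServerConfigurerAdapter {

    @Bean
    public JwtAccessTokenConverter authAccessTokenConverter() {
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        // Tokens are signed with the private key; only the public half leaves this host.
        KeyPair keyPair = new KeyStoreKeyFactory(
                new ClassPathResource("jwt.jks"), "changeit".toCharArray()).getKeyPair("jwt");
        converter.setKeyPair(keyPair);
        return converter;
    }

    @Bean
    public TokenStore authTokenStore() {
        // JwtTokenStore keeps no state: the token itself is the record.
        return new JwtTokenStore(authAccessTokenConverter());
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
        endpoints.tokenStore(authTokenStore()).accessTokenConverter(authAccessTokenConverter());
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) {
        // /oauth/token_key publishes the public key (safe to expose).
        // /oauth/check_token defaults to denyAll(); open it only for authenticated clients,
        // and only if some resource server really uses RemoteTokenServices.
        security.tokenKeyAccess("permitAll()").checkTokenAccess("isAuthenticated()");
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
                .withClient("client-app")
                .secret("{noop}client-secret") // assumed demo secret; use a real encoder in production
                .authorizedGrantTypes("password", "refresh_token")
                .scopes("read", "write")
                .accessTokenValiditySeconds(3600);
    }
}

// ---------- Resource Server application (holds only the PUBLIC key) ----------
@Configuration
@EnableResourceServer
class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    // PEM public key exported from jwt.jks; placeholder body, paste the real key here.
    private static final String PUBLIC_KEY =
            "-----BEGIN PUBLIC KEY-----\n" +
            "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...\n" +
            "-----END PUBLIC KEY-----";

    @Bean
    public JwtAccessTokenConverter resourceAccessTokenConverter() {
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        // Verify-only: signature checked locally, no network round trip per request.
        converter.setVerifierKey(PUBLIC_KEY);
        return converter;
    }

    @Bean
    public TokenStore resourceTokenStore() {
        return new JwtTokenStore(resourceAccessTokenConverter());
    }

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        resources.resourceId("api").tokenStore(resourceTokenStore());
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/api/**").authenticated();
    }
}
```

Two practical notes on this layout. With Spring Boot's autoconfiguration you can drop the resource-side converter bean entirely and set security.oauth2.resource.jwt.key-value (inline PEM) or security.oauth2.resource.jwt.key-uri pointing at the authorization server's /oauth/token_key, which is fetched once at startup rather than per request. And because a JWT resource server never calls back, revocation before expiry is not possible: keep accessTokenValiditySeconds short and lean on refresh tokens, or fall back to RemoteTokenServices for the few endpoints where immediate revocation matters.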
On the topic of the Spring OAuth authorization server and resource server being on different servers, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/47498363/