# Using OAuth2 in Spring Boot Security ###### tags: `Spring Framework`、`Spring Boot Security`、`OAuth2` #### Programming Language: Kotlin ## 前置作業 1. 於 `build.gradle.kts` 加入依賴函式庫。 ```kotlin implementation("org.springframework.boot:spring-boot-starter-oauth2-client:2.3.3.RELEASE") ``` 2. 於欲使用之 Oauth2 服務（如 Google、Facebook 及 Github 等）取得 Oauth2 API 的 `Client Id` 及 `Client Password`，並將值設定至 `application.yaml` 底下的 `spring.security.oauth2.client.registration.<registrationId>`。(可設定多組服務) - `registration-id`：服務名稱，例如 `google`、`facebook`等。 - `client-id`：Oauth2 API Key - `client-password`：Oauth2 API Password ``` spring: security: oauth2: client: registration: <registration-id>: client-id: "<client-id>" client-secret: "<client-password>" ``` 3. 建立一個類別，並繼承 `WebSecurityConfigurerAdapter`，且標記 `@Configuration` 及 `@EnableWebSecurity`。 ```kotlin @Configuration @EnableWebSecurity class WebSecurityConfiguration : WebSecurityConfigurerAdapter() ``` 4. 重載 `configure(http: HttpSecurity)` 方法，並於此方法內設定 Spring Security 作動方式及啟用 OAuth2 登入。 ```kotlin override fun configure(http: HttpSecurity) { http.authorizeRequests .antMatchers("/user") .authenticated() .and() .oauth2Login() } ``` ## 預設導向 URI `{baseUrl}/login/oauth2/code/{registrationId}` ## 於請求中加入額外參數 a.k.a. 自訂認證請求解析器 (AuthorizationRequestResolver) > 此範例為認證請求加入參數 `prompt=select_account consent`，可使部分 OAuth2 認證服務 (如 Google，詳閱*參考資料3*) 跳出帳號選擇視窗及權限確認視窗 1. 建立 `MyOAuth2AuthorizationRequestResolver` 類別，並實作 `OAuth2AuthorizationRequestResolver` 介面。 ```kotlin class MyOAuth2AuthorizationRequestResolver(var repo: ClientRegistrationRepository) : OAuth2AuthorizationRequestResolver { private val defaultResolver = DefaultOAuth2AuthorizationRequestResolver(repo, "/oauth2/authorization") override fun resolve(request: HttpServletRequest?): OAuth2AuthorizationRequest? { return customOAuth2AuthorizationRequest(defaultResolver.resolve(request)) } override fun resolve(request: HttpServletRequest?, clientRegistrationId: String?): OAuth2AuthorizationRequest? { return customOAuth2AuthorizationRequest(defaultResolver.resolve(request, clientRegistrationId)) } private fun customOAuth2AuthorizationRequest(oAuth2AuthorizationRequest: OAuth2AuthorizationRequest?): OAuth2AuthorizationRequest? { if (oAuth2AuthorizationRequest == null) return null val params = oAuth2AuthorizationRequest.additionalParameters.toMutableMap() params["prompt"] = "select_account consent" return OAuth2AuthorizationRequest.from(oAuth2AuthorizationRequest) .additionalParameters(params) .build() } } ``` 2. 於 `HttpSecurity` 中，設定為 OAuth2 的 AuthorizationRequestResolver 即可。 ```kotlin http.oauth2Login() .authorizationEndpoint() .authorizationRequestResolver(MyOAuth2AuthorizationRequestResolver(clientRepo)) ``` ## 參考資料 1. [Tutorial | Spring Boot and OAuth2](https://spring.io/guides/tutorials/spring-boot-oauth2/) 2. [OAuth2AuthorizationRequestResolver](https://docs.spring.io/spring-security/site/docs/5.1.1.RELEASE/reference/htmlsingle/#oauth2Client-authorization-request-resolver) 3. [Set authorization parameters | Google Identity Platform](https://developers.google.com/identity/protocols/oauth2/web-server#creatingclient)