OpenID + API REST +节点服务器

好吧，我看到很多人有同样的问题或怀疑，所以我会发布我的解决scheme。

我用于前端项目的一个openId JavaScript客户端帐户。 你需要询问“token id_token”。 这意味着它将检索callback中的access_token。

有了这个access_token，你可以点击API。 我使用HeaderClient（pac4j库），并在标题中发送access_token作为“授权”：“承载…”。

在API中，我创build了一个拦截器并添加了以下validation：

final HeaderClient headerClient = new HeaderClient("Authorization", "Bearer " , (credentials, ctx) -> { final String token = ((TokenCredentials) credentials).getToken(); JWSAlgorithm jwsAlg = JWSAlgorithm.RS256; try { URL jwkSetURL = new URL(authority + jwks); try { if (CommonHelper.isNotBlank(token)) { // Set up a JWT processor to parse the tokens and then check their signature // and validity time window (bounded by the "iat", "nbf" and "exp" claims) ConfigurableJWTProcessor jwtProcessor = new DefaultJWTProcessor(); // The public RSA keys to validate the signatures will be sourced from the // OAuth 2.0 server's JWK set, published at a well-known URL. The RemoteJWKSet // object caches the retrieved keys to speed up subsequent look-ups and can // also gracefully handle key-rollover JWKSource keySource = new RemoteJWKSet(jwkSetURL , new DefaultResourceRetriever() ); // Configure the JWT processor with a key selector to feed matching public // RSA keys sourced from the JWK set URL JWSKeySelector keySelector = new JWSVerificationKeySelector(jwsAlg, keySource); jwtProcessor.setJWSKeySelector(keySelector); // Process the token JWTClaimsSet claimsSet = jwtProcessor.process(token, null); // Print out the token claims set if (claimsSet != null) { CommonProfile profile = new CommonProfile(); profile.setId(token); // save in the credentials to be passed to the default AuthenticatorProfileCreator credentials.setUserProfile(profile); } } } catch (BadJOSEException e) { System.out.println("Invalid Authorization token"); } catch (JOSEException e) { System.out.println("Error on Authorization token"); } } catch (MalformedURLException e) { e.printStackTrace(); } catch (ParseException e) { e.printStackTrace(); } });