feat: 将 public-client 替换为 pkce-client 并添加相关配置

chensoul · chensoul · commit e7db7d247a4e · 2025-06-05T13:45:31.000+08:00
将多个示例项目中的 public-client 替换为 pkce-client，并添加了 CLIENT_SECRET_BASIC 和
CLIENT_SECRET_POST 身份验证方法，以及 REFRESH_TOKEN 授权类型。同时增加了多个重定向 URI 和登出
重定向 URI 配置。更新了测试类以匹配新的客户端 ID，并修改了相关的逻辑以支持 pkce-client。
diff --git a/my-samples/auth-server-01-start/src/main/java/com/chensoul/config/SecurityConfig.java b/my-samples/auth-server-01-start/src/main/java/com/chensoul/config/SecurityConfig.java
@@ -135,11 +135,18 @@ public RegisteredClientRepository registeredClientRepository() {
                 .scope("client.read")
                 .build();
 
-        RegisteredClient publicClient = RegisteredClient.withId(UUID.randomUUID().toString())
-                .clientId("public-client")
+        RegisteredClient pkceClient = RegisteredClient.withId(UUID.randomUUID().toString())
+                .clientId("pkce-client")
                 .clientAuthenticationMethod(ClientAuthenticationMethod.NONE)
+                .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
+                .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_POST)
                 .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
+                .authorizationGrantType(AuthorizationGrantType.REFRESH_TOKEN)
                 .redirectUri("http://127.0.0.1:4200")
+                .redirectUri("https://oidcdebugger.com/debug")
+                .redirectUri("https://oauthdebugger.com/debug")
+                .redirectUri("http://127.0.0.1:8080/login/oauth2/code/pkce-client")
+                .postLogoutRedirectUri("http://127.0.0.1:8080/")
                 .scope(OidcScopes.OPENID)
                 .scope(OidcScopes.PROFILE)
                 .clientSettings(ClientSettings.builder()
@@ -160,7 +167,7 @@ public RegisteredClientRepository registeredClientRepository() {
                 ).build();
 
         // @formatter:on
-        return new InMemoryRegisteredClientRepository(oidcClient, credentialsClient, publicClient, opaqueClient);
+        return new InMemoryRegisteredClientRepository(oidcClient, credentialsClient, pkceClient, opaqueClient);
     }
 
     @Bean
diff --git a/my-samples/auth-server-01-start/src/main/resources/application.yml b/my-samples/auth-server-01-start/src/main/resources/application.yml
@@ -36,15 +36,19 @@ spring:
               - "read"
               - "write"
           require-authorization-consent: true
-      public-client:
+      pkce-client:
         registration:
-          client-id: "public-client"
+          client-id: "pkce-client"
           client-authentication-methods:
             - "none"
+            - "client_secret_basic"
+            - "client_secret_post"
           authorization-grant-types:
             - "authorization_code"
+            - "refresh_token"
           redirect-uris:
             - "http://127.0.0.1:4200"
+            - "http://127.0.0.1:8080/login/oauth2/code/pkce-client"
           scopes:
             - "openid"
             - "profile"
diff --git a/my-samples/auth-server-02-pkce/src/main/java/com/chensoul/config/SecurityConfig.java b/my-samples/auth-server-02-pkce/src/main/java/com/chensoul/config/SecurityConfig.java
@@ -111,11 +111,18 @@ public RegisteredClientRepository registeredClientRepository() {
                 .scope("client.read")
                 .build();
 
-        RegisteredClient publicClient = RegisteredClient.withId(UUID.randomUUID().toString())
-                .clientId("public-client")
+        RegisteredClient pkceClient = RegisteredClient.withId(UUID.randomUUID().toString())
+                .clientId("pkce-client")
                 .clientAuthenticationMethod(ClientAuthenticationMethod.NONE)
+                .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
+                .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_POST)
                 .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
+                .authorizationGrantType(AuthorizationGrantType.REFRESH_TOKEN)
                 .redirectUri("http://127.0.0.1:4200")
+                .redirectUri("https://oidcdebugger.com/debug")
+                .redirectUri("https://oauthdebugger.com/debug")
+                .redirectUri("http://127.0.0.1:8080/login/oauth2/code/pkce-client")
+                .postLogoutRedirectUri("http://127.0.0.1:8080/")
                 .scope(OidcScopes.OPENID)
                 .scope(OidcScopes.PROFILE)
                 .clientSettings(ClientSettings.builder()
@@ -136,7 +143,7 @@ public RegisteredClientRepository registeredClientRepository() {
                 ).build();
 
         // @formatter:on
-        return new InMemoryRegisteredClientRepository(oidcClient, credentialsClient, publicClient, opaqueClient);
+        return new InMemoryRegisteredClientRepository(oidcClient, credentialsClient, pkceClient, opaqueClient);
     }
 
     @Bean
diff --git a/my-samples/auth-server-02-pkce/src/test/java/com/chensoul/PublicClientTests.java b/my-samples/auth-server-02-pkce/src/test/java/com/chensoul/PublicClientTests.java
@@ -26,7 +26,7 @@
  * @author Steve Riesenberg
  */
 @ExtendWith(SpringTestContextExtension.class)
-public class PublicClientTests {
+public class pkceClientTests {
     public final SpringTestContext spring = new SpringTestContext(this);
 
     @Autowired
@@ -36,10 +36,10 @@ public class PublicClientTests {
     private RegisteredClientRepository registeredClientRepository;
 
     @Test
-    public void oidcLoginWhenPublicClientThenSuccess() throws Exception {
+    public void oidcLoginWhenpkceClientThenSuccess() throws Exception {
         this.spring.register(AuthorizationServerConfig.class).autowire();
 
-        RegisteredClient registeredClient = this.registeredClientRepository.findByClientId("public-client");
+        RegisteredClient registeredClient = this.registeredClientRepository.findByClientId("pkce-client");
         assertThat(registeredClient).isNotNull();
 
         AuthorizationCodeGrantFlow authorizationCodeGrantFlow = new AuthorizationCodeGrantFlow(this.mockMvc);
diff --git a/my-samples/auth-server-03-min/src/main/java/com/chensoul/config/SecurityConfig.java b/my-samples/auth-server-03-min/src/main/java/com/chensoul/config/SecurityConfig.java
@@ -62,11 +62,18 @@ public RegisteredClientRepository registeredClientRepository() {
                 .scope("client.read")
                 .build();
 
-        RegisteredClient publicClient = RegisteredClient.withId(UUID.randomUUID().toString())
-                .clientId("public-client")
+        RegisteredClient pkceClient = RegisteredClient.withId(UUID.randomUUID().toString())
+                .clientId("pkce-client")
                 .clientAuthenticationMethod(ClientAuthenticationMethod.NONE)
+                .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
+                .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_POST)
                 .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
+                .authorizationGrantType(AuthorizationGrantType.REFRESH_TOKEN)
                 .redirectUri("http://127.0.0.1:4200")
+                .redirectUri("https://oidcdebugger.com/debug")
+                .redirectUri("https://oauthdebugger.com/debug")
+                .redirectUri("http://127.0.0.1:8080/login/oauth2/code/pkce-client")
+                .postLogoutRedirectUri("http://127.0.0.1:8080/")
                 .scope(OidcScopes.OPENID)
                 .scope(OidcScopes.PROFILE)
                 .clientSettings(ClientSettings.builder()
@@ -87,6 +94,6 @@ public RegisteredClientRepository registeredClientRepository() {
                 ).build();
 
         // @formatter:on
-        return new InMemoryRegisteredClientRepository(oidcClient, credentialsClient, publicClient, opaqueClient);
+        return new InMemoryRegisteredClientRepository(oidcClient, credentialsClient, pkceClient, opaqueClient);
     }
 }
diff --git a/my-samples/auth-server-04-jwks-keypair/src/main/java/com/chensoul/config/SecurityConfig.java b/my-samples/auth-server-04-jwks-keypair/src/main/java/com/chensoul/config/SecurityConfig.java
@@ -78,11 +78,18 @@ public RegisteredClientRepository registeredClientRepository() {
                 .scope("client.read")
                 .build();
 
-        RegisteredClient publicClient = RegisteredClient.withId(UUID.randomUUID().toString())
-                .clientId("public-client")
+        RegisteredClient pkceClient = RegisteredClient.withId(UUID.randomUUID().toString())
+                .clientId("pkce-client")
                 .clientAuthenticationMethod(ClientAuthenticationMethod.NONE)
+                .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
+                .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_POST)
                 .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
+                .authorizationGrantType(AuthorizationGrantType.REFRESH_TOKEN)
                 .redirectUri("http://127.0.0.1:4200")
+                .redirectUri("https://oidcdebugger.com/debug")
+                .redirectUri("https://oauthdebugger.com/debug")
+                .redirectUri("http://127.0.0.1:8080/login/oauth2/code/pkce-client")
+                .postLogoutRedirectUri("http://127.0.0.1:8080/")
                 .scope(OidcScopes.OPENID)
                 .scope(OidcScopes.PROFILE)
                 .clientSettings(ClientSettings.builder()
@@ -103,7 +110,7 @@ public RegisteredClientRepository registeredClientRepository() {
                 ).build();
 
         // @formatter:on
-        return new InMemoryRegisteredClientRepository(oidcClient, credentialsClient, publicClient, opaqueClient);
+        return new InMemoryRegisteredClientRepository(oidcClient, credentialsClient, pkceClient, opaqueClient);
     }
 
     @Bean
diff --git a/my-samples/auth-server-05-accessTokenResponseHandler/src/main/java/com/chensoul/config/SecurityConfig.java b/my-samples/auth-server-05-accessTokenResponseHandler/src/main/java/com/chensoul/config/SecurityConfig.java
@@ -104,11 +104,18 @@ public RegisteredClientRepository registeredClientRepository() {
                 .scope("client.read")
                 .build();
 
-        RegisteredClient publicClient = RegisteredClient.withId(UUID.randomUUID().toString())
-                .clientId("public-client")
+        RegisteredClient pkceClient = RegisteredClient.withId(UUID.randomUUID().toString())
+                .clientId("pkce-client")
                 .clientAuthenticationMethod(ClientAuthenticationMethod.NONE)
+                .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
+                .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_POST)
                 .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
+                .authorizationGrantType(AuthorizationGrantType.REFRESH_TOKEN)
                 .redirectUri("http://127.0.0.1:4200")
+                .redirectUri("https://oidcdebugger.com/debug")
+                .redirectUri("https://oauthdebugger.com/debug")
+                .redirectUri("http://127.0.0.1:8080/login/oauth2/code/pkce-client")
+                .postLogoutRedirectUri("http://127.0.0.1:8080/")
                 .scope(OidcScopes.OPENID)
                 .scope(OidcScopes.PROFILE)
                 .clientSettings(ClientSettings.builder()
@@ -129,7 +136,7 @@ public RegisteredClientRepository registeredClientRepository() {
                 ).build();
 
         // @formatter:on
-        return new InMemoryRegisteredClientRepository(oidcClient, credentialsClient, publicClient, opaqueClient);
+        return new InMemoryRegisteredClientRepository(oidcClient, credentialsClient, pkceClient, opaqueClient);
     }
 
     @Bean
diff --git a/my-samples/auth-server-06-OAuth2TokenCustomizer/src/main/java/com/chensoul/config/SecurityConfig.java b/my-samples/auth-server-06-OAuth2TokenCustomizer/src/main/java/com/chensoul/config/SecurityConfig.java
@@ -63,11 +63,18 @@ public RegisteredClientRepository registeredClientRepository() {
                 .scope("client.read")
                 .build();
 
-        RegisteredClient publicClient = RegisteredClient.withId(UUID.randomUUID().toString())
-                .clientId("public-client")
+        RegisteredClient pkceClient = RegisteredClient.withId(UUID.randomUUID().toString())
+                .clientId("pkce-client")
                 .clientAuthenticationMethod(ClientAuthenticationMethod.NONE)
+                .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
+                .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_POST)
                 .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
+                .authorizationGrantType(AuthorizationGrantType.REFRESH_TOKEN)
                 .redirectUri("http://127.0.0.1:4200")
+                .redirectUri("https://oidcdebugger.com/debug")
+                .redirectUri("https://oauthdebugger.com/debug")
+                .redirectUri("http://127.0.0.1:8080/login/oauth2/code/pkce-client")
+                .postLogoutRedirectUri("http://127.0.0.1:8080/")
                 .scope(OidcScopes.OPENID)
                 .scope(OidcScopes.PROFILE)
                 .clientSettings(ClientSettings.builder()
@@ -88,6 +95,6 @@ public RegisteredClientRepository registeredClientRepository() {
                 ).build();
 
         // @formatter:on
-        return new InMemoryRegisteredClientRepository(oidcClient, credentialsClient, publicClient, opaqueClient);
+        return new InMemoryRegisteredClientRepository(oidcClient, credentialsClient, pkceClient, opaqueClient);
     }
 }
diff --git a/my-samples/auth-server-custom-code/src/main/java/com/chensoul/config/SecurityConfig.java b/my-samples/auth-server-custom-code/src/main/java/com/chensoul/config/SecurityConfig.java
@@ -103,11 +103,18 @@ public RegisteredClientRepository registeredClientRepository() {
                 .scope("client.read")
                 .build();
 
-        RegisteredClient publicClient = RegisteredClient.withId(UUID.randomUUID().toString())
-                .clientId("public-client")
+        RegisteredClient pkceClient = RegisteredClient.withId(UUID.randomUUID().toString())
+                .clientId("pkce-client")
                 .clientAuthenticationMethod(ClientAuthenticationMethod.NONE)
+                .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
+                .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_POST)
                 .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
+                .authorizationGrantType(AuthorizationGrantType.REFRESH_TOKEN)
                 .redirectUri("http://127.0.0.1:4200")
+                .redirectUri("https://oidcdebugger.com/debug")
+                .redirectUri("https://oauthdebugger.com/debug")
+                .redirectUri("http://127.0.0.1:8080/login/oauth2/code/pkce-client")
+                .postLogoutRedirectUri("http://127.0.0.1:8080/")
                 .scope(OidcScopes.OPENID)
                 .scope(OidcScopes.PROFILE)
                 .clientSettings(ClientSettings.builder()
@@ -127,7 +134,7 @@ public RegisteredClientRepository registeredClientRepository() {
                 .tokenSettings(TokenSettings.builder().accessTokenFormat(OAuth2TokenFormat.REFERENCE).build()
                 ).build();
         // @formatter:on
-        return new InMemoryRegisteredClientRepository(oidcClient, credentialsClient, publicClient, opaqueClient);
+        return new InMemoryRegisteredClientRepository(oidcClient, credentialsClient, pkceClient, opaqueClient);
     }
 
     @Bean
diff --git a/my-samples/auth-server-custom-password/src/main/java/com/chensoul/config/SecurityConfig.java b/my-samples/auth-server-custom-password/src/main/java/com/chensoul/config/SecurityConfig.java
@@ -126,11 +126,18 @@ public RegisteredClientRepository registeredClientRepository() {
                 .scope("client.read")
                 .build();
 
-        RegisteredClient publicClient = RegisteredClient.withId(UUID.randomUUID().toString())
-                .clientId("public-client")
+        RegisteredClient pkceClient = RegisteredClient.withId(UUID.randomUUID().toString())
+                .clientId("pkce-client")
                 .clientAuthenticationMethod(ClientAuthenticationMethod.NONE)
+                .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
+                .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_POST)
                 .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
+                .authorizationGrantType(AuthorizationGrantType.REFRESH_TOKEN)
                 .redirectUri("http://127.0.0.1:4200")
+                .redirectUri("https://oidcdebugger.com/debug")
+                .redirectUri("https://oauthdebugger.com/debug")
+                .redirectUri("http://127.0.0.1:8080/login/oauth2/code/pkce-client")
+                .postLogoutRedirectUri("http://127.0.0.1:8080/")
                 .scope(OidcScopes.OPENID)
                 .scope(OidcScopes.PROFILE)
                 .clientSettings(ClientSettings.builder()
@@ -151,7 +158,7 @@ public RegisteredClientRepository registeredClientRepository() {
                 ).build();
 
         // @formatter:on
-        return new InMemoryRegisteredClientRepository(oidcClient, credentialsClient, publicClient, opaqueClient);
+        return new InMemoryRegisteredClientRepository(oidcClient, credentialsClient, pkceClient, opaqueClient);
     }
 
     @Bean
diff --git a/my-samples/auth-server-jdbc/src/main/java/com/chensoul/config/ClientConfig.java b/my-samples/auth-server-jdbc/src/main/java/com/chensoul/config/ClientConfig.java
@@ -62,8 +62,8 @@ ApplicationRunner clientsRunner(RegisteredClientRepository repository) {
                     .scope("write")
                     .build();
 
-            RegisteredClient publicClient = RegisteredClient.withId(UUID.randomUUID().toString())
-                    .clientId("public-client")
+            RegisteredClient pkceClient = RegisteredClient.withId(UUID.randomUUID().toString())
+                    .clientId("pkce-client")
                     .clientAuthenticationMethod(ClientAuthenticationMethod.NONE)
                     .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                     .redirectUri("http://127.0.0.1:4200")
@@ -97,8 +97,8 @@ ApplicationRunner clientsRunner(RegisteredClientRepository repository) {
             if (repository.findByClientId(opaqueClient.getClientId()) == null) {
                 repository.save(opaqueClient);
             }
-            if (repository.findByClientId(publicClient.getClientId()) == null) {
-                repository.save(publicClient);
+            if (repository.findByClientId(pkceClient.getClientId()) == null) {
+                repository.save(pkceClient);
             }
         };
     }
diff --git a/my-samples/auth-server-jpa/src/main/java/com/chensoul/config/SecurityConfig.java b/my-samples/auth-server-jpa/src/main/java/com/chensoul/config/SecurityConfig.java
@@ -63,8 +63,8 @@ ApplicationRunner clientsRunner(RegisteredClientRepository repository) {
                     .scope("write")
                     .build();
 
-            RegisteredClient publicClient = RegisteredClient.withId(UUID.randomUUID().toString())
-                    .clientId("public-client")
+            RegisteredClient pkceClient = RegisteredClient.withId(UUID.randomUUID().toString())
+                    .clientId("pkce-client")
                     .clientAuthenticationMethod(ClientAuthenticationMethod.NONE)
                     .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                     .redirectUri("http://127.0.0.1:4200")
@@ -98,8 +98,8 @@ ApplicationRunner clientsRunner(RegisteredClientRepository repository) {
             if (repository.findByClientId(opaqueClient.getClientId()) == null) {
                 repository.save(opaqueClient);
             }
-            if (repository.findByClientId(publicClient.getClientId()) == null) {
-                repository.save(publicClient);
+            if (repository.findByClientId(pkceClient.getClientId()) == null) {
+                repository.save(pkceClient);
             }
         };
     }
diff --git a/my-samples/auth-server-redis/src/main/java/com/chensoul/config/SecurityConfig.java b/my-samples/auth-server-redis/src/main/java/com/chensoul/config/SecurityConfig.java
@@ -59,8 +59,8 @@ ApplicationRunner clientsRunner(RegisteredClientRepository repository) {
                     .scope("write")
                     .build();
 
-            RegisteredClient publicClient = RegisteredClient.withId(UUID.randomUUID().toString())
-                    .clientId("public-client")
+            RegisteredClient pkceClient = RegisteredClient.withId(UUID.randomUUID().toString())
+                    .clientId("pkce-client")
                     .clientAuthenticationMethod(ClientAuthenticationMethod.NONE)
                     .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                     .redirectUri("http://127.0.0.1:4200")
@@ -94,8 +94,8 @@ ApplicationRunner clientsRunner(RegisteredClientRepository repository) {
             if (repository.findByClientId(opaqueClient.getClientId()) == null) {
                 repository.save(opaqueClient);
             }
-            if (repository.findByClientId(publicClient.getClientId()) == null) {
-                repository.save(publicClient);
+            if (repository.findByClientId(pkceClient.getClientId()) == null) {
+                repository.save(pkceClient);
             }
         };
     }
diff --git a/my-samples/auth-server-registration/src/main/java/com/chensoul/config/SecurityConfig.java b/my-samples/auth-server-registration/src/main/java/com/chensoul/config/SecurityConfig.java
diff --git a/my-samples/auth-server-userinfo/src/main/java/com/chensoul/config/idtoken/IdTokenSecurityConfig.java b/my-samples/auth-server-userinfo/src/main/java/com/chensoul/config/idtoken/IdTokenSecurityConfig.java
diff --git a/my-samples/auth-server-userinfo/src/main/java/com/chensoul/config/jwt/JwtSecurityConfig.java b/my-samples/auth-server-userinfo/src/main/java/com/chensoul/config/jwt/JwtSecurityConfig.java
diff --git a/my-samples/common-test/src/main/java/com/chensoul/test/AuthorizationCodeGrantFlow.java b/my-samples/common-test/src/main/java/com/chensoul/test/AuthorizationCodeGrantFlow.java
