Akka HTTP和Spray提供了一个authenticateOAuth2指令,但是
their documentation states表示
This directive does not implement the complete OAuth2 protocol,but instead enables implementing it,by extracting the needed token from the HTTP headers.
我也找不到任何为Akka HTTP或Spray实现OAuth2的库.有没有我想念的东西,还是这只是现在这些图书馆的状态?
我认为最大的问题是OAuth2本身并没有真正告诉你实现细节的样子.
引用the RFC:
The token may denote an identifier used to retrieve the authorization
information or may self-contain the authorization information in a
verifiable manner (i.e.,a token string consisting of some data and a
signature). Additional authentication credentials,which are beyond
the scope of this specification,may be required in order for the
client to use a token.
Access tokens can have different formats,structures,and methods of
utilization (e.g.,cryptographic properties) based on the resource
server security requirements. Access token attributes and the
methods used to access protected resources are beyond the scope of
this specification and are defined by companion specifications such
as [RFC6750].
例如,您可以使用JWT验证请求,或者您可以将令牌仅用作标识符,并向该资源请求服务.
根据您的OAuth2提供程序,实现可能会有所不同,所以我的猜测是框架只能为您提供常见的东西(为您提取令牌),或者它必须实现所有可能的OAuth2实现,这在现在似乎不可行.
过去我个人使用了pauldijou/jwt-scala,你可能想看看.
