Spring OAuth2

Why use OIDC

Plain OAuth2 alone is not safe for authentication, because the client has no way to guarantee that the access token presented for a user is genuine. OIDC makes that guarantee possible.

https://security.stackexchange.com/questions/37818/why-use-openid-connect-instead-of-plain-oauth2/260519#260519

hasRole

A role is just an authority with the special ROLE_ prefix. So in Spring Security 3, @PreAuthorize("hasRole('ROLE_XYZ')") is the same as @PreAuthorize("hasAuthority('ROLE_XYZ')"), and in Spring Security 4, @PreAuthorize("hasRole('XYZ')") is the same as @PreAuthorize("hasAuthority('ROLE_XYZ')").

http://localhost:8080/oauth/token

curl -u eagleeye:thisissecret -i -H 'Accept: application/json' -d "grant_type=password&scope=webclient&username=will&password=pass" -H "Content-Type: application/x-www-form-urlencoded" -X POST http://localhost:8080/oauth/token

access protected resource
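The token request above and the ROLE_ prefix rule from the hasRole section, as an added Python example (not code from the page or from Spring): it builds the same request the curl command sends, checks the token reply before the access token is used, and models Spring Security 4's hasRole on a list of granted authorities. SAMPLE_TOKEN_RESPONSE is a constructed reply; the client id, secret, user and URL are the ones on the page.

```python
import base64
import json
from urllib import parse, request

TOKEN_URL = "http://localhost:8080/oauth/token"  # endpoint from the page
# Constructed token response in the shape Spring OAuth2 returns (not captured output)
SAMPLE_TOKEN_RESPONSE = ('{"access_token":"constructed-token","token_type":"bearer",'
                         '"expires_in":43199,"scope":"webclient"}')


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """What curl -u sends: RFC 7617 Basic credentials for the OAuth2 client."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def password_grant_body(username: str, password: str, scope: str) -> bytes:
    """The curl -d form body, URL-encoded so special characters in passwords survive."""
    fields = {"grant_type": "password", "scope": scope,
              "username": username, "password": password}
    return parse.urlencode(fields).encode("ascii")

def parse_token_response(body: str, expected_scope: str) -> str:
    """Return access_token only if the reply is a bearer token carrying the scope asked for."""
    data = json.loads(body)
    if "error" in data:
        raise ValueError(f"token endpoint error: {data['error']}")
    if data.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type")
    if expected_scope not in data.get("scope", "").split():
        raise ValueError("requested scope was not granted")
    return data["access_token"]

def fetch_token(client_id, client_secret, username, password, scope):
    """Live equivalent of the curl command; needs the authorization server running."""
    req = request.Request(TOKEN_URL, data=password_grant_body(username, password, scope),
                          method="POST")
    req.add_header("Authorization", basic_auth_header(client_id, client_secret))
    req.add_header("Accept", "application/json")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with request.urlopen(req) as resp:
        return parse_token_response(resp.read().decode("utf-8"), scope)

def has_authority(authorities, authority: str) -> bool:
    return authority in authorities  # hasAuthority(): exact match, no prefix logic

def has_role(authorities, role: str, prefix: str = "ROLE_") -> bool:
    """hasRole() as in Spring Security 4: ROLE_ is added only when missing."""
    if not role.startswith(prefix):
        role = prefix + role
    return has_authority(authorities, role)
```

Calling fetch_token("eagleeye", "thisissecret", "will", "pass", "webclient") performs the same exchange as the curl command; the returned token then goes in an Authorization: Bearer header when accessing the protected resource.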
