Spring安全性Oauth2资源所有者密码凭证授权
[英]Spring security Oauth2 Resource Owner Password Credentials Grant
问题描述
Have just installed spring security oauth2 in my eclipse IDE. 
刚刚在我的eclipse IDE中安装了spring security oauth2。 The service am trying to implement will be consumed by second party users through their installed applications hence i chose to use password grant type. 我试图实现的服务将由第二方用户通过其安装的应用程序使用,因此我选择使用密码授予类型。 As per my understanding of Oauth2 the following request should work for the demo sparklr2 service without the need of me encording the username and password parameters. 根据我对Oauth2的理解,以下请求应该适用于演示sparklr2服务,而无需我使用用户名和密码参数。 ie 即
POST http://localhost:8080/sparklr2/oauth/token?grant_type=password&client_id=my-trusted-client&scope=trust&username=marissa&password=koala
but i keep getting 但我一直在
<oauth>
<error_description>
Full authentication is required to access this resource
</error_description>
<error>unauthorized</error>
</oauth>
am i missing something in this request or do i need to enable something in the repo 我在这个请求中遗漏了什么,或者我需要在回购中启用一些东西
2 个解决方案
解决方案1
7 2016-12-29 12:47:31
Although the question is a bit old, I would like to contribute with my findings around this. 虽然问题有点陈旧,但我想就此发表我的研究结果。
It is true that for Spring OAuth you need to specify a client ID in order to access to the token endpoint, but it is not necessary to specify client Secret for password grant type. 确实,对于Spring OAuth,您需要指定一个客户端ID才能访问令牌端点,但是没有必要为密码授予类型指定客户端密钥。
Next lines are an example of an Authorization Server client for password grant type without any client Secret. 下一行是没有任何客户端密钥的密码授予类型的授权服务器客户端的示例。 Yout just need to add them in your class that extends AuthorizationServerConfigurerAdapter : Yout只需要在扩展AuthorizationServerConfigurerAdapter的类中添加它们:
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients.inMemory()
.withClient("clientId")
.authorizedGrantTypes("password")
.authorities("ROLE_CLIENT")
.scopes("read");
}
}
Furthermore, it is indeed possible to avoid the HTTP Basic Authentication in the token endpoint and add our client_id as another request parameter in our POST call. 此外,确实可以避免令牌端点中的HTTP基本身份验证,并将我们的client_id添加为POST调用中的另一个请求参数。
To achieve this, you just need to add these lines in the same class as before: 要实现这一点,您只需要将这些行添加到与以前相同的类中:
@Override
public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
oauthServer.allowFormAuthenticationForClients();
}
Now we can call the token endpoint by this way, which seems more correct following the examples found in Stormpath webpage 现在我们可以通过这种方式调用令牌端点,这看起来更符合Stormpath网页中的示例
POST http://localhost:8080/sparklr2/oauth/token?grant_type=password&client_id=clientId&scope=read&username=marissa&password=koala
解决方案2
6 已采纳 2014-07-12 21:29:58
It seems like Spring OAuth2 doesn't support the password grant type for a secret-less OAuth2 client. 似乎Spring OAuth2不支持无秘密OAuth2客户端的密码授予类型。 This might be as per the OAuth2 spec: http://tools.ietf.org/html/rfc6749#section-4.3.2 , although the spec seems to indicate that the client authentication is not always required (that's not very clear to me). 这可能是根据OAuth2规范: http : //tools.ietf.org/html/rfc6749#section-4.3.2 ,虽然规范似乎表明客户端身份验证并不总是需要的(这对我来说不是很清楚)。
That means that when calling the token endpoint using the password grant type, you need to pass in the client ID and secret (using basic auth), which also mean that you can't use the password grant if the client does not have a secret (you might still be able to use the implicit flow). 这意味着当使用密码授予类型调用令牌端点时,您需要传入客户端ID和密码(使用基本身份验证),这也意味着如果客户端没有秘密,则无法使用密码授予(您可能仍然可以使用隐式流程)。
In sparklr2, my-trusted-client does not have a secret defined which is why your call fails. 在sparklr2中, my-trusted-client没有定义秘密,这就是您的呼叫失败的原因。
If you want to see the password grant type in action you can try my-trusted-client-with-secret : 如果您想要查看密码授予类型,您可以尝试my-trusted-client-with-secret :
curl -u my-trusted-client-with-secret:somesecret "http://localhost:8080/sparklr2/oauth/token?grant_type=password&username=marissa&password=koala"
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.