Spring Security OAuth2 | InsufficientAuthenticationException
[英]Spring Security OAuth2 | InsufficientAuthenticationException
问题描述
I am trying to build an OAuth2 authorization server using Spring Security OAuth2 (2.0.6.RELEASE). 
我正在尝试使用Spring Security OAuth2(2.0.6.RELEASE)构建OAuth2授权服务器。
This is how my relevant configuration looks:- 这是我的相关配置的外观: -
@Configuration
@EnableAuthorizationServer
public class OAuth2AuthorizationConfig extends
AuthorizationServerConfigurerAdapter {
@Autowired
private AuthenticationManager authenticationManager;
/*
* (non-Javadoc)
*
* @see
* org.springframework.security.oauth2.config.annotation.web.configuration
* .AuthorizationServerConfigurerAdapter
* #configure(org.springframework.security
* .oauth2.config.annotation.web.configurers
* .AuthorizationServerEndpointsConfigurer)
*/
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints)
throws Exception {
endpoints.authenticationManager(authenticationManager);
}
/*
* (non-Javadoc)
*
* @see
* org.springframework.security.oauth2.config.annotation.web.configuration
* .AuthorizationServerConfigurerAdapter
* #configure(org.springframework.security
* .oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer)
*/
@Override
public void configure(ClientDetailsServiceConfigurer clients)
throws Exception {
// OAuth2 CLIENT CONFIGURATION !!!!!
clients.inMemory().withClient("sambhav").secret("sambhav")
.authorizedGrantTypes("authorization_code")
.scopes("openid", "all").redirectUris("http:localhost:9001");
}
/*
* (non-Javadoc)
*
* @see
* org.springframework.security.oauth2.config.annotation.web.configuration
* .AuthorizationServerConfigurerAdapter
* #configure(org.springframework.security
* .oauth2.config.annotation.web.configurers
* .AuthorizationServerSecurityConfigurer)
*/
@Override
public void configure(AuthorizationServerSecurityConfigurer security)
throws Exception {
super.configure(security);
}
}
Using Spring Boot embedded jetty, during startup I see that OAuth2 endpoints do get registered in my logs. 使用Spring Boot嵌入式jetty,在启动过程中,我发现OAuth2端点确实已在我的日志中注册。
While trying to hit (using Postman) the /oauth/authorize POST endpoint with client_id=sambhav,response_type=code,redirect_uri=http://localhost:9001,scope=all, I am getting 500 error in response with the following error:- 尝试命中(使用Postman)/ oauth /授权POST端点时, client_id=sambhav,response_type=code,redirect_uri=http://localhost:9001,scope=all,我收到500错误以响应以下错误: -
{"timestamp":1423055109697,"status":500,"error":"Internal Server Error","exception":"org.springframework.security.authentication.InsufficientAuthenticationException","message":"User must be authenticated with Spring Security before authorization can be completed.","path":"/oauth/authorize"}
Looking at the logs, I can see that there is check for authentication in class org.springframework.security.oauth2.provider.endpoint.AuthorizationEndpoint 's method authorize :- 查看日志,我可以看到在类org.springframework.security.oauth2.provider.endpoint.AuthorizationEndpoint的方法authorize检查身份验证: -
@RequestMapping(value = "/oauth/authorize")
public ModelAndView authorize(Map<String, Object> model, @RequestParam Map<String, String> parameters,
SessionStatus sessionStatus, Principal principal) {
// Pull out the authorization request first, using the OAuth2RequestFactory. All further logic should
// query off of the authorization request instead of referring back to the parameters map. The contents of the
// parameters map will be stored without change in the AuthorizationRequest object once it is created.
AuthorizationRequest authorizationRequest = getOAuth2RequestFactory().createAuthorizationRequest(parameters);
Set<String> responseTypes = authorizationRequest.getResponseTypes();
if (!responseTypes.contains("token") && !responseTypes.contains("code")) {
throw new UnsupportedResponseTypeException("Unsupported response types: " + responseTypes);
}
if (authorizationRequest.getClientId() == null) {
throw new InvalidClientException("A client id must be provided");
}
try {
// THIS check causes the problem
if (!(principal instanceof Authentication) || !((Authentication) principal).isAuthenticated()) {
throw new InsufficientAuthenticationException(
"User must be authenticated with Spring Security before authorization can be completed.");
}
PROBLEM 问题
Why is an already established Authentication required for the authorize step? 为什么授权步骤需要已建立的身份验证?
Whose authorization (user or client) is required? 需要谁的授权(用户或客户)? How do I do that? 我怎么做? Using client_id/client_secret combo? 使用client_id / client_secret组合?
1 个解决方案
解决方案1
3 已采纳 2015-02-05 09:16:57
The authorization_code grant gives a client access to a resource server if the user (aka resource owner) allows it. 如果用户(也称为资源所有者)允许,则authorization_code grant授予客户端对资源服务器的访问权限。
You are trying to access the page where the user can grant authorization to the client but you are not logged in as a user so Spring Security can't know who is supposed to authorize the client (sambhav) in your example. 您正在尝试访问用户可以向客户端授予权限但您没有以用户身份登录的页面,因此Spring Security无法知道在您的示例中谁应该授权客户端(sambhav)。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.