堆栈内存溢出
  简体   繁体   English

Spring OAuth2隐式流程-Auth服务器未处理POST / oauth / authorize请求

[英]Spring OAuth2 Implicit Flow - Auth server not processing the POST /oauth/authorize request

 原文  2017-03-17 12:01:29       spring/ spring-security/ oauth-2.0/ spring-security-oauth2

问题描述

I have an authorization server ( http://localhost:8082 ), resource server and implicit client ( http://localhost:8080 ) project. 我有一个授权服务器( http:// localhost:8082 ),资源服务器和隐式客户端( http:// localhost:8080 )项目。 The problem is that when the client asks for the authorization (token), the auth server shows the login screen but after the successful login it redirects to GET http://localhost:8082/ instead of to http://localhost:8082/authorize?client_id= ... (as requested by the client) 问题在于,当客户端请求授权(令牌)时,身份验证服务器会显示登录屏幕,但成功登录后,它将重定向到GET http:// localhost:8082 /而不是http:// localhost:8082 / authorize?client_id = ...(应客户要求)

I am seeing this log: 我看到此日志:

Implicit client: 隐式客户端: 

.s.o.c.t.g.i.ImplicitAccessTokenProvider : Retrieving token from http://localhost:8082/oauth/authorize
o.s.web.client.RestTemplate              : Created POST request for "http://localhost:8082/oauth/authorize"
.s.o.c.t.g.i.ImplicitAccessTokenProvider : Encoding and sending form: {response_type=[token], client_id=[themostuntrustedclientid], scope=[read_users write_users], redirect_uri=[http://localhost:8080/api/accessTokenExtractor]}
o.s.web.client.RestTemplate              : POST request for "http://localhost:8082/oauth/authorize" resulted in 302 (null)
o.s.s.web.DefaultRedirectStrategy        : Redirecting to 'http://localhost:8082/login?client_id=themostuntrustedclientid&response_type=token&redirect_uri=http://localhost:8080/api/accessTokenExtractor'

Auth Server: 验证服务器: 

o.s.s.w.u.matcher.AntPathRequestMatcher  : Request 'POST /oauth/authorize' doesn't match 'GET /**
o.s.s.w.util.matcher.AndRequestMatcher   : Did not match
o.s.s.w.s.HttpSessionRequestCache        : Request not saved as configured RequestMatcher did not match
o.s.s.w.a.ExceptionTranslationFilter     : Calling Authentication entry point.
o.s.s.web.DefaultRedirectStrategy        : Redirecting to 'http://localhost:8082/login'

The implicit client is POSTing for /oauth/authorize, instead of GETting it, and the authserver doesn't store POST requests. 隐式客户端正在为/ oauth / authorize进行发布,而不是获取它,并且authserver不存储POST请求。 The auth server returns a redirect 302 and the implicit client redirects the browser to this url: http://localhost:8082/login?client_id=themostuntrustedclientid&response_type=token&redirect_uri=http://localhost:8080/api/accessTokenExtractor 身份验证服务器返回重定向302,隐式客户端将浏览器重定向到该URL: http://localhost:8082/login?client_id=themostuntrustedclientid&response_type=token&redirect_uri=http://localhost:8080/api/accessTokenExtractor

After successful login the auth server doesn't have a target url so it shows http://localhost:8082/ so it doesn't process any /oauth/authorize request... Where is the problem? 成功登录后,身份验证服务器没有目标URL,因此它显示http:// localhost:8082 /,因此它不处理任何/ oauth / authorize请求...问题出在哪里?

AUTH SERVER CONFIG: 认证服务器配置: 

@Configuration
class OAuth2Config extends AuthorizationServerConfigurerAdapter{

    @Autowired
    private AuthenticationManager authenticationManager

    @Bean
    public TokenStore tokenStore() {
        return new InMemoryTokenStore();
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
            .withClient("themostuntrustedclientid")
            .secret("themostuntrustedclientsecret")
            .authorizedGrantTypes("implicit")
            .authorities("ROLE_USER")
            .scopes("read_users", "write_users")
            .accessTokenValiditySeconds(60)     
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.authenticationManager(this.authenticationManager);
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
        //security.checkTokenAccess('hasRole("ROLE_RESOURCE_PROVIDER")')
        security.checkTokenAccess('isAuthenticated()')
    }

}

@Configuration
@EnableWebSecurity
class SecurityConfig extends WebSecurityConfigurerAdapter{

    @Autowired
    public void configureGlobalSecurity(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication().withUser("jose").password("mypassword").roles('USER').and()
                                     .withUser("themostuntrustedclientid").password("themostuntrustedclientsecret").roles('USER')
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
        .csrf()
            //
            //XXX Si se usa implicit descomentar
            .ignoringAntMatchers("/oauth/authorize")
            .and()
        .authorizeRequests()
            .anyRequest().authenticated()
            .and()
        //.httpBasic()
        .formLogin()
            .loginPage("/login").permitAll()
    }

}

IMPLICIT CLIENT CONFIG: 隐式客户端配置: 

@Configuration
class OAuth2Config {

    @Value('${oauth.authorize:http://localhost:8082/oauth/authorize}')
    private String authorizeUrl

    @Value('${oauth.token:http://localhost:8082/oauth/token}')
    private String tokenUrl

    @Autowired
    private OAuth2ClientContext oauth2Context

    @Bean
    OAuth2ProtectedResourceDetails resource() {
        ImplicitResourceDetails resource = new ImplicitResourceDetails()
        resource.setAuthenticationScheme(AuthenticationScheme.header)
        resource.setAccessTokenUri(authorizeUrl)
        resource.setUserAuthorizationUri(authorizeUrl);
        resource.setClientId("themostuntrustedclientid")
        resource.setClientSecret("themostuntrustedclientsecret")
        resource.setScope(['read_users', 'write_users'])
        resource
    }

    @Bean
    OAuth2RestTemplate restTemplate() {
        OAuth2RestTemplate restTemplate = new OAuth2RestTemplate(resource(), oauth2Context)
        //restTemplate.setAuthenticator(new ApiConnectOAuth2RequestAuthenticator())
        restTemplate
    }

@Configuration
class SecurityConfig extends WebSecurityConfigurerAdapter{

    @Autowired
    public void configureGlobalSecurity(AuthenticationManagerBuilder auth) throws Exception {
        auth.eraseCredentials(false)
            .inMemoryAuthentication().withUser("jose").password("mypassword").roles('USER')
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
        .csrf()
            .ignoringAntMatchers("/accessTokenExtractor")
        .and()
        .authorizeRequests()
        .anyRequest().hasRole('USER')
        .and()
        .formLogin()
            .loginPage("/login").permitAll()
    }

}

1 个解决方案

解决方案1
 0 已采纳  2017-03-21 10:04:52

The problem was in the SecurityConfig of the Auth server. 问题出在Auth服务器的SecurityConfig中。 The implicit client sends automatically a basic Authorization header with the client_id and client_secret. 隐式客户端自动发送带有client_id和client_secret的基本授权标头。 My Auth server was configured to use form login instead of basic auth. 我的身份验证服务器配置为使用表单登录而不是基本身份验证。 I changed it and now it works as expected: 我更改了它,现在它可以按预期工作: 

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
    .csrf()
        //
        //XXX Si se usa implicit descomentar
        .ignoringAntMatchers("/oauth/authorize")
        .and()
    .authorizeRequests()
        .anyRequest().authenticated()
        .and()
    .httpBasic()

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 Spring Oauth2隐式流 - Spring Oauth2 implicit flow Spring Boot OAuth2隐式流+表单登录和请求方法'POST'不支持错误 - Spring Boot OAuth2 implicit flow + form login and Request method 'POST' not supported error Spring OAuth2隐式流重定向URL - Spring OAuth2 implicit flow redirect url Spring auth 服务器代码授权通过 Postman 为端点 /oauth2/authorize 返回 401 未授权 - Spring auth server code grant returns 401 unauthorized for endpoint /oauth2/authorize via Postman Spring 启动,OAuth2 自定义身份验证服务器 - Spring Boot, OAuth2 Custom Auth Server Spring OAuth2 Auth Server:特定的/ oauth / token过滤器? - Spring OAuth2 Auth Server: a specific /oauth/token filter? Spring OAuth安全性-隐式流程 - Spring OAuth security - Implicit flow Spring OAuth2-使用其他信息授权URL - Spring OAuth2 - Authorize URLs with Additional Information Spring Security:对请求体进行两次反序列化(oauth2处理) - Spring Security: deserialize request body twice (oauth2 processing) Spring Oauth2 SSO-无法从Auth服务器注销 - Spring Oauth2 SSO - Unable to logout from the Auth server
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM