使用 Spring security oauth,使用自定义 OAuth 提供程序,我得到 [authorization_request_not_found],我应该自己处理回调方法吗?
[英]Using Spring security oauth, using a custom OAuth provider, I get [authorization_request_not_found], should I handle the callback method myself?
问题描述
Using Spring Security 5 oauth I successfully ran through the whole authentication/authorization cycle using Google as OAuth provider, but I am stuck if I use an OAuth provider that I made myself, running on a different application.
使用 Spring Security 5 oauth 我成功地使用 Google 作为 OAuth 提供程序完成了整个身份验证/授权周期,但是如果我使用我自己制作的在不同应用程序上运行的 OAuth 提供程序,我就会陷入困境。
I'm using the following 2 dependencies:我正在使用以下 2 个依赖项:
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-oauth2-client</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-oauth2-jose</artifactId>
</dependency>
Using Google, I just configured this:使用谷歌,我刚刚配置了这个:
spring.security.oauth2.client.registration.google.client-id=xxx
spring.security.oauth2.client.registration.google.client-secret=xxx
When using Google (or Facebook, Github or Okta), there is a default configuration that takes care of other settings.使用 Google(或 Facebook、Github 或 Okta)时,有一个默认配置负责其他设置。
Now I created my own OAuth provider.现在我创建了自己的 OAuth 提供程序。 This is also a Spring Boot application configured with @EnableAuthorizationServer and otherwise fairly standard, though it has custom principals.这也是一个使用@EnableAuthorizationServer配置的 Spring Boot 应用程序,其他方面相当标准,尽管它具有自定义主体。 This is also running on localhost but port 8081. The configuration in the resource server is as such:这也在本地主机上运行,但端口为 8081。资源服务器中的配置如下:
spring.security.oauth2.client.registration.bx.client-id=xxx
spring.security.oauth2.client.registration.bx.client-secret=xxx
spring.security.oauth2.client.registration.bx.client-name=bx
spring.security.oauth2.client.registration.bx.provider=bx
spring.security.oauth2.client.registration.bx.scope=user
spring.security.oauth2.client.registration.bx.redirect-uri-template=http://localhost:8080/login/oauth2/code/bx
spring.security.oauth2.client.registration.bx.client-authentication-method=basic
spring.security.oauth2.client.registration.bx.authorization-grant-type=authorization_code
spring.security.oauth2.client.provider.bx.authorization-uri=http://localhost:8081/oauth/authorize
spring.security.oauth2.client.provider.bx.token-uri=http://localhost:8081/oauth/token
spring.security.oauth2.client.provider.bx.user-info-uri=http://localhost:8081/oauth/userInfo
spring.security.oauth2.client.provider.bx.user-name-attribute=name
When trying to use this to log in I am properly redirected to the OAuth provider, where I can log in and allow access to the requested scope using the default generated interface:当尝试使用它登录时,我被正确重定向到 OAuth 提供程序,在那里我可以登录并允许使用默认生成的界面访问请求的范围:
After hitting authorize, I get stuck on the callback part.点击授权后,我卡在回调部分。 I can see a callback to我可以看到回调
http://localhost:8080/login/oauth2/code/bx?code=xxx&state=xxx
coming back from the oauth server and this results in a default HTML page in Spring being shown with the information:从 oauth 服务器返回,这会导致 Spring 中的默认 HTML 页面显示以下信息:
Your login attempt was not successful, try again.
Reason: [authorization_request_not_found]
Login with OAuth 2.0
bx
The log in the resource server is quite long, but I extracted the helpful part:资源服务器的日志比较长,但是我提取了有用的部分:
19:20:07.985 [http-nio-8080-exec-9] DEBUG o.a.coyote.http11.Http11InputBuffer - Received [GET /login/oauth2/code/bx?code=7NVdAE&state=LnjR4J2NO8W26whMWU1GKm03pAaesgrtSPpiuElcJS0%3D HTTP/1.1
Host: localhost:8080
Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3463.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://localhost:8081/oauth/authorize?response_type=code&client_id=brain&scope=user&state=LnjR4J2NO8W26whMWU1GKm03pAaesgrtSPpiuElcJS0%3D&redirect_uri=http://localhost:8080/login/oauth2/code/bx
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: JSESSIONID=4DE280E17D7ED7969E9AF2434E8292E9
]
19:20:07.986 [http-nio-8080-exec-9] DEBUG o.a.t.u.http.Rfc6265CookieProcessor - Cookies: Parsing b[]: JSESSIONID=4DE280E17D7ED7969E9AF2434E8292E9
19:20:07.987 [http-nio-8080-exec-9] DEBUG o.a.catalina.connector.CoyoteAdapter - Requested cookie session id is 4DE280E17D7ED7969E9AF2434E8292E9
19:20:07.987 [http-nio-8080-exec-9] DEBUG o.a.c.a.AuthenticatorBase - Security checking request GET /login/oauth2/code/bx
19:20:07.987 [http-nio-8080-exec-9] DEBUG org.apache.catalina.realm.RealmBase - No applicable constraints defined
19:20:07.987 [http-nio-8080-exec-9] DEBUG o.a.c.a.AuthenticatorBase - Not subject to any constraint
19:20:07.987 [http-nio-8080-exec-9] DEBUG o.s.b.w.s.f.OrderedRequestContextFilter - Bound request context to thread: org.apache.catalina.connector.RequestFacade@15328743
19:20:07.987 [http-nio-8080-exec-9] DEBUG o.s.security.web.FilterChainProxy - /login/oauth2/code/bx?code=7NVdAE&state=LnjR4J2NO8W26whMWU1GKm03pAaesgrtSPpiuElcJS0%3D at position 1 of 14 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
19:20:07.987 [http-nio-8080-exec-9] DEBUG o.s.security.web.FilterChainProxy - /login/oauth2/code/bx?code=7NVdAE&state=LnjR4J2NO8W26whMWU1GKm03pAaesgrtSPpiuElcJS0%3D at position 2 of 14 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
19:20:07.987 [http-nio-8080-exec-9] DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - No HttpSession currently exists
19:20:07.987 [http-nio-8080-exec-9] DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: null. A new one will be created.
19:20:07.987 [http-nio-8080-exec-9] DEBUG o.s.security.web.FilterChainProxy - /login/oauth2/code/bx?code=7NVdAE&state=LnjR4J2NO8W26whMWU1GKm03pAaesgrtSPpiuElcJS0%3D at position 3 of 14 in additional filter chain; firing Filter: 'HeaderWriterFilter'
19:20:07.987 [http-nio-8080-exec-9] DEBUG o.s.security.web.FilterChainProxy - /login/oauth2/code/bx?code=7NVdAE&state=LnjR4J2NO8W26whMWU1GKm03pAaesgrtSPpiuElcJS0%3D at position 4 of 14 in additional filter chain; firing Filter: 'CorsFilter'
19:20:07.989 [http-nio-8080-exec-9] DEBUG o.s.security.web.FilterChainProxy - /login/oauth2/code/bx?code=7NVdAE&state=LnjR4J2NO8W26whMWU1GKm03pAaesgrtSPpiuElcJS0%3D at position 5 of 14 in additional filter chain; firing Filter: 'LogoutFilter'
19:20:07.989 [http-nio-8080-exec-9] DEBUG o.s.s.w.u.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/logout', GET]
19:20:07.989 [http-nio-8080-exec-9] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/login/oauth2/code/bx'; against '/logout'
19:20:07.989 [http-nio-8080-exec-9] DEBUG o.s.s.w.u.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/logout', POST]
19:20:07.989 [http-nio-8080-exec-9] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Request 'GET /login/oauth2/code/bx' doesn't match 'POST /logout
19:20:07.989 [http-nio-8080-exec-9] DEBUG o.s.s.w.u.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/logout', PUT]
19:20:07.989 [http-nio-8080-exec-9] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Request 'GET /login/oauth2/code/bx' doesn't match 'PUT /logout
19:20:07.989 [http-nio-8080-exec-9] DEBUG o.s.s.w.u.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/logout', DELETE]
19:20:07.989 [http-nio-8080-exec-9] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Request 'GET /login/oauth2/code/bx' doesn't match 'DELETE /logout
19:20:07.989 [http-nio-8080-exec-9] DEBUG o.s.s.w.u.matcher.OrRequestMatcher - No matches found
19:20:07.989 [http-nio-8080-exec-9] DEBUG o.s.security.web.FilterChainProxy - /login/oauth2/code/bx?code=7NVdAE&state=LnjR4J2NO8W26whMWU1GKm03pAaesgrtSPpiuElcJS0%3D at position 6 of 14 in additional filter chain; firing Filter: 'OAuth2AuthorizationRequestRedirectFilter'
19:20:07.989 [http-nio-8080-exec-9] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/login/oauth2/code/bx'; against '/oauth2/authorization/{registrationId}'
19:20:07.989 [http-nio-8080-exec-9] DEBUG o.s.security.web.FilterChainProxy - /login/oauth2/code/bx?code=7NVdAE&state=LnjR4J2NO8W26whMWU1GKm03pAaesgrtSPpiuElcJS0%3D at position 7 of 14 in additional filter chain; firing Filter: 'OAuth2LoginAuthenticationFilter'
19:20:07.989 [http-nio-8080-exec-9] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/login/oauth2/code/bx'; against '/login/oauth2/code/*'
19:20:07.989 [http-nio-8080-exec-9] DEBUG o.s.s.o.c.w.OAuth2LoginAuthenticationFilter - Request is to process authentication
19:20:07.989 [http-nio-8080-exec-9] DEBUG o.apache.tomcat.util.http.Parameters - Set encoding to UTF-8
19:20:07.989 [http-nio-8080-exec-9] DEBUG o.apache.tomcat.util.http.Parameters - Decoding query null UTF-8
19:20:07.989 [http-nio-8080-exec-9] DEBUG o.apache.tomcat.util.http.Parameters - Start processing with input [code=7NVdAE&state=LnjR4J2NO8W26whMWU1GKm03pAaesgrtSPpiuElcJS0%3D]
19:20:07.991 [http-nio-8080-exec-9] DEBUG o.s.s.o.c.w.OAuth2LoginAuthenticationFilter - Authentication request failed: org.springframework.security.oauth2.core.OAuth2AuthenticationException: [authorization_request_not_found]
org.springframework.security.oauth2.core.OAuth2AuthenticationException: [authorization_request_not_found]
at org.springframework.security.oauth2.client.web.OAuth2LoginAuthenticationFilter.attemptAuthentication(OAuth2LoginAuthenticationFilter.java:145)
... and some more stack trace that doesn't seem relevant ...以及更多似乎不相关的堆栈跟踪
When looking at the source code of where the exception is being thrown, from https://github.com/spring-projects/spring-security/blob/master/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/OAuth2LoginAuthenticationFilter.java it is showing the following code starting at line 145:查看抛出异常的源代码时,来自https://github.com/spring-projects/spring-security/blob/master/oauth2/oauth2-client/src/main/java/org/springframework /security/oauth2/client/web/OAuth2LoginAuthenticationFilter.java它显示了从第 145 行开始的以下代码:
OAuth2AuthorizationRequest authorizationRequest = this.authorizationRequestRepository.removeAuthorizationRequest(request);
if (authorizationRequest == null) {
OAuth2Error oauth2Error = new OAuth2Error(AUTHORIZATION_REQUEST_NOT_FOUND_ERROR_CODE);
throw new OAuth2AuthenticationException(oauth2Error, oauth2Error.toString());
}
What does this message mean exactly?这个消息究竟是什么意思? How could I have gotten in this state?我怎么会变成这种状态?
Or am I supposed to add a handler myself for the callback url and write custom code to obtain the actual access token?或者我应该自己为回调 url 添加一个处理程序并编写自定义代码来获取实际的访问令牌? Surely the library should be handling this?图书馆当然应该处理这个吗? Why is this case handled automatically for Google as OAuth provider?为什么 Google 作为 OAuth 提供者会自动处理这种情况?
I'm happy to provide any code/further configuration.我很高兴提供任何代码/进一步的配置。
6 个解决方案
解决方案1
7 已采纳 2018-06-18 12:18:13
These error means , that authorization request doesn't found.这些错误意味着未找到该授权请求。 authorization request is stored in session, so some how session is not getting stored. authorization request存储在会话中,因此某些会话没有被存储。 by default session is managed by cookie .默认会话由cookie管理。
So I think that might be because you are running everything on localhost, so first cookie is set by localhost:8080 to store the authorization request session data, & when you login to localhost:8081 it'll set another cookie for it's session.所以我认为这可能是因为你在 localhost 上运行所有东西,所以第一个 cookie 由localhost:8080设置来存储授权请求会话数据,当你登录到localhost:8081它会为它的会话设置另一个 cookie。
解决方案2
1 2021-08-28 09:33:21
I have the same issue like you.我和你有同样的问题。 After I researched this problem i found the answer on https://github.com/spring-projects/spring-security/issues/5946 .在我研究了这个问题后,我在https://github.com/spring-projects/spring-security/issues/5946上找到了答案。 The only thing you need is config you hosts file.您唯一需要的是配置您的主机文件。 Here is my config.这是我的配置。 I'm using Windows:我正在使用 Windows:
*127.0.0.1 localhost auth-server*
May be it's helpful.可能会有所帮助。 I'm using Google translate to write the answer.我正在使用谷歌翻译来写答案。
解决方案3
0 2020-12-14 18:20:12
I was able to fix this by forcing a session to be created on the endpoint that redirects to the oauth2 jose flow.我能够通过强制在重定向到 oauth2 jose 流的端点上创建会话来解决此问题。 Spring's default session creation policy is "if required". Spring 的默认会话创建策略是“如果需要”。 My theory was that it was redirecting to the openId flows without first creating a session.我的理论是它在没有首先创建会话的情况下重定向到 openId 流。
http.authorizeRequests()
.mvcMatchers("/<yourProvider>/login")
.authenticated()
.anyRequest()
.permitAll()
.and()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.ALWAYS)
.and()
...
If anyone has any better ideas or solutions please comment or post.如果有人有更好的想法或解决方案,请发表评论或发表。
Our client is configured to go to the /yourProvider/login in order to authorize.我们的客户端配置为转到 /yourProvider/login 以进行授权。
解决方案4
0 2020-12-21 08:40:06
I got the same error but the problem was not session but wrongly configured "user-attribute-name".我遇到了同样的错误,但问题不是会话而是错误配置的“用户属性名称”。
Analysis steps分析步骤
- After checking server logs I found username not found (or something similar) error.检查服务器日志后,我发现找不到用户名(或类似的东西)错误。
- I copied generated access token to the online decryptor ( https://jwt.io/ ) and saw, that my user attribute name is not user or name but user_name.我将生成的访问令牌复制到在线解密器 ( https://jwt.io/ ) 并看到,我的用户属性名称不是用户或名称,而是 user_name。
- Added that to spring.security.oauth2.provider..user_name_attribure将其添加到 spring.security.oauth2.provider..user_name_attribure
Everything began to work.一切都开始起作用了。
解决方案5
0 2021-06-21 21:35:56
如果您在 Kubernetes 上运行或在负载均衡器后面运行并且忘记激活“粘性会话”以便您的请求最终在不同的主机上,您也会收到此消息。
解决方案6
0 2021-12-06 17:49:25
I had the same error but not in a local context but with a real network context.我有同样的错误,但不是在本地环境中,而是在真实的网络环境中。 The problem was that the application server nginx had the rule SameSite=Strict;问题是应用服务器 nginx 有规则 SameSite=Strict; This broke the redirection process of the oauth authorization code flow.这破坏了 oauth 授权代码流的重定向过程。 This is well explained here even if, in this case, this is not the spring security library which is involved.这在这里得到了很好的解释,即使在这种情况下,这不是所涉及的 spring 安全库。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.