Spring 安全 oauth2 客户端 - 重定向过多
[英]Spring security oauth2 client - too many redirect
问题描述
This is my application property file:
这是我的应用程序属性文件:
spring.security.oauth2.client.registration.myclient.client-id=SampleClientId
spring.security.oauth2.client.registration.myclient.client-secret=secret
spring.security.oauth2.client.provider.myclient.authorization-uri=http://localhost:8081/auth/oauth/authorize
spring.security.oauth2.client.provider.myclient.token-uri=http://localhost:8081/auth/oauth/token
spring.security.oauth2.client.provider.myclient.user-info-uri=http://localhost:8081/auth/user/me
spring.security.oauth2.client.registration.myclient.authorization-grant-type=authorization_code
spring.security.oauth2.client.registration.myclient.redirect-uri=http://localhost:8080/hellouser
spring.security.oauth2.client.provider.myclient.userNameAttribute=user
This is my configuration class:这是我的配置 class:
@Configuration class SecurityConfig extends WebSecurityConfigurerAdapter {
@throws[Exception]
override protected def configure(http: HttpSecurity): Unit = {
http.authorizeRequests.anyRequest.authenticated.and.oauth2Login
.redirectionEndpoint()
.baseUri("/")
}
}
and this my controller:这是我的 controller:
case class Message(val string: String)
@Controller
class SuccessController {
@GetMapping(path = Array("/hellouser"), produces = Array(MediaType.APPLICATION_JSON_VALUE))
def getHelloUser(model: Model, authentication: OAuth2AuthenticationToken ): Message = {
Message("hello user")
}
}
When I do login, I get back ERR_TOO_MANY_REDIRECTS当我登录时,我会返回ERR_TOO_MANY_REDIRECTS
In network section of developer console I see these three call are infinitely repeated:在开发者控制台的网络部分,我看到这三个调用被无限重复:
http://localhost:8081/auth/oauth/authorize?response_type=code&client_id=SampleClientId&state=xyz&redirect_uri=http://localhost:8080/hellouser
http://localhost:8080/hellouser?code=abc&state=xyz
http://localhost:8080/oauth2/authorization/myclient
What I am doing wrong?我做错了什么?
Thank you谢谢
1 个解决方案
解决方案1
5 已采纳 2020-06-16 11:19:23
Do not set your re-direct URI to an API.不要将重定向 URI 设置为 API。
The redirect URI in the authorization code flow is used to pick up the authorization code so it then can be exchanged for tokens.授权代码流中的重定向 URI 用于获取授权代码,然后可以将其交换为令牌。
What is happening in your setup is您的设置中发生的事情是
- Request Starts请求开始
- User is not logged in用户未登录
- Redirect to Authorization login重定向到授权登录
- Redirect back from IdP to predetermined URI从 IdP 重定向回预定的 URI
- Request to API
/helloworld请求 API /helloworld - Go to step 2. Go 到步骤 2。
https://auth0.com/docs/flows/concepts/auth-code has a visual of this, you are not making it to step 4, but short circuiting the flow back to step 1 https://auth0.com/docs/flows/concepts/auth-code可以看到这一点,您没有进入第 4 步,而是将流程短路回到第 1 步
Your config makes it that the auth code flow never completes.您的配置使身份验证代码流永远不会完成。 You should just keep the Spring default redirect URI and remove spring.security.oauth2.client.registration.myclient.redirect-uri=http://localhost:8080/hellouser您应该只保留 Spring 默认重定向 URI 并删除spring.security.oauth2.client.registration.myclient.redirect-uri=http://localhost:8080/hellouser
Nor should you need to set the redirectionEndpoint#baseUri config.您也不需要设置redirectionEndpoint#baseUri配置。
Edit,编辑,
Aditional clarification is that with Spring Security the initial request at step 1 is saved, and when the Authorization Code Flow completes at step 4 Spring will automatically replay the saved request.另外需要说明的是,使用 Spring 安全性,步骤 1 的初始请求被保存,当授权代码流程在步骤 4 完成时,Spring 将自动重播保存的请求。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.