Spring Authorization Server: Sending Opaque Token to Introspect endpoint returns "invalid_request"
I am migrating a project to Spring Authorization Server (1.0.0) and have hit an issue.
Despite the lack of much in the way of examples or documentation I have pressed ahead with trying to set it up to return Opaque tokens using the Authorization Code Flow (with PKCE).
I have managed to get the Scheme deployed and hook up all the services and have got to the point where my SPA can send a user to login on the Authorization server and use the code that comes back to get a token from the server.
The issues come when trying to send that access token to the introspect endpoint (I have not done any configuration on this; it has been left as default).
Regardless of what tool I use (Spring OAuth2 Resource Server or Postman), when I pass in the access token I am getting the following response.
{
"error": "invalid_request"
}
I have confirmed that the access token exists in the oauth2_authorization table and that the correct client id & secret are being used (an incorrect client id or secret on the introspection request returns a different error).
There are no errors shown in the console (regardless of log level), so I am getting a bit lost really.
The documentation seems really limited on this project, so I wanted to reach out to the community and see if anybody has any examples of how to set up opaque tokens or any ideas where I may be going wrong.
It sounds like we need an official sample or guide in the documentation to demonstrate this setup.
As it happens, we're presenting on this in our talk "Configuring and Extending Spring Authorization Server" at SpringOne Essentials in a few days (Jan 26, 2023). I cover both opaque tokens and token introspection in the upcoming talk.
The general approach I took to configure the Getting Started example is as follows:
- Split the RegisteredClient into two clients called oidc-client and messaging-client
- Leave oidc-client configured for OIDC, meaning it will remain configured to use JWTs
- Change messaging-client to use opaque tokens with .tokenSettings(TokenSettings.builder().accessTokenFormat(OAuth2TokenFormat.REFERENCE).build())
The oidc-client would then be used just for logging in at the client, so it only needs scopes like openid and profile. The messaging-client would be used by the client to obtain an access token for accessing protected resources at the resource server, so it needs the scopes message.read and message.write in this example.
Splitting the RegisteredClient into two separate clients is necessary so that JWTs can continue to be used for the UserInfo endpoint[1].
See the following commits for the example:
[1] Note: It is actually a bit more difficult (though very possible) to configure Spring Authorization Server to use opaque tokens for the UserInfo endpoint. It involves configuring an OpaqueTokenIntrospector from Spring Security to introspect tokens internally. This would be a fairly advanced setup and possibly somewhat confusing, so we chose not to try and cover it in the talk.
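As an added illustration (my own code, not the answer's or the project's), here is how the two-client split described in the answer could look as a single RegisteredClientRepository bean for Spring Authorization Server 1.0.0. The package name, client secrets, redirect URIs, token lifetime and the PKCE requirement on messaging-client are assumptions; the two client ids, the scopes and the OAuth2TokenFormat.REFERENCE setting come from the answer.

```java
package com.example.authserver; // hypothetical package for this added example

import java.time.Duration;
import java.util.UUID;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.security.oauth2.core.oidc.OidcScopes;
import org.springframework.security.oauth2.server.authorization.client.InMemoryRegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.settings.ClientSettings;
import org.springframework.security.oauth2.server.authorization.settings.OAuth2TokenFormat;
import org.springframework.security.oauth2.server.authorization.settings.TokenSettings;

@Configuration
public class RegisteredClientConfig {

    @Bean
    public RegisteredClientRepository registeredClientRepository() {
        // oidc-client: used only to log the user in at the client application.
        // The token format is left at its default (self-contained JWT), so the
        // UserInfo endpoint keeps working without any extra introspection wiring.
        RegisteredClient oidcClient = RegisteredClient.withId(UUID.randomUUID().toString())
                .clientId("oidc-client")
                .clientSecret("{noop}oidc-secret") // constructed sample; store an encoded secret in real deployments
                .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
                .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                .authorizationGrantType(AuthorizationGrantType.REFRESH_TOKEN)
                .redirectUri("http://127.0.0.1:8080/login/oauth2/code/oidc-client") // assumed redirect URI
                .scope(OidcScopes.OPENID)
                .scope(OidcScopes.PROFILE)
                .clientSettings(ClientSettings.builder().requireAuthorizationConsent(true).build())
                .build();

        // messaging-client: issues opaque (reference) access tokens that the resource
        // server validates by calling the authorization server's /oauth2/introspect endpoint.
        RegisteredClient messagingClient = RegisteredClient.withId(UUID.randomUUID().toString())
                .clientId("messaging-client")
                .clientSecret("{noop}messaging-secret") // constructed sample secret
                .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
                .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                .authorizationGrantType(AuthorizationGrantType.REFRESH_TOKEN)
                .redirectUri("http://127.0.0.1:8080/authorized") // assumed redirect URI
                .scope("message.read")
                .scope("message.write")
                // Require PKCE for this client, matching the question's flow (assumption).
                .clientSettings(ClientSettings.builder()
                        .requireAuthorizationConsent(true)
                        .requireProofKey(true)
                        .build())
                // REFERENCE is the setting the answer names: access tokens become opaque
                // handles stored server-side rather than self-contained JWTs.
                .tokenSettings(TokenSettings.builder()
                        .accessTokenFormat(OAuth2TokenFormat.REFERENCE)
                        .accessTokenTimeToLive(Duration.ofMinutes(30)) // assumed lifetime
                        .build())
                .build();

        return new InMemoryRegisteredClientRepository(oidcClient, messagingClient);
    }
}
```

On the resource server side, a Spring Boot application would then point the opaque-token support at the authorization server with the standard properties spring.security.oauth2.resourceserver.opaquetoken.introspection-uri, client-id and client-secret, using the messaging-client credentials, since the introspection endpoint authenticates the calling client before it will report on a token. Keeping the two clients separate means an opaque token from messaging-client is never presented where a JWT is expected, which is the point the answer makes about the UserInfo endpoint.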