由於缺少CSRF'保留狀態'，Spring-Oauth2訪問令牌請求永遠不會成功

Question

在過去的幾天里，我一直在使用spring-security-oauth2來實現spring boot / spring security /和java配置。 我已經設法解決了大部分困難，但我對現在出了什么問題感到難過。

我正在成功完成以下步驟：

• 將用戶發送給提供商以授權應用程序代表他們行事
• 系統會提示用戶按安全性登錄提供程序
• 用戶授權應用程序，重定向URL將它們發送回原始URL的客戶端應用程序以及查詢字符串中的?code=asdfa&state=asdfasf

此時，我相信使用AuthorizationCodeResourceDetails任何內容應該是為訪問令牌交換授權代碼和客戶端應用程序憑據。 這是進程因以下堆棧跟蹤而失敗的地方。

 Caused by: org.springframework.security.oauth2.common.exceptions.InvalidRequestException: Possible CSRF detected - state parameter was present but no state could be found
    at org.springframework.security.oauth2.client.token.grant.code.AuthorizationCodeAccessTokenProvider.getParametersForTokenRequest(AuthorizationCodeAccessTokenProvider.java:246)
    at org.springframework.security.oauth2.client.token.grant.code.AuthorizationCodeAccessTokenProvider.obtainAccessToken(AuthorizationCodeAccessTokenProvider.java:198)
    at org.springframework.security.oauth2.client.token.AccessTokenProviderChain.obtainNewAccessTokenInternal(AccessTokenProviderChain.java:142)
    at org.springframework.security.oauth2.client.token.AccessTokenProviderChain.obtainAccessToken(AccessTokenProviderChain.java:118)
    at org.springframework.security.oauth2.client.OAuth2RestTemplate.acquireAccessToken(OAuth2RestTemplate.java:221)
    at org.springframework.security.oauth2.client.OAuth2RestTemplate.getAccessToken(OAuth2RestTemplate.java:173)
    at org.springframework.security.oauth2.client.OAuth2RestTemplate.createRequest(OAuth2RestTemplate.java:105)
    at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:564)
    at org.springframework.security.oauth2.client.OAuth2RestTemplate.doExecute(OAuth2RestTemplate.java:128)
    at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:529)
    at org.springframework.web.client.RestTemplate.getForEntity(RestTemplate.java:261)
    at com.pvr.apps.admin.user.UserServiceImpl.getAllUsers(UserServiceImpl.java:51)
    at com.pvr.apps.admin.web.IndexController.serveUserList(IndexController.java:35)

客戶端上的東西看起來像（我在主配置上也有@EnableOAuth2Client注釋）。

@Component
public class UserServiceImpl implements UserService {

    @Resource
    @Qualifier("accessTokenRequest")
    private AccessTokenRequest accessTokenRequest;

    public OAuth2ProtectedResourceDetails createResource() {
        AuthorizationCodeResourceDetails resourceDetails = new AuthorizationCodeResourceDetails();
        resourceDetails.setScope(Lists.newArrayList("read", "write"));
        resourceDetails.setClientId("admin");
        resourceDetails.setClientSecret("password");
        resourceDetails.setAuthenticationScheme(AuthenticationScheme.query);
        resourceDetails.setAccessTokenUri("http://provider.com:8080/oauth/token");
        resourceDetails.setUserAuthorizationUri("http://provider.com:8080/oauth/authorize");
        return resourceDetails;
    }

    @Override
    public List<User> getAllUsers() {

        RestTemplate template = new OAuth2RestTemplate(createResource(), new DefaultOAuth2ClientContext(accessTokenRequest));

        ResponseEntity<User[]> responseEntity = template.getForEntity("http://provider.com:8080/users/", User[].class);
        return Lists.newArrayList(responseEntity.getBody());
    }
}

在提供商方面：

授權服務器配置：

@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter{

    @Autowired
    private LoginUrlAuthenticationEntryPoint authenticationEntryPoint;

    @Autowired
    private AuthenticationManager authenticationManager;


    @Override
    public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
        oauthServer
                .authenticationEntryPoint(authenticationEntryPoint)
                .tokenKeyAccess("isAnonymous() || hasAuthority('ROLE_TRUSTED_CLIENT')")
                .checkTokenAccess("hasAuthority('ROLE_TRUSTED_CLIENT')");
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {

        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();

        endpoints
                .authenticationManager(authenticationManager)
                .accessTokenConverter(converter)
                .tokenStore(new JwtTokenStore(converter));
    }


    // TODO: this should read from a db
    public void configure(ClientDetailsServiceConfigurer clientConfigurer) throws Exception {
        clientConfigurer.inMemory()
                .withClient("admin").secret("password")
                .authorizedGrantTypes(
                        GrantType.PASSWORD.type,
                        GrantType.AUTHORIZATION_CODE.type,
                        GrantType.IMPLICIT.type,
                        GrantType.REFRESH_TOKEN.type
                )
                .authorities("ROLE_TRUSTED_CLIENT")
                .scopes("read", "write", "trust")
                .accessTokenValiditySeconds(60);
    }
}

和資源服務器配置：

@Configuration
@EnableWebMvcSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class MySecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    UserDetailsService userDetailService;

    @Autowired
    AuthenticationProvider authenticationProvider;

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(authenticationProvider);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/login").permitAll()
                .anyRequest().authenticated()
            .and()
                .formLogin()
                    .loginProcessingUrl("/login.do")
                    .usernameParameter("uid")
                    .passwordParameter("pwd")
                    .loginPage("/login")
                    .failureUrl("/login?error=true")
            .and()
                .userDetailsService(userDetailService);
    }

}

Answer 1

它正在尋找的狀態將在OAuth2ClientContext但由於您剛剛創建了一個新的狀態，因此在需要時它超出了范圍。 如果您注入來自@EnableOAuth2Client ，它將在@Scope("session")因此它將能夠為您解析狀態。 GitHub中的所有樣本都以這種方式工作。 或者你可以自己管理持久性，我想。