Spring Boot OAuth2具有基本身份驗證和自定義UserDetailsS​​ervice

Question

我正在嘗試配置能夠完成基本OAuth2流程的OAuth2服務器（請參閱此處的示例）。

為長期問題道歉

我的第一次嘗試是能夠執行authorization_code流程。

我有以下配置：

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class SecurityConfig
        extends WebSecurityConfigurerAdapter {

    ....

        @Inject
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
            auth
              .userDetailsService(userDetailsService)
              .passwordEncoder(passwordEncoder());
    }

...

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .formLogin().loginPage("/login").permitAll()
                .and()
                .requestMatchers().antMatchers("/login", "/oauth/authorize", "/oauth/confirm_access")
                .and()
                .authorizeRequests().anyRequest().authenticated();
    }

...

    @Override
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }
}

我的服務器配置

@Configuration
@EnableAuthorizationServer
public class OAuth2AuthorServerConfig
        extends AuthorizationServerConfigurerAdapter {

    @Inject
    private TokenStore tokenStore;

    @Inject
    @Qualifier("authenticationManagerBean")
    private AuthenticationManager authenticationManager;

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints
            .tokenStore(tokenStore)
            .authenticationManager(authenticationManager);
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
        security
            .allowFormAuthenticationForClients()
            .checkTokenAccess("authenticated()");
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        .inMemory()
                .withClient("foo")
                .secret("foo")
                .authorizedGrantTypes("authorization_code","password", "refresh_token")
                .scopes(new String[] { "read", "write" })
    }

事實上我的授權代碼流程正常！ 當我嘗試執行密碼流時，問題開始如下：

POST localhost:8200/oauth/token
Content-Type: application/x-www-form-urlencoded
Accept:application/json
Authorization:Basic Zm9vOmZvbw=="
username=admin&password=admin&grant_type=password&scope=read%20write&client_secret=foo&client_id=foo&

我的問題是Authorization標頭被忽略，無論結果是否相同，它都會返回access_token和refresh_token

如果我嘗試按如下方式啟用基本身份驗證，請啟用ClientUserDetailsS​​ervice，從數據庫JDBC中讀取客戶端：

public class SecurityConfig
        extends WebSecurityConfigurerAdapter {

    ....

@Bean
public ClientDetailsUserDetailsService   clientDetailsUserDetailsService(ClientDetailsService clientDetailsService){
    // JDBC clientDetailsService
    return new ClientDetailsUserDetailsService(clientDetailsService);
}


        @Inject
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
            auth
              .userDetailsService(clientDetailsUserDetailsService());
    }

...

@Override
@Bean
public AuthenticationManager authenticationManagerBean() throws Exception {
    DaoAuthenticationProvider p = new DaoAuthenticationProvider();
    p.setUserDetailsService(userDetailsService);
    p.setPasswordEncoder(passwordEncoder());
    return new ProviderManager(Lists.newArrayList(p));
    //        return super.authenticationManagerBean();
    }

    }

現在我所取得的是讓基本身份驗證正常工作但是我放棄了authorization_code流程，因為基本身份驗證現在是針對clientid和secret而不是用戶的實際憑據完成的

我錯過了什么嗎？ 我怎么能同時擁有這兩種流量？ 請幫忙，我現在已經掙扎了好幾天了。

一些類似的問題，但沒有任何運氣：

• 在Spring Security OAuth2中注入自定義userDetailsS​​ervice的問題
• 未找到Spring Boot OAuth 2.0 UserDetails用戶

Answer 1

我認為這是因為您已經為客戶啟用了表單身份驗證，您使用它而不是Basic頭。

public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
    security
        .allowFormAuthenticationForClients()
        .checkTokenAccess("authenticated()");
}

取出.allowFormAuthenticationForClients() 。