[英]Spring Boot OAuth2 with basic authentication and custom UserDetailsService
我正在嘗試配置能夠完成基本OAuth2流程的OAuth2服務器(請參閱此處的示例)。
為長期問題道歉
我的第一次嘗試是能夠執行authorization_code流程。
我有以下配置:
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class SecurityConfig
extends WebSecurityConfigurerAdapter {
....
@Inject
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth
.userDetailsService(userDetailsService)
.passwordEncoder(passwordEncoder());
}
...
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.formLogin().loginPage("/login").permitAll()
.and()
.requestMatchers().antMatchers("/login", "/oauth/authorize", "/oauth/confirm_access")
.and()
.authorizeRequests().anyRequest().authenticated();
}
...
@Override
@Bean
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
}
我的服務器配置
@Configuration
@EnableAuthorizationServer
public class OAuth2AuthorServerConfig
extends AuthorizationServerConfigurerAdapter {
@Inject
private TokenStore tokenStore;
@Inject
@Qualifier("authenticationManagerBean")
private AuthenticationManager authenticationManager;
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
endpoints
.tokenStore(tokenStore)
.authenticationManager(authenticationManager);
}
@Override
public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
security
.allowFormAuthenticationForClients()
.checkTokenAccess("authenticated()");
}
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
.inMemory()
.withClient("foo")
.secret("foo")
.authorizedGrantTypes("authorization_code","password", "refresh_token")
.scopes(new String[] { "read", "write" })
}
事實上我的授權代碼流程正常! 當我嘗試執行密碼流時,問題開始如下:
POST localhost:8200/oauth/token
Content-Type: application/x-www-form-urlencoded
Accept:application/json
Authorization:Basic Zm9vOmZvbw=="
username=admin&password=admin&grant_type=password&scope=read%20write&client_secret=foo&client_id=foo&
我的問題是Authorization標頭被忽略,無論結果是否相同,它都會返回access_token和refresh_token
如果我嘗試按如下方式啟用基本身份驗證,請啟用ClientUserDetailsService,從數據庫JDBC中讀取客戶端:
public class SecurityConfig
extends WebSecurityConfigurerAdapter {
....
@Bean
public ClientDetailsUserDetailsService clientDetailsUserDetailsService(ClientDetailsService clientDetailsService){
// JDBC clientDetailsService
return new ClientDetailsUserDetailsService(clientDetailsService);
}
@Inject
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth
.userDetailsService(clientDetailsUserDetailsService());
}
...
@Override
@Bean
public AuthenticationManager authenticationManagerBean() throws Exception {
DaoAuthenticationProvider p = new DaoAuthenticationProvider();
p.setUserDetailsService(userDetailsService);
p.setPasswordEncoder(passwordEncoder());
return new ProviderManager(Lists.newArrayList(p));
// return super.authenticationManagerBean();
}
}
現在我所取得的是讓基本身份驗證正常工作但是我放棄了authorization_code流程,因為基本身份驗證現在是針對clientid和secret而不是用戶的實際憑據完成的
我錯過了什么嗎? 我怎么能同時擁有這兩種流量? 請幫忙,我現在已經掙扎了好幾天了。
一些類似的問題,但沒有任何運氣:
我認為這是因為您已經為客戶啟用了表單身份驗證,您使用它而不是Basic頭。
public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
security
.allowFormAuthenticationForClients()
.checkTokenAccess("authenticated()");
}
取出.allowFormAuthenticationForClients()
。
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.