[英]Spring OAuth2 Implicit Flow - Auth server not processing the POST /oauth/authorize request
我有一個授權服務器( http:// localhost:8082 ),資源服務器和隱式客戶端( http:// localhost:8080 )項目。 問題在於,當客戶端請求授權(令牌)時,身份驗證服務器會顯示登錄屏幕,但成功登錄后,它將重定向到GET http:// localhost:8082 /而不是http:// localhost:8082 / authorize?client_id = ...(應客戶要求)
我看到此日志:
隱式客戶端:
.s.o.c.t.g.i.ImplicitAccessTokenProvider : Retrieving token from http://localhost:8082/oauth/authorize
o.s.web.client.RestTemplate : Created POST request for "http://localhost:8082/oauth/authorize"
.s.o.c.t.g.i.ImplicitAccessTokenProvider : Encoding and sending form: {response_type=[token], client_id=[themostuntrustedclientid], scope=[read_users write_users], redirect_uri=[http://localhost:8080/api/accessTokenExtractor]}
o.s.web.client.RestTemplate : POST request for "http://localhost:8082/oauth/authorize" resulted in 302 (null)
o.s.s.web.DefaultRedirectStrategy : Redirecting to 'http://localhost:8082/login?client_id=themostuntrustedclientid&response_type=token&redirect_uri=http://localhost:8080/api/accessTokenExtractor'
驗證服務器:
o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'POST /oauth/authorize' doesn't match 'GET /**
o.s.s.w.util.matcher.AndRequestMatcher : Did not match
o.s.s.w.s.HttpSessionRequestCache : Request not saved as configured RequestMatcher did not match
o.s.s.w.a.ExceptionTranslationFilter : Calling Authentication entry point.
o.s.s.web.DefaultRedirectStrategy : Redirecting to 'http://localhost:8082/login'
隱式客戶端正在為/ oauth / authorize進行發布,而不是獲取它,並且authserver不存儲POST請求。 身份驗證服務器返回重定向302,隱式客戶端將瀏覽器重定向到該URL: http://localhost:8082/login?client_id=themostuntrustedclientid&response_type=token&redirect_uri=http://localhost:8080/api/accessTokenExtractor
成功登錄后,身份驗證服務器沒有目標URL,因此它顯示http:// localhost:8082 /,因此它不處理任何/ oauth / authorize請求...問題出在哪里?
認證服務器配置:
@Configuration
class OAuth2Config extends AuthorizationServerConfigurerAdapter{
@Autowired
private AuthenticationManager authenticationManager
@Bean
public TokenStore tokenStore() {
return new InMemoryTokenStore();
}
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients.inMemory()
.withClient("themostuntrustedclientid")
.secret("themostuntrustedclientsecret")
.authorizedGrantTypes("implicit")
.authorities("ROLE_USER")
.scopes("read_users", "write_users")
.accessTokenValiditySeconds(60)
}
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
endpoints.authenticationManager(this.authenticationManager);
}
@Override
public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
//security.checkTokenAccess('hasRole("ROLE_RESOURCE_PROVIDER")')
security.checkTokenAccess('isAuthenticated()')
}
}
@Configuration
@EnableWebSecurity
class SecurityConfig extends WebSecurityConfigurerAdapter{
@Autowired
public void configureGlobalSecurity(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication().withUser("jose").password("mypassword").roles('USER').and()
.withUser("themostuntrustedclientid").password("themostuntrustedclientsecret").roles('USER')
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf()
//
//XXX Si se usa implicit descomentar
.ignoringAntMatchers("/oauth/authorize")
.and()
.authorizeRequests()
.anyRequest().authenticated()
.and()
//.httpBasic()
.formLogin()
.loginPage("/login").permitAll()
}
}
隱式客戶端配置:
@Configuration
class OAuth2Config {
@Value('${oauth.authorize:http://localhost:8082/oauth/authorize}')
private String authorizeUrl
@Value('${oauth.token:http://localhost:8082/oauth/token}')
private String tokenUrl
@Autowired
private OAuth2ClientContext oauth2Context
@Bean
OAuth2ProtectedResourceDetails resource() {
ImplicitResourceDetails resource = new ImplicitResourceDetails()
resource.setAuthenticationScheme(AuthenticationScheme.header)
resource.setAccessTokenUri(authorizeUrl)
resource.setUserAuthorizationUri(authorizeUrl);
resource.setClientId("themostuntrustedclientid")
resource.setClientSecret("themostuntrustedclientsecret")
resource.setScope(['read_users', 'write_users'])
resource
}
@Bean
OAuth2RestTemplate restTemplate() {
OAuth2RestTemplate restTemplate = new OAuth2RestTemplate(resource(), oauth2Context)
//restTemplate.setAuthenticator(new ApiConnectOAuth2RequestAuthenticator())
restTemplate
}
@Configuration
class SecurityConfig extends WebSecurityConfigurerAdapter{
@Autowired
public void configureGlobalSecurity(AuthenticationManagerBuilder auth) throws Exception {
auth.eraseCredentials(false)
.inMemoryAuthentication().withUser("jose").password("mypassword").roles('USER')
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf()
.ignoringAntMatchers("/accessTokenExtractor")
.and()
.authorizeRequests()
.anyRequest().hasRole('USER')
.and()
.formLogin()
.loginPage("/login").permitAll()
}
}
問題出在Auth服務器的SecurityConfig中。 隱式客戶端自動發送帶有client_id和client_secret的基本授權標頭。 我的身份驗證服務器配置為使用表單登錄而不是基本身份驗證。 我更改了它,現在它可以按預期工作:
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf()
//
//XXX Si se usa implicit descomentar
.ignoringAntMatchers("/oauth/authorize")
.and()
.authorizeRequests()
.anyRequest().authenticated()
.and()
.httpBasic()
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.