Spring OAuth2隱式流程-Auth服務器未處理POST / oauth / authorize請求

Question

我有一個授權服務器（ http：// localhost：8082 ），資源服務器和隱式客戶端（ http：// localhost：8080 ）項目。 問題在於，當客戶端請求授權（令牌）時，身份驗證服務器會顯示登錄屏幕，但成功登錄后，它將重定向到GET http：// localhost：8082 /而不是http：// localhost：8082 / authorize？client_id = ...（應客戶要求）

我看到此日志：

隱式客戶端：

.s.o.c.t.g.i.ImplicitAccessTokenProvider : Retrieving token from http://localhost:8082/oauth/authorize
o.s.web.client.RestTemplate              : Created POST request for "http://localhost:8082/oauth/authorize"
.s.o.c.t.g.i.ImplicitAccessTokenProvider : Encoding and sending form: {response_type=[token], client_id=[themostuntrustedclientid], scope=[read_users write_users], redirect_uri=[http://localhost:8080/api/accessTokenExtractor]}
o.s.web.client.RestTemplate              : POST request for "http://localhost:8082/oauth/authorize" resulted in 302 (null)
o.s.s.web.DefaultRedirectStrategy        : Redirecting to 'http://localhost:8082/login?client_id=themostuntrustedclientid&response_type=token&redirect_uri=http://localhost:8080/api/accessTokenExtractor'

驗證服務器：

o.s.s.w.u.matcher.AntPathRequestMatcher  : Request 'POST /oauth/authorize' doesn't match 'GET /**
o.s.s.w.util.matcher.AndRequestMatcher   : Did not match
o.s.s.w.s.HttpSessionRequestCache        : Request not saved as configured RequestMatcher did not match
o.s.s.w.a.ExceptionTranslationFilter     : Calling Authentication entry point.
o.s.s.web.DefaultRedirectStrategy        : Redirecting to 'http://localhost:8082/login'

隱式客戶端正在為/ oauth / authorize進行發布，而不是獲取它，並且authserver不存儲POST請求。 身份驗證服務器返回重定向302，隱式客戶端將瀏覽器重定向到該URL： http://localhost:8082/login?client_id=themostuntrustedclientid&response_type=token&redirect_uri=http://localhost:8080/api/accessTokenExtractor

成功登錄后，身份驗證服務器沒有目標URL，因此它顯示http：// localhost：8082 /，因此它不處理任何/ oauth / authorize請求...問題出在哪里？

認證服務器配置：

@Configuration
class OAuth2Config extends AuthorizationServerConfigurerAdapter{

    @Autowired
    private AuthenticationManager authenticationManager

    @Bean
    public TokenStore tokenStore() {
        return new InMemoryTokenStore();
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
            .withClient("themostuntrustedclientid")
            .secret("themostuntrustedclientsecret")
            .authorizedGrantTypes("implicit")
            .authorities("ROLE_USER")
            .scopes("read_users", "write_users")
            .accessTokenValiditySeconds(60)     
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.authenticationManager(this.authenticationManager);
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
        //security.checkTokenAccess('hasRole("ROLE_RESOURCE_PROVIDER")')
        security.checkTokenAccess('isAuthenticated()')
    }

}

@Configuration
@EnableWebSecurity
class SecurityConfig extends WebSecurityConfigurerAdapter{

    @Autowired
    public void configureGlobalSecurity(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication().withUser("jose").password("mypassword").roles('USER').and()
                                     .withUser("themostuntrustedclientid").password("themostuntrustedclientsecret").roles('USER')
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
        .csrf()
            //
            //XXX Si se usa implicit descomentar
            .ignoringAntMatchers("/oauth/authorize")
            .and()
        .authorizeRequests()
            .anyRequest().authenticated()
            .and()
        //.httpBasic()
        .formLogin()
            .loginPage("/login").permitAll()
    }

}

隱式客戶端配置：

@Configuration
class OAuth2Config {

    @Value('${oauth.authorize:http://localhost:8082/oauth/authorize}')
    private String authorizeUrl

    @Value('${oauth.token:http://localhost:8082/oauth/token}')
    private String tokenUrl

    @Autowired
    private OAuth2ClientContext oauth2Context

    @Bean
    OAuth2ProtectedResourceDetails resource() {
        ImplicitResourceDetails resource = new ImplicitResourceDetails()
        resource.setAuthenticationScheme(AuthenticationScheme.header)
        resource.setAccessTokenUri(authorizeUrl)
        resource.setUserAuthorizationUri(authorizeUrl);
        resource.setClientId("themostuntrustedclientid")
        resource.setClientSecret("themostuntrustedclientsecret")
        resource.setScope(['read_users', 'write_users'])
        resource
    }

    @Bean
    OAuth2RestTemplate restTemplate() {
        OAuth2RestTemplate restTemplate = new OAuth2RestTemplate(resource(), oauth2Context)
        //restTemplate.setAuthenticator(new ApiConnectOAuth2RequestAuthenticator())
        restTemplate
    }

@Configuration
class SecurityConfig extends WebSecurityConfigurerAdapter{

    @Autowired
    public void configureGlobalSecurity(AuthenticationManagerBuilder auth) throws Exception {
        auth.eraseCredentials(false)
            .inMemoryAuthentication().withUser("jose").password("mypassword").roles('USER')
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
        .csrf()
            .ignoringAntMatchers("/accessTokenExtractor")
        .and()
        .authorizeRequests()
        .anyRequest().hasRole('USER')
        .and()
        .formLogin()
            .loginPage("/login").permitAll()
    }

}

Answer 1

問題出在Auth服務器的SecurityConfig中。 隱式客戶端自動發送帶有client_id和client_secret的基本授權標頭。 我的身份驗證服務器配置為使用表單登錄而不是基本身份驗證。 我更改了它，現在它可以按預期工作：

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
    .csrf()
        //
        //XXX Si se usa implicit descomentar
        .ignoringAntMatchers("/oauth/authorize")
        .and()
    .authorizeRequests()
        .anyRequest().authenticated()
        .and()
    .httpBasic()