Spring OAuth2 隐式流程 - 验证服务器未处理 POST /oauth/authorize 请求
Spring OAuth2 Implicit Flow - Auth server not processing the POST /oauth/authorize request
我有一个授权服务器(http://localhost:8082), resource server and implicit client (http://localhost:8080) project. The problem is that when the client asks for the authorization (token), the auth server shows the login screen but after the successful login it redirects to GET http://localhost:8082/ instead of to http://localhost:8082/authorize?client_id=...(根据客户要求)
我正在查看此日志:
隐式客户端:
.s.o.c.t.g.i.ImplicitAccessTokenProvider : Retrieving token from http://localhost:8082/oauth/authorize
o.s.web.client.RestTemplate : Created POST request for "http://localhost:8082/oauth/authorize"
.s.o.c.t.g.i.ImplicitAccessTokenProvider : Encoding and sending form: {response_type=[token], client_id=[themostuntrustedclientid], scope=[read_users write_users], redirect_uri=[http://localhost:8080/api/accessTokenExtractor]}
o.s.web.client.RestTemplate : POST request for "http://localhost:8082/oauth/authorize" resulted in 302 (null)
o.s.s.web.DefaultRedirectStrategy : Redirecting to 'http://localhost:8082/login?client_id=themostuntrustedclientid&response_type=token&redirect_uri=http://localhost:8080/api/accessTokenExtractor'
授权服务器:
o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'POST /oauth/authorize' doesn't match 'GET /**
o.s.s.w.util.matcher.AndRequestMatcher : Did not match
o.s.s.w.s.HttpSessionRequestCache : Request not saved as configured RequestMatcher did not match
o.s.s.w.a.ExceptionTranslationFilter : Calling Authentication entry point.
o.s.s.web.DefaultRedirectStrategy : Redirecting to 'http://localhost:8082/login'
隐式客户端正在 POSTing /oauth/authorize,而不是获取它,并且 authserver 不存储 POST 请求。身份验证服务器 returns 重定向 302,隐式客户端将浏览器重定向到此 url:http://localhost:8082/login?client_id=themostuntrustedclientid&response_type=token&redirect_uri=http://localhost:8080/api/accessTokenExtractor
成功登录后,身份验证服务器没有目标 url,因此它显示 http://localhost:8082/,因此它不处理任何 /oauth/authorize 请求...问题出在哪里?
授权服务器配置:
@Configuration
class OAuth2Config extends AuthorizationServerConfigurerAdapter{
@Autowired
private AuthenticationManager authenticationManager
@Bean
public TokenStore tokenStore() {
return new InMemoryTokenStore();
}
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients.inMemory()
.withClient("themostuntrustedclientid")
.secret("themostuntrustedclientsecret")
.authorizedGrantTypes("implicit")
.authorities("ROLE_USER")
.scopes("read_users", "write_users")
.accessTokenValiditySeconds(60)
}
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
endpoints.authenticationManager(this.authenticationManager);
}
@Override
public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
//security.checkTokenAccess('hasRole("ROLE_RESOURCE_PROVIDER")')
security.checkTokenAccess('isAuthenticated()')
}
}
@Configuration
@EnableWebSecurity
class SecurityConfig extends WebSecurityConfigurerAdapter{
@Autowired
public void configureGlobalSecurity(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication().withUser("jose").password("mypassword").roles('USER').and()
.withUser("themostuntrustedclientid").password("themostuntrustedclientsecret").roles('USER')
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf()
//
//XXX Si se usa implicit descomentar
.ignoringAntMatchers("/oauth/authorize")
.and()
.authorizeRequests()
.anyRequest().authenticated()
.and()
//.httpBasic()
.formLogin()
.loginPage("/login").permitAll()
}
}
隐式客户端配置:
@Configuration
class OAuth2Config {
@Value('${oauth.authorize:http://localhost:8082/oauth/authorize}')
private String authorizeUrl
@Value('${oauth.token:http://localhost:8082/oauth/token}')
private String tokenUrl
@Autowired
private OAuth2ClientContext oauth2Context
@Bean
OAuth2ProtectedResourceDetails resource() {
ImplicitResourceDetails resource = new ImplicitResourceDetails()
resource.setAuthenticationScheme(AuthenticationScheme.header)
resource.setAccessTokenUri(authorizeUrl)
resource.setUserAuthorizationUri(authorizeUrl);
resource.setClientId("themostuntrustedclientid")
resource.setClientSecret("themostuntrustedclientsecret")
resource.setScope(['read_users', 'write_users'])
resource
}
@Bean
OAuth2RestTemplate restTemplate() {
OAuth2RestTemplate restTemplate = new OAuth2RestTemplate(resource(), oauth2Context)
//restTemplate.setAuthenticator(new ApiConnectOAuth2RequestAuthenticator())
restTemplate
}
@Configuration
class SecurityConfig extends WebSecurityConfigurerAdapter{
@Autowired
public void configureGlobalSecurity(AuthenticationManagerBuilder auth) throws Exception {
auth.eraseCredentials(false)
.inMemoryAuthentication().withUser("jose").password("mypassword").roles('USER')
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf()
.ignoringAntMatchers("/accessTokenExtractor")
.and()
.authorizeRequests()
.anyRequest().hasRole('USER')
.and()
.formLogin()
.loginPage("/login").permitAll()
}
}
问题出在Auth服务器的SecurityConfig中。隐式客户端自动发送带有 client_id 和 client_secret 的基本授权 header。我的 Auth 服务器被配置为使用表单登录而不是基本身份验证。我更改了它,现在它按预期工作了:
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf()
//
//XXX Si se usa implicit descomentar
.ignoringAntMatchers("/oauth/authorize")
.and()
.authorizeRequests()
.anyRequest().authenticated()
.and()
.httpBasic()
我有一个授权服务器(http://localhost:8082), resource server and implicit client (http://localhost:8080) project. The problem is that when the client asks for the authorization (token), the auth server shows the login screen but after the successful login it redirects to GET http://localhost:8082/ instead of to http://localhost:8082/authorize?client_id=...(根据客户要求)
我正在查看此日志:
隐式客户端:
.s.o.c.t.g.i.ImplicitAccessTokenProvider : Retrieving token from http://localhost:8082/oauth/authorize
o.s.web.client.RestTemplate : Created POST request for "http://localhost:8082/oauth/authorize"
.s.o.c.t.g.i.ImplicitAccessTokenProvider : Encoding and sending form: {response_type=[token], client_id=[themostuntrustedclientid], scope=[read_users write_users], redirect_uri=[http://localhost:8080/api/accessTokenExtractor]}
o.s.web.client.RestTemplate : POST request for "http://localhost:8082/oauth/authorize" resulted in 302 (null)
o.s.s.web.DefaultRedirectStrategy : Redirecting to 'http://localhost:8082/login?client_id=themostuntrustedclientid&response_type=token&redirect_uri=http://localhost:8080/api/accessTokenExtractor'
授权服务器:
o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'POST /oauth/authorize' doesn't match 'GET /**
o.s.s.w.util.matcher.AndRequestMatcher : Did not match
o.s.s.w.s.HttpSessionRequestCache : Request not saved as configured RequestMatcher did not match
o.s.s.w.a.ExceptionTranslationFilter : Calling Authentication entry point.
o.s.s.web.DefaultRedirectStrategy : Redirecting to 'http://localhost:8082/login'
隐式客户端正在 POSTing /oauth/authorize,而不是获取它,并且 authserver 不存储 POST 请求。身份验证服务器 returns 重定向 302,隐式客户端将浏览器重定向到此 url:http://localhost:8082/login?client_id=themostuntrustedclientid&response_type=token&redirect_uri=http://localhost:8080/api/accessTokenExtractor
成功登录后,身份验证服务器没有目标 url,因此它显示 http://localhost:8082/,因此它不处理任何 /oauth/authorize 请求...问题出在哪里?
授权服务器配置:
@Configuration
class OAuth2Config extends AuthorizationServerConfigurerAdapter{
@Autowired
private AuthenticationManager authenticationManager
@Bean
public TokenStore tokenStore() {
return new InMemoryTokenStore();
}
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients.inMemory()
.withClient("themostuntrustedclientid")
.secret("themostuntrustedclientsecret")
.authorizedGrantTypes("implicit")
.authorities("ROLE_USER")
.scopes("read_users", "write_users")
.accessTokenValiditySeconds(60)
}
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
endpoints.authenticationManager(this.authenticationManager);
}
@Override
public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
//security.checkTokenAccess('hasRole("ROLE_RESOURCE_PROVIDER")')
security.checkTokenAccess('isAuthenticated()')
}
}
@Configuration
@EnableWebSecurity
class SecurityConfig extends WebSecurityConfigurerAdapter{
@Autowired
public void configureGlobalSecurity(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication().withUser("jose").password("mypassword").roles('USER').and()
.withUser("themostuntrustedclientid").password("themostuntrustedclientsecret").roles('USER')
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf()
//
//XXX Si se usa implicit descomentar
.ignoringAntMatchers("/oauth/authorize")
.and()
.authorizeRequests()
.anyRequest().authenticated()
.and()
//.httpBasic()
.formLogin()
.loginPage("/login").permitAll()
}
}
隐式客户端配置:
@Configuration
class OAuth2Config {
@Value('${oauth.authorize:http://localhost:8082/oauth/authorize}')
private String authorizeUrl
@Value('${oauth.token:http://localhost:8082/oauth/token}')
private String tokenUrl
@Autowired
private OAuth2ClientContext oauth2Context
@Bean
OAuth2ProtectedResourceDetails resource() {
ImplicitResourceDetails resource = new ImplicitResourceDetails()
resource.setAuthenticationScheme(AuthenticationScheme.header)
resource.setAccessTokenUri(authorizeUrl)
resource.setUserAuthorizationUri(authorizeUrl);
resource.setClientId("themostuntrustedclientid")
resource.setClientSecret("themostuntrustedclientsecret")
resource.setScope(['read_users', 'write_users'])
resource
}
@Bean
OAuth2RestTemplate restTemplate() {
OAuth2RestTemplate restTemplate = new OAuth2RestTemplate(resource(), oauth2Context)
//restTemplate.setAuthenticator(new ApiConnectOAuth2RequestAuthenticator())
restTemplate
}
@Configuration
class SecurityConfig extends WebSecurityConfigurerAdapter{
@Autowired
public void configureGlobalSecurity(AuthenticationManagerBuilder auth) throws Exception {
auth.eraseCredentials(false)
.inMemoryAuthentication().withUser("jose").password("mypassword").roles('USER')
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf()
.ignoringAntMatchers("/accessTokenExtractor")
.and()
.authorizeRequests()
.anyRequest().hasRole('USER')
.and()
.formLogin()
.loginPage("/login").permitAll()
}
}
问题出在Auth服务器的SecurityConfig中。隐式客户端自动发送带有 client_id 和 client_secret 的基本授权 header。我的 Auth 服务器被配置为使用表单登录而不是基本身份验证。我更改了它,现在它按预期工作了:
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf()
//
//XXX Si se usa implicit descomentar
.ignoringAntMatchers("/oauth/authorize")
.and()
.authorizeRequests()
.anyRequest().authenticated()
.and()
.httpBasic()