Spring Boot 2 + OAuth2: Configure Exchange of Auth Code for Token
I followed this Spring Boot OAuth2 tutorial on configuring an OAuth2 client. Unfortunately, once the "user" has authenticated through the IdP (Okta), a redirect carrying the "code" happens, and this leads to a redirect loop: /login -> /authorize... -> /login... -> /login
Firefox has detected that the server is redirecting the request for this address in a way that will never complete.
Does anyone know what the problem is, or might be, and how to fix it? Details below.
Okta configuration:
    Login redirect URIs: http://localhost:8080/auth/login
    Logout redirect URIs: http://localhost:8080/auth/logout
    Login initiated by: App only
    Initiate login URI: http://localhost:8080/auth/login
The configuration properties are:
    okta:
      oauth2:
        client:
          client-id: clientId
          client-secret: clientSecret
          scope: openid profile email
          client-authentication-scheme: form
          access-token-uri: https://mydomain.oktapreview.com/oauth2/myapp/v1/token
          user-authorization-uri: https://mydomain.oktapreview.com/oauth2/myapp/v1/authorize
        resource:
          user-info-uri: https://mydomain.oktapreview.com/oauth2/myapp/v1/userinfo
The filter is:
    private Filter filter() {
        // Handles the redirect back from Okta at /login and exchanges the code for a token
        OAuth2ClientAuthenticationProcessingFilter filter =
                new OAuth2ClientAuthenticationProcessingFilter("/login");
        OAuth2RestTemplate restTemplate = new OAuth2RestTemplate(oktaClient(), oauth2ClientContext);
        filter.setRestTemplate(restTemplate);
        // Resolves the authenticated principal from the user-info endpoint
        UserInfoTokenServices tokenServices = new UserInfoTokenServices(
                oktaResource().getUserInfoUri(), oktaClient().getClientId());
        tokenServices.setRestTemplate(restTemplate);
        filter.setTokenServices(tokenServices);
        return filter;
    }
The WebSecurityConfigurerAdapter configuration is:
    @Configuration
    @EnableOAuth2Client
    public class WebSecConfig extends WebSecurityConfigurerAdapter {
        ....
        @Override
        public void configure(HttpSecurity http) throws Exception {
            http.antMatcher("/**").authorizeRequests()
                .antMatchers("/", "/login**", "/logout**", "/v2/api-docs", "/configuration/ui",
                        "/configuration/security", "/swagger-resources/**", "/swagger-ui.html", "/webjars/**")
                .permitAll()
                .anyRequest().authenticated().and().exceptionHandling()
                .authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/login")).and().csrf()
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()).and()
                .addFilterBefore(filter(), BasicAuthenticationFilter.class);
        }
        ....
    }
Update:
The solution was to change LoginUrlAuthenticationEntryPoint("/login") to LoginUrlAuthenticationEntryPoint("/") and to recreate the authorization server.
You should use the default authorization server, or the one you created. If you use the default, it should look like:
https://mydomain.oktapreview.com/oauth2/default
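The loop from the question and the two fixes (entry point moved off /login; an authorization server the code exchange actually succeeds against), replayed offline so the chain can be traced and the loop recognised even though Okta issues a fresh code and state on every pass. This is an added diagnostic example, not code from the question or from Spring; APP, OKTA, make_app and the modelled responses are assumptions that stand in for the real app.

```python
from itertools import count
from urllib.parse import parse_qsl, urlsplit

APP = "http://localhost:8080/auth"                         # context path from the Okta redirect URI
OKTA = "https://mydomain.oktapreview.com/oauth2/myapp/v1"  # authorization server from the question


def endpoint_key(url):
    """Endpoint identity: scheme, host, path and the *names* of the query parameters.
    Values are ignored because Okta mints a fresh `state` and `code` on every pass;
    the names still tell /login apart from /login?code=..., which both occur in a good login."""
    p = urlsplit(url)
    return p.scheme, p.netloc, p.path, tuple(sorted(k for k, _ in parse_qsl(p.query)))


def trace_redirects(fetch, start_url, max_hops=10):
    """Follow Location headers with fetch(url) -> (status, headers). Returns (chain, looped):
    the URLs visited, and whether an endpoint recurred (or max_hops ran out) before a non-3xx reply."""
    chain, seen, url = [], set(), start_url
    for _ in range(max_hops):
        chain.append(url)
        key = endpoint_key(url)
        if key in seen:
            return chain, True
        seen.add(key)
        status, headers = fetch(url)
        if status // 100 != 3:
            return chain, False
        url = headers["Location"]
    return chain, True


def make_app(entry_point, exchange_ok):
    """Constructed stand-in (not Spring code) for the app in the question.
    entry_point: the LoginUrlAuthenticationEntryPoint target ("/login" as posted, "/" after the fix).
    exchange_ok: whether the filter can turn ?code= into a token (False models the broken server)."""
    ids, session = count(1), {"authed": False}

    def fetch(url):
        p, q = urlsplit(url), dict(parse_qsl(urlsplit(url).query))
        if p.netloc.startswith("mydomain"):              # Okta /authorize: send a code back
            return 302, {"Location": f"{APP}/login?code=c{next(ids)}&state={q['state']}"}
        if p.path == "/auth/login":                       # OAuth2ClientAuthenticationProcessingFilter
            if "code" not in q:                           # no code yet: start an authorization request
                return 302, {"Location": f"{OKTA}/authorize?response_type=code&state=s{next(ids)}"}
            if exchange_ok:                               # code exchanged: session is authenticated
                session["authed"] = True
                return 302, {"Location": f"{APP}/"}
            return 302, {"Location": APP + entry_point}   # exchange failed: back to the entry point
        if p.path == "/auth/" or session["authed"]:       # permitAll home page, or logged in
            return 200, {}
        return 302, {"Location": APP + entry_point}       # protected page, anonymous: entry point

    return fetch
```

With the posted configuration the trace from any protected page ends in a detected loop after /auth/login recurs; with the entry point at "/" the same failed exchange lands on the home page instead, and with a working authorization server the chain ends authenticated.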