访问令牌响应:tokenType 不能为空

Access Token Response: tokenType cannot be null

我正在升级我的服务并使用 oAuth2 实现 webclient,我遇到异常是"tokenType cannot be null"你能帮我解决这个问题吗?

异常: org.springframework.security.oauth2.core.OAuth2AuthorizationException: [invalid_token_response] 尝试检索 OAuth 2.0 访问令牌响应时出错:提取类型 [class [=16 的响应时出错=].oauth2.core.endpoint.OAuth2AccessTokenResponse] 和内容类型 [application/json];嵌套异常是 org.springframework.http.converter.HttpMessageNotReadableException:读取 OAuth 2.0 访问令牌响应时发生错误:tokenType 不能为空;嵌套异常是 java.lang.IllegalArgumentException:tokenType 不能为 null

最终解决了问题,客户端缺少令牌 json 响应中的一个字段,即 tokenType。实际上 tokenType 也应该包含在 token 响应中,在我的例子中 tokenType 是 bearer.

{ "access_token": "************", "token_type": "Bearer", "expires_in": 1800, "scope": "read" }

请看https://github.com/spring-projects/spring-security/issues/5983#issuecomment-430620308

这是众所周知的问题,因为规范要求令牌类型(在我们的例子中是 BEARER)在访问令牌访问 uri 时出现在对客户端的响应中,Spring 安全性 oauth 不影响在不存在此参数标记类型的情况下的默认设置,您可以在上面的 link 中解决。

OAuth 规范指出: https://www.rfc-editor.org/rfc/rfc6749#section-5.1

5.1. Successful Response

The authorization server issues an access token and optional refresh token, and constructs the response by adding the following parameters to the entity-body of the HTTP response with a 200 (OK) status code:

access_token REQUIRED. The access token issued by the authorization server.

token_type REQUIRED. The type of the token issued as described in Section 7.1. Value is case insensitive.

expires_in RECOMMENDED. The lifetime in seconds of the access token. For example, the value "3600" denotes that the access token will expire in one hour from the time the response was generated. If omitted, the authorization server SHOULD provide the expiration time via other means or document the default value.