Cipher "clientSecret" params in OAuth2 JWT Token CAS Apereo version 6.1.7
I followed these instructions to encrypt the "clientSecret" parameter in the OAuth2 JWT token with CAS Apereo 6.1:
https://apereo.github.io/2019/11/04/cas62x-oauth-jwt-access-token/
Step 1: Encrypt the clientSecret with the CAS shell
root@ubuntu16:~/lam/cas-overlay-template# ./gradlew downloadShell runShell
root@ubuntu16:~/lam/cas-overlay-template# java -jar build/libs/cas-server-support-shell-6.1.7.jar
cas>encrypt-value value exampleOauthClientSecret alg PBEWithMD5AndTripleDES provider SunJCE password Vnpt@123 iterations 1000
==== Encrypted Value ====
{cas-cipher}La813rUHz0m2XM/DwqjvGtHPX+l8XtMzI80UGXH24uDMGXCqsAYFfg==
cas>decrypt-value value {cas-cipher}La813rUHz0m2XM/DwqjvGtHPX+l8XtMzI80UGXH24uDMGXCqsAYFfg== alg PBEWithMD5AndTripleDES provider SunJCE password Vnpt@123 iterations 1000
==== Decrypted Value ====
exampleOauthClientSecret
Step 2: I registered the service like this
root@ubuntu16:/etc/cas/services-repo# cat OAuthJWTService-3.json
{
"@class" : "org.apereo.cas.support.oauth.services.OAuthRegisteredService",
"clientId": "exampleOauthClient",
#"clientSecret": "exampleOauthClientSecret",
"clientSecret": "{cas-cipher}La813rUHz0m2XM/DwqjvGtHPX+l8XtMzI80UGXH24uDMGXCqsAYFfg==",
"serviceId" : "^https://cascore.vdc2.com.vn:9999/.*",
"name" : "OAuthJWTService",
"id" : 3,
"jwtAccessToken": true,
"attributeReleasePolicy" : {
"@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
"allowedAttributes" : [ "java.util.ArrayList", ["comdepartment","comid","lastname","usercode","userdate","useremail","userparentid","userstatus","usertel","usertype" ] ]
},
"properties" : {
"@class" : "java.util.HashMap",
"accessTokenAsJwtSigningKey" : {
"@class" : "org.apereo.cas.services.DefaultRegisteredServiceProperty",
"values" : [ "java.util.HashSet", [ "CoSfJ2WweU-cWcUYSjW2PWLVLd9hIVG0xxjFFUHSUbCjkkNiwPli_WlqF9V2MHJH3SGH_4DifSYxlgs98h4snA" ] ]
},
"accessTokenAsJwtEncryptionKey" : {
"@class" : "org.apereo.cas.services.DefaultRegisteredServiceProperty",
"values" : [ "java.util.HashSet", [ "_3gpqpSiIEjHT0xlscGvgDr0-iPIeeEeyecfFgbg_5E" ] ]
},
"accessTokenAsJwtSigningEnabled" : {
"@class" : "org.apereo.cas.services.DefaultRegisteredServiceProperty",
"values" : [ "java.util.HashSet", [ "true" ] ]
},
"accessTokenAsJwtEncryptionEnabled" : {
"@class" : "org.apereo.cas.services.DefaultRegisteredServiceProperty",
"values" : [ "java.util.HashSet", [ "true" ] ]
},
"accessTokenAsJwtCipherStrategyType" : {
"@class" : "org.apereo.cas.services.DefaultRegisteredServiceProperty",
"values" : [ "java.util.HashSet", [ "SIGN_AND_ENCRYPT" ] ]
}
}
}
Step 3: I configured CAS Apereo globally like this (my global configuration is stored in MongoDB)
{"_id":{"$oid":"5f058f62ee9a446824d4adf3"},"name":"org.apereo.cas.standalone.configurationSecurity.alg","value":"PBEWithMD5AndTripleDES"}
{"_id":{"$oid":"5f058f79ee9a446824d4adf4"},"name":"org.apereo.cas.standalone.configurationSecurity.provider","value":"SunJCE"}
{"_id":{"$oid":"5f058f8aee9a446824d4adf5"},"name":"org.apereo.cas.standalone.configurationSecurity.iterations","value":"1000"}
{"_id":{"$oid":"5f058f9dee9a446824d4adf6"},"name":"org.apereo.cas.standalone.configurationSecurity.psw","value":"Vnpt@123"}
Step 4: I rebuilt CAS
Step 5: I called the API to create a JWT token like this
curl https://cascore.vdc2.com.vn:8443/cas/oauth2.0/token?grant_type=password'&'client_id=exampleOauthClient'&'client_secret=exampleOauthClientSecret'&'username=abc'&'password=Vnpt@123 | jq
But it shows this problem:
{
"@class": "java.util.LinkedHashMap",
"timestamp": [
"java.util.Date",
1594370510760
],
"status": 401,
"error": "Unauthorized",
"message": "No message available",
"path": "/cas/oauth2.0/token"
}
Then I tried this:
curl https://cascore.vdc2.com.vn:8443/cas/oauth2.0/token?grant_type=password'&'client_id=exampleOauthClient'&'client_secret={cas-cipher}La813rUHz0m2XM/DwqjvGtHPX+l8XtMzI80UGXH24uDMGXCqsAYFfg=='&'username=abc'&'password=Vnpt@123 | jq
But it shows this error again:
{
"@class": "java.util.LinkedHashMap",
"timestamp": [
"java.util.Date",
1594370510760
],
"status": 401,
"error": "Unauthorized",
"message": "No message available",
"path": "/cas/oauth2.0/token"
}
Finally, I tried changing the parameter in the registration file from "clientSecret": "{cas-cipher}La813rUHz0m2XM/DwqjvGtHPX+l8XtMzI80UGXH24uDMGXCqsAYFfg==" to plain text, "clientSecret": "exampleOauthClientSecret", and it worked and gave me the JWT token.
Please help me.
Thanks
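An added audit script, not part of the question or of CAS, that checks a registered-service file like the one above for a plaintext clientSecret and for JWT signing/encryption flags enabled without a matching key. It assumes CAS accepts "#" line comments in these files (the question's file uses one) and embeds a constructed, trimmed copy of that file as sample input.

```python
import json

CIPHER_PREFIX = "{cas-cipher}"

# Constructed sample: the question's service file, trimmed to the fields the audit needs.
SAMPLE_SERVICE = '''{
  "@class" : "org.apereo.cas.support.oauth.services.OAuthRegisteredService",
  "clientId": "exampleOauthClient",
  #"clientSecret": "exampleOauthClientSecret",
  "clientSecret": "{cas-cipher}La813rUHz0m2XM/DwqjvGtHPX+l8XtMzI80UGXH24uDMGXCqsAYFfg==",
  "id" : 3,
  "jwtAccessToken": true,
  "properties" : {
    "@class" : "java.util.HashMap",
    "accessTokenAsJwtSigningEnabled" : {
      "@class" : "org.apereo.cas.services.DefaultRegisteredServiceProperty",
      "values" : [ "java.util.HashSet", [ "true" ] ]
    }
  }
}'''

def strip_hash_comments(text):
    """Assumption: CAS tolerates '#' line comments in service files (the question's
    file has one); json.loads does not, so whole-line comments are dropped first."""
    return "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))

def load_service(text):
    return json.loads(strip_hash_comments(text))

def property_value(service, key):
    """Unwrap the ["java.util.HashSet", [value]] wrapper CAS uses for properties."""
    entry = service.get("properties", {}).get(key)
    if not entry:
        return None
    values = entry.get("values", [None, []])[1]
    return values[0] if values else None

def audit_service(service):
    """Return human-readable findings for one registered OAuth service."""
    findings = []
    secret = service.get("clientSecret")
    if secret is None:
        findings.append("clientSecret missing")
    elif not secret.startswith(CIPHER_PREFIX):
        findings.append("clientSecret stored in plaintext")
    for flag, key in (("accessTokenAsJwtSigningEnabled", "accessTokenAsJwtSigningKey"),
                      ("accessTokenAsJwtEncryptionEnabled", "accessTokenAsJwtEncryptionKey")):
        if property_value(service, flag) == "true" and not property_value(service, key):
            findings.append(f"{flag} is true but {key} is missing")
    return findings
```

Run it over every file in the services repository before and after switching to the {cas-cipher} form, so that a service quietly reverted to a plaintext secret during troubleshooting is caught.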
I follow this instruction to cipher "clientSecret" params in OAuth2 JWT Token with CAS Apereo 6.1
If you read the blog post you shared at the link carefully, you will notice:
Our starting position is based on:
- CAS 6.2.x
That is probably why the instructions don't work for you.