Spring 引导,authorization_code,IdentityServer4 code_verifier

Spring Boot, authorization_code, IdentityServer4 code_verifier

我在 spring 引导项目中集成了 IdentityServer4。

我想知道如何添加code_verifier来调用IdentityServer的“/connect/token”?

我在重定向网址中收到如下代码,

第一次重定向: https://idsrv4test.com/connect/authorize?response_type=code&client_id=client_id&scope=id_number%20openid%20email%20roles%20profile&state=SDGHMnvw0UJZyylFr752jBAWS2ahGIwBiavF0YsRtoI%3D&redirect_uri=https://127.0.0.1:9443/signin-oidc&code_challenge_method=S256&nonce=_8fJthx0jlqX_2tJKSkwvs_r4RfxIjU4NokGGpSZIF0&code_challenge=

第二次重定向 https://127.0.0.1:9443/signin-oidc?code=returned_code&scope=id_number%20openid%20email%20roles%20profile&state=9KxStmaCkre_-cCqofOSfRO0eWahh-3e19upwYH1rJ8%3D&session_state=Sm-Zq8GcrX43Rc1Ve5elO7ua90aIyXTkJB6lT4tQRhY.ImGYr6V2186LxSMZdLcngg

我在我的项目中构建了一个 resttemplate 以根据

调用“/connect/token”

POST /connect/token 内容类型 application/x-www-form-urlencoded

client_id=client_id&
client_secret=secret&
grant_type=authorization_code&
code=returned_code&
redirect_uri=https://127.0.0.1:9443/signin-oidc
code_verifier=<this_encrypted_text>

在我设置的requestBody中code_verifier= 但我得到“invalid_grant”。这意味着根据规范文档 https://datatracker.ietf.org/doc/html/rfc7636#page-10 code_verifier == code_challenge。是flase

供您参考 SecurityConfig class 就是这样

@EnableWebSecurity
public class ConfigSecurity extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {


        PortMapperImpl portMapper = new PortMapperImpl();
        portMapper.setPortMappings(Collections.singletonMap("9443","9443"));
        PortResolverImpl portResolver = new PortResolverImpl();
        portResolver.setPortMapper(portMapper);
        LoginUrlAuthenticationEntryPoint entryPoint = new LoginUrlAuthenticationEntryPoint(
                "/login");
        entryPoint.setPortMapper(portMapper);
        entryPoint.setPortResolver(portResolver);
        http.exceptionHandling()
                .authenticationEntryPoint(entryPoint)
                .and()
                .authorizeRequests()
                .antMatchers("/login","/css/*", "/images/*","/signin-oidc","/test")
                .permitAll()
                .anyRequest()
                .authenticated()
                .and()
                .oauth2Login()
                .loginPage("/login")
                .and()
                .logout().logoutUrl("/logout")
                .logoutSuccessHandler(oidcLogoutSuccessHandler());


    }

    @Autowired
    private ClientRegistrationRepository clientRegistrationRepository;

    private LogoutSuccessHandler oidcLogoutSuccessHandler() {

        OidcClientInitiatedLogoutSuccessHandler oidcLogoutSuccessHandler =
                new OidcClientInitiatedLogoutSuccessHandler(
                        this.clientRegistrationRepository);

        oidcLogoutSuccessHandler.setPostLogoutRedirectUri(
                URI.create("http://localhost:9443"));

        return oidcLogoutSuccessHandler;
    }
}

而我的application.yml如下,

server:
  port: 9443
  ssl:
    key-store: classpath:asif1.jks
    key-store-password: xxxxx
    key-store-type: pkcs12
    key-store-alias: server
spring:
  security:
    oauth2:
      client:
        registration:
          idsrv4:
            client-name: client_name_test
            client-id: client_id_test
            client-secret: Marines
            client-authentication-method: none
            authorization-grant-type: authorization_code
            redirect-uri: "https://127.0.0.1:9443/signin-oidc"

            scope: "id_number,openid,email,roles,profile"


        provider:
          idsrv4:
            authorization-uri: https://idsrv4test.com/connect/authorize
            issuer-uri: https://idsrv4test.com
            token-uri: https://idsrv4test.com/connect/token
            user-info-uri: https://idsrv4test.com/connect/userinfo
            user-name-attribute: sub
            jwk-set-uri: https://idsrv4test.com/.well-known/openid-configuration/jwks

有什么帮助吗?

我终于解决了这个问题。但仍然对方法论不满意。然而,它工作得很好。我对 OAuth2AuthorizationRequestResolver 的期望是,获取 jwt 令牌的请求是在内部创建的,我应该不知道生成为 code_challenge(以实现 PKCE)的随机字符串。

如果有人有一个通过提供所需的 confs 进行身份验证和获取令牌的工作示例,而无需我实施和覆盖 OAuth2AuthorizationRequestResolver,我仍然请求分享。 所以,我来了

要实现 OAuth2AuthorizationRequestResolver,请遵循 https://developer.okta.com/blog/2020/01/23/pkce-oauth2-spring-boot

然后在方法 addPkceParameters

     String codeVerifier = this.secureKeyGenerator.generateKey();
    attributes.put(PkceParameterNames.CODE_VERIFIER, codeVerifier);

codeVerifier 是我们需要与 /connect/token

请求一起发送的字符串

现在,如何在控制器中获取这个随机生成的字符串来发送请求完全取决于您。

我已经硬编码了 ;-) 暂时。但是我知道这并不能达到PKCE的目的。

此外,在您的 class 扩展 WebSecurityConfigurerAdapter 中,configure(HttpSecurity http) 方法必须包含“/oauth2/authorization”作为基础 url

像这样

http.exceptionHandling()
                .authenticationEntryPoint(entryPoint)
                .and()
                .authorizeRequests()
                .antMatchers("/login","/css/*", "/static/**", "/images/*","/test","/signin-oidc","/logoutSession")
                .permitAll()
                .anyRequest()
                .authenticated()
                .and()
                .oauth2Login()
                .authorizationEndpoint()
                .authorizationRequestResolver(new CustomAuthorizationRequestResolver(
                        clientRegistrationRepository, "/oauth2/authorization"
                ))
                .and()
                .loginPage("/login").and().logout().logoutUrl("/logout")
                .logoutSuccessHandler(oidcLogoutSuccessHandler());