Spring 安全 OAuth2 资源服务器总是返回无效令牌
Spring Security OAuth2 Resource Server Always Returning Invalid Token
我正在尝试使用 Spring 库获取基本的内存中 OAuth2 服务器 运行。我一直在关注 sparklr example.
我目前已经配置了服务器并且几乎一切正常,但是我无法从资源服务器访问我的受限资源。
我的测试流程:
访问oauth授权URI以启动OAuth2流程:http://localhost:8080/server/oauth/authorize?response_type=code&client_id=client
重定向到登录页面:http://localhost:8080/server/login
处理批准并重定向到我配置的带有代码参数的重定向页面:http://localhost:8080/client?code=HMJO4K
使用客户端 ID 和机密以及授权类型和代码,使用基本身份验证构造 GET 请求:http://localhost:8080/server/oauth/token?grant_type=authorization_code&code=HMJO4K
收到 access_token 并在 return
中刷新令牌对象
{
access_token: "f853bcc5-7801-42d3-9cb8-303fc67b0453"
token_type: "bearer"
refresh_token:“57100377-dea9-4df0-adab-62e33f2a1b49”
expires_in: 299
范围:"read write"
}
尝试使用 access_token 访问受限资源:http://localhost:8080/server/me?access_token=f853bcc5-7801-42d3-9cb8-303fc67b0453
收到无效的令牌回复
{
错误:"invalid_token"
error_description: "Invalid access token: f853bcc5-7801-42d3-9cb8-303fc67b0453"
}
POST token uri 再次刷新 token: http://localhost:8080/server/oauth/token?grant_type=refresh_token&refresh_token=57100377-dea9-4df0-adab-62e33f2a1b49
接收新令牌
{
access_token: "ed104994-899c-4cd9-8860-43d5689a9420"
token_type: "bearer"
refresh_token:“57100377-dea9-4df0-adab-62e33f2a1b49”
expires_in: 300
范围:"read write"
}
我真的不确定我做错了什么,但似乎除了访问受限 uri 之外的所有内容都在工作。这是我的配置:
@Configuration
public class Oauth2ServerConfiguration {
private static final String SERVER_RESOURCE_ID = "oauth2-server";
@Configuration
@EnableResourceServer
protected static class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {
@Override
public void configure(ResourceServerSecurityConfigurer resources) {
resources.resourceId(SERVER_RESOURCE_ID);
}
@Override
public void configure(HttpSecurity http) throws Exception {
http
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
.and().requestMatchers()
.antMatchers("/me")
.and().authorizeRequests()
.antMatchers("/me").access("#oauth2.clientHasRole('ROLE_CLIENT')")
;
}
}
@Configuration
@EnableAuthorizationServer
protected static class AuthotizationServerConfiguration extends AuthorizationServerConfigurerAdapter {
@Autowired
private ClientDetailsService clientDetailsService;
@Autowired
@Qualifier("authenticationManagerBean")
private AuthenticationManager authenticationManager;
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients.inMemory()
.withClient("client")
.resourceIds(SERVER_RESOURCE_ID)
.secret("secret")
.authorizedGrantTypes("authorization_code", "refresh_token")
.authorities("ROLE_CLIENT")
.scopes("read","write")
.redirectUris("http://localhost:8080/client")
.accessTokenValiditySeconds(300)
.autoApprove(true)
;
}
@Bean
public TokenStore tokenStore() {
return new InMemoryTokenStore();
}
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
endpoints
.tokenStore(tokenStore())
.userApprovalHandler(userApprovalHandler())
.authenticationManager(authenticationManager)
;
}
@Override
public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
oauthServer.realm("oauth");
}
@Bean
public ApprovalStore approvalStore() throws Exception {
TokenApprovalStore store = new TokenApprovalStore();
store.setTokenStore(tokenStore());
return store;
}
@Bean
public UserApprovalHandler userApprovalHandler() throws Exception {
TokenStoreUserApprovalHandler handler = new TokenStoreUserApprovalHandler();
handler.setRequestFactory(new DefaultOAuth2RequestFactory(clientDetailsService));
handler.setClientDetailsService(clientDetailsService);
handler.setTokenStore(tokenStore());
return handler;
}
}
}
我是不是遗漏了什么或者我的处理方式不正确?任何帮助将不胜感激。
您的第 6 步错误 - 不应在 URL 中发送访问令牌,因为这种方式很容易受到攻击。而不是 GET,使用 POST。
此外,我不明白您的第 1 步 - 为什么要调用 /oauth/authorize?当您尝试获取受保护的资源时,应该隐式完成。我的意思是,您的流程应该以:
Attempt to access a restricted resource using the access_token:
http://localhost:8080/server/me
然后协商将开始"behind the scenes":重定向到“/oauth/authorize”等
此外,在第 8 步中,请注意您不是在请求 "another access token",而是在请求 "refresh token"。好像您的访问令牌已过期。
注意:身份提供者和资源服务器应该共享tokenStore!阅读此处:Spring Security OAuth2 pure resource server
HTH
问题最终是资源服务器和授权服务器没有获得相同的令牌存储引用。不确定布线是如何工作不正常的,但是在配置 class 中使用固定对象就像一个魅力。最终,我将转向持久性支持的令牌存储,这可能不会有任何问题。
感谢@OhadR 的回答和帮助!
最终,我简化了配置,完成了相同的工作流程,并成功了
@Configuration
public class Oauth2ServerConfiguration {
private static final String SERVER_RESOURCE_ID = "oauth2-server";
private static InMemoryTokenStore tokenStore = new InMemoryTokenStore();
@Configuration
@EnableResourceServer
protected static class ResourceServer extends ResourceServerConfigurerAdapter {
@Override
public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
resources.tokenStore(tokenStore).resourceId(SERVER_RESOURCE_ID);
}
@Override
public void configure(HttpSecurity http) throws Exception {
http.requestMatchers().antMatchers("/me").and().authorizeRequests().antMatchers("/me").access("#oauth2.hasScope('read')");
}
}
@Configuration
@EnableAuthorizationServer
protected static class AuthConfig extends AuthorizationServerConfigurerAdapter {
@Autowired
private AuthenticationManager authenticationManager;
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
endpoints.authenticationManager(authenticationManager).tokenStore(tokenStore).approvalStoreDisabled();
}
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients.inMemory()
.withClient("client")
.authorizedGrantTypes("authorization_code","refresh_token")
.authorities("ROLE_CLIENT")
.scopes("read")
.resourceIds(SERVER_RESOURCE_ID)
.secret("secret")
;
}
}
}
任何偶然发现这个 post 的人,我建议更多地查看单元测试,而不是完整的 sparklr/tonr 示例,因为它有很多额外的配置,不一定是需要开始。
这对我有用:
@Configuration
public class Oauth2ServerConfiguration {
private static final String SERVER_RESOURCE_ID = "oauth2-server";
@Autowired
private TokenStore tokenStore;
@Bean
public TokenStore tokenStore() {
return new InMemoryTokenStore();
}
@Configuration
@EnableResourceServer
protected static class ResourceServer extends ResourceServerConfigurerAdapter {
@Override
public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
resources.tokenStore(tokenStore).resourceId(SERVER_RESOURCE_ID);
}
@Override
public void configure(HttpSecurity http) throws Exception {
// ... Not important at this stage
}
}
@Configuration
@EnableAuthorizationServer
protected static class AuthConfig extends AuthorizationServerConfigurerAdapter {
@Autowired
private AuthenticationManager authenticationManager;
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
endpoints.authenticationManager(authenticationManager).tokenStore(tokenStore).approvalStoreDisabled();
}
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
//... Not important at this stage
}
}
}
我正在尝试使用 Spring 库获取基本的内存中 OAuth2 服务器 运行。我一直在关注 sparklr example.
我目前已经配置了服务器并且几乎一切正常,但是我无法从资源服务器访问我的受限资源。
我的测试流程:
访问oauth授权URI以启动OAuth2流程:http://localhost:8080/server/oauth/authorize?response_type=code&client_id=client
重定向到登录页面:http://localhost:8080/server/login
处理批准并重定向到我配置的带有代码参数的重定向页面:http://localhost:8080/client?code=HMJO4K
使用客户端 ID 和机密以及授权类型和代码,使用基本身份验证构造 GET 请求:http://localhost:8080/server/oauth/token?grant_type=authorization_code&code=HMJO4K
收到 access_token 并在 return
中刷新令牌对象{ access_token: "f853bcc5-7801-42d3-9cb8-303fc67b0453" token_type: "bearer" refresh_token:“57100377-dea9-4df0-adab-62e33f2a1b49” expires_in: 299 范围:"read write" }
尝试使用 access_token 访问受限资源:http://localhost:8080/server/me?access_token=f853bcc5-7801-42d3-9cb8-303fc67b0453
收到无效的令牌回复
{ 错误:"invalid_token" error_description: "Invalid access token: f853bcc5-7801-42d3-9cb8-303fc67b0453" }
POST token uri 再次刷新 token: http://localhost:8080/server/oauth/token?grant_type=refresh_token&refresh_token=57100377-dea9-4df0-adab-62e33f2a1b49
接收新令牌
{ access_token: "ed104994-899c-4cd9-8860-43d5689a9420" token_type: "bearer" refresh_token:“57100377-dea9-4df0-adab-62e33f2a1b49” expires_in: 300 范围:"read write" }
我真的不确定我做错了什么,但似乎除了访问受限 uri 之外的所有内容都在工作。这是我的配置:
@Configuration
public class Oauth2ServerConfiguration {
private static final String SERVER_RESOURCE_ID = "oauth2-server";
@Configuration
@EnableResourceServer
protected static class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {
@Override
public void configure(ResourceServerSecurityConfigurer resources) {
resources.resourceId(SERVER_RESOURCE_ID);
}
@Override
public void configure(HttpSecurity http) throws Exception {
http
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
.and().requestMatchers()
.antMatchers("/me")
.and().authorizeRequests()
.antMatchers("/me").access("#oauth2.clientHasRole('ROLE_CLIENT')")
;
}
}
@Configuration
@EnableAuthorizationServer
protected static class AuthotizationServerConfiguration extends AuthorizationServerConfigurerAdapter {
@Autowired
private ClientDetailsService clientDetailsService;
@Autowired
@Qualifier("authenticationManagerBean")
private AuthenticationManager authenticationManager;
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients.inMemory()
.withClient("client")
.resourceIds(SERVER_RESOURCE_ID)
.secret("secret")
.authorizedGrantTypes("authorization_code", "refresh_token")
.authorities("ROLE_CLIENT")
.scopes("read","write")
.redirectUris("http://localhost:8080/client")
.accessTokenValiditySeconds(300)
.autoApprove(true)
;
}
@Bean
public TokenStore tokenStore() {
return new InMemoryTokenStore();
}
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
endpoints
.tokenStore(tokenStore())
.userApprovalHandler(userApprovalHandler())
.authenticationManager(authenticationManager)
;
}
@Override
public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
oauthServer.realm("oauth");
}
@Bean
public ApprovalStore approvalStore() throws Exception {
TokenApprovalStore store = new TokenApprovalStore();
store.setTokenStore(tokenStore());
return store;
}
@Bean
public UserApprovalHandler userApprovalHandler() throws Exception {
TokenStoreUserApprovalHandler handler = new TokenStoreUserApprovalHandler();
handler.setRequestFactory(new DefaultOAuth2RequestFactory(clientDetailsService));
handler.setClientDetailsService(clientDetailsService);
handler.setTokenStore(tokenStore());
return handler;
}
}
}
我是不是遗漏了什么或者我的处理方式不正确?任何帮助将不胜感激。
您的第 6 步错误 - 不应在 URL 中发送访问令牌,因为这种方式很容易受到攻击。而不是 GET,使用 POST。
此外,我不明白您的第 1 步 - 为什么要调用 /oauth/authorize?当您尝试获取受保护的资源时,应该隐式完成。我的意思是,您的流程应该以:
Attempt to access a restricted resource using the access_token: http://localhost:8080/server/me
然后协商将开始"behind the scenes":重定向到“/oauth/authorize”等
此外,在第 8 步中,请注意您不是在请求 "another access token",而是在请求 "refresh token"。好像您的访问令牌已过期。
注意:身份提供者和资源服务器应该共享tokenStore!阅读此处:Spring Security OAuth2 pure resource server
HTH
问题最终是资源服务器和授权服务器没有获得相同的令牌存储引用。不确定布线是如何工作不正常的,但是在配置 class 中使用固定对象就像一个魅力。最终,我将转向持久性支持的令牌存储,这可能不会有任何问题。
感谢@OhadR 的回答和帮助!
最终,我简化了配置,完成了相同的工作流程,并成功了
@Configuration
public class Oauth2ServerConfiguration {
private static final String SERVER_RESOURCE_ID = "oauth2-server";
private static InMemoryTokenStore tokenStore = new InMemoryTokenStore();
@Configuration
@EnableResourceServer
protected static class ResourceServer extends ResourceServerConfigurerAdapter {
@Override
public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
resources.tokenStore(tokenStore).resourceId(SERVER_RESOURCE_ID);
}
@Override
public void configure(HttpSecurity http) throws Exception {
http.requestMatchers().antMatchers("/me").and().authorizeRequests().antMatchers("/me").access("#oauth2.hasScope('read')");
}
}
@Configuration
@EnableAuthorizationServer
protected static class AuthConfig extends AuthorizationServerConfigurerAdapter {
@Autowired
private AuthenticationManager authenticationManager;
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
endpoints.authenticationManager(authenticationManager).tokenStore(tokenStore).approvalStoreDisabled();
}
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients.inMemory()
.withClient("client")
.authorizedGrantTypes("authorization_code","refresh_token")
.authorities("ROLE_CLIENT")
.scopes("read")
.resourceIds(SERVER_RESOURCE_ID)
.secret("secret")
;
}
}
}
任何偶然发现这个 post 的人,我建议更多地查看单元测试,而不是完整的 sparklr/tonr 示例,因为它有很多额外的配置,不一定是需要开始。
这对我有用:
@Configuration
public class Oauth2ServerConfiguration {
private static final String SERVER_RESOURCE_ID = "oauth2-server";
@Autowired
private TokenStore tokenStore;
@Bean
public TokenStore tokenStore() {
return new InMemoryTokenStore();
}
@Configuration
@EnableResourceServer
protected static class ResourceServer extends ResourceServerConfigurerAdapter {
@Override
public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
resources.tokenStore(tokenStore).resourceId(SERVER_RESOURCE_ID);
}
@Override
public void configure(HttpSecurity http) throws Exception {
// ... Not important at this stage
}
}
@Configuration
@EnableAuthorizationServer
protected static class AuthConfig extends AuthorizationServerConfigurerAdapter {
@Autowired
private AuthenticationManager authenticationManager;
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
endpoints.authenticationManager(authenticationManager).tokenStore(tokenStore).approvalStoreDisabled();
}
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
//... Not important at this stage
}
}
}