@EnableOAuth2Sso does not check if token has expired
I implemented a gateway as an OAuth2 client in front of my resource services and UI. Everything works fine, except that when the token expires I receive
<oauth>
<error_description>bfc5a9f6-0537-4ab9-91c1-e756501b429d</error_description>
<error>invalid_token</error>
</oauth>
Checking the logs, I found that the Gateway considers the user authenticated because the session already exists:
2017-06-21 09:17:34.311 DEBUG 32482 --- [nio-8080-exec-6] o.s.s.w.a.i.FilterSecurityInterceptor : Previously Authenticated: org.springframework.security.oauth2.provider.OAuth2Authentication@a80f4caf: Principal: user; Credentials: [PROTECTED]; Authenticated: true; Details: remoteAddress=0:0:0:0:0:0:0:1, sessionId=<SESSION>, tokenType=bearertokenValue=<TOKEN>; Granted Authorities: ROLE_ACTUATOR, ROLE_USER
2017-06-21 09:17:34.311 DEBUG 32482 --- [nio-8080-exec-6] o.s.s.access.vote.AffirmativeBased : Voter: org.springframework.security.web.access.expression.WebExpressionVoter@1aaae9c5, returned: 1
while my resource service or UI does not:
2017-06-21 09:17:34.532 WARN 32484 --- [nio-9001-exec-1] o.s.b.a.s.o.r.UserInfoTokenServices : Could not fetch user details: class org.springframework.security.oauth2.client.resource.UserRedirectRequiredException, A redirect is required to get the users approval
Gateway configuration:
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.cloud.client.discovery.EnableDiscoveryClient;
import org.springframework.cloud.netflix.zuul.EnableZuulProxy;

@SpringBootApplication
@EnableDiscoveryClient
@EnableZuulProxy
public class GatewayApplication {
    public static void main(String[] args) {
        SpringApplication.run(GatewayApplication.class, args);
    }
}
import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableOAuth2Sso
public class WebSecurityConfigurer extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf()
                .disable()
            .authorizeRequests()
                .anyRequest().authenticated();
    }
}
security:
  oauth2:
    client:
      accessTokenUri: http://localhost:9191/uaa/oauth/token
      userAuthorizationUri: http://localhost:9191/uaa/oauth/authorize
      clientId: acme
      clientSecret: acmesecret
    resource:
      user-info-uri: http://localhost:9191/uaa/user
      prefer-token-info: false
zuul:
  ignored-services: '*'
  routes:
    authserver: /uaa/**
    resource-service: /resource/**
    ui:
      path: /ui/**
      strip-prefix: false
UI configuration (the same as any resource server):
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.cloud.client.discovery.EnableDiscoveryClient;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;

@SpringBootApplication
@EnableDiscoveryClient
@EnableResourceServer
public class UiApplication {
    public static void main(String[] args) {
        SpringApplication.run(UiApplication.class, args);
    }
}
security:
  oauth2:
    resource:
      user-info-uri: http://localhost:9191/uaa/user
server:
  port: 9001
  context-path: /${spring.application.name}
What I expected, and tried to achieve, is that the gateway checks whether the token is still valid and, if it is not, either redirects the user to the login page or renews the token using the refresh token?
After talking with @dave-syer on gitter, he told me that we need to declare an OAuth2RestOperations inside the gateway, because it is not created by default in spring-boot and it is required by OAuth2TokenRelayFilter to request the refresh token. So just adding the following solves everything:
import org.springframework.context.annotation.Bean;
import org.springframework.security.oauth2.client.OAuth2ClientContext;
import org.springframework.security.oauth2.client.OAuth2RestOperations;
import org.springframework.security.oauth2.client.OAuth2RestTemplate;
import org.springframework.security.oauth2.client.resource.OAuth2ProtectedResourceDetails;
// Declared in the gateway's configuration so that OAuth2TokenRelayFilter has a template it can use to refresh an expired token
@Bean
public OAuth2RestOperations oAuth2RestOperations(OAuth2ClientContext oauth2ClientContext, OAuth2ProtectedResourceDetails details) {
    return new OAuth2RestTemplate(details, oauth2ClientContext);
}
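An added example, not code from the question or the answer above and not part of Spring itself: a gateway security configuration for the Spring Boot 1.5 / spring-security-oauth2 stack the question uses. It declares the OAuth2RestOperations bean the answer describes, which is what lets OAuth2TokenRelayFilter refresh an expired access token, and it adds the check the question was missing: when the session still holds an access token that has expired and carries no refresh token, the filter drops the session so the request falls through to the SSO login instead of relaying a dead token to the resource servers. The package and class names (com.example.gateway, GatewaySecurityConfig, ExpiredTokenSessionFilter) are assumptions.

```java
package com.example.gateway; // assumed package name, not from the original post

import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.client.OAuth2ClientContext;
import org.springframework.security.oauth2.client.OAuth2RestOperations;
import org.springframework.security.oauth2.client.OAuth2RestTemplate;
import org.springframework.security.oauth2.client.resource.OAuth2ProtectedResourceDetails;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
import org.springframework.web.filter.OncePerRequestFilter;

@Configuration
@EnableOAuth2Sso
public class GatewaySecurityConfig extends WebSecurityConfigurerAdapter {

    // Session-scoped proxy registered by @EnableOAuth2Sso; it holds the current user's access token.
    @Autowired
    private OAuth2ClientContext oauth2ClientContext;

    // Without this bean OAuth2TokenRelayFilter has nothing that can call the token endpoint,
    // so an expired access token is relayed downstream unchanged (the problem in the question).
    @Bean
    public OAuth2RestOperations oauth2RestOperations(OAuth2ClientContext context,
                                                     OAuth2ProtectedResourceDetails details) {
        return new OAuth2RestTemplate(details, context);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf().disable() // copied from the question's configuration; see the note below
            .authorizeRequests().anyRequest().authenticated()
            .and()
            // Runs just before authorization: if the session's token is dead and cannot be
            // refreshed, discard the session so this request is treated as unauthenticated.
            .addFilterBefore(new ExpiredTokenSessionFilter(oauth2ClientContext),
                             FilterSecurityInterceptor.class);
    }

    static class ExpiredTokenSessionFilter extends OncePerRequestFilter {
        private final OAuth2ClientContext context;

        ExpiredTokenSessionFilter(OAuth2ClientContext context) {
            this.context = context;
        }

        // Expired and no refresh token: only a fresh authorization round trip can help.
        // A token that still has a refresh token is left for OAuth2TokenRelayFilter to renew.
        static boolean mustReauthenticate(OAuth2AccessToken token) {
            return token != null && token.isExpired() && token.getRefreshToken() == null;
        }

        @Override
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                        FilterChain chain) throws ServletException, IOException {
            if (mustReauthenticate(context.getAccessToken())) {
                SecurityContextHolder.clearContext();
                HttpSession session = request.getSession(false);
                if (session != null) {
                    session.invalidate();
                }
                // FilterSecurityInterceptor now sees no authentication, and
                // ExceptionTranslationFilter sends the browser back through the SSO login.
            }
            chain.doFilter(request, response);
        }
    }
}
```

The static mustReauthenticate method is the decision point and is what you would unit-test, for instance with a DefaultOAuth2AccessToken whose expiration is set in the past, with and without a refresh token. The csrf().disable() line is kept only because the question's configuration has it; a gateway that fronts a browser session should normally leave CSRF protection enabled.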