我有以下信息: 授予类型:客户凭证 访问令牌URL:https://host/adfs/oauth2/token 客户编号:clientId 客户机密:clientSecret
我的目标是制造一个资源服务器,该资源服务器将在头中接收jwt或访问令牌。令牌通过验证后,我将返回要求的资源。
问题:我不确定如何使用spring react来验证令牌。
注意:服务器已启用开放ID。
我尝试过: https://docs.spring.io/spring-security/site/docs/5.1.0.BUILD-SNAPSHOT/reference/html/webclient.html
和 https://www.youtube.com/watch?v=1N-xwmoN83w&t=1338s
如果您点击
https://host/adfs/.well-known/openid-configuration
{
"issuer":"https:\/\/host\/adfs",
"authorization_endpoint":"https:\/\/host\/adfs\/oauth2\/authorize\/",
"token_endpoint":"https:\/\/host\/adfs\/oauth2\/token\/",
"jwks_uri":"https:\/\/host\/adfs\/discovery\/keys",
"token_endpoint_auth_methods_supported":[
"client_secret_post",
"client_secret_basic",
"private_key_jwt",
"windows_client_authentication"
],
"response_types_supported":[
"code",
"id_token",
"code id_token",
"id_token token",
"code token",
"code id_token token"
],
"response_modes_supported":[
"query",
"fragment",
"form_post"
],
"grant_types_supported":[
"authorization_code",
"refresh_token",
"client_credentials",
"urn:ietf:params:oauth:grant-type:jwt-bearer",
"implicit",
"password",
"srv_challenge",
"urn:ietf:params:oauth:grant-type:device_code",
"device_code"
],
"subject_types_supported":[
"pairwise"
],
"scopes_supported":[
"email",
"profile",
"winhello_cert",
"logon_cert",
"user_impersonation",
"aza",
"vpn_cert",
"openid",
"allatclaims"
],
"id_token_signing_alg_values_supported":[
"RS256"
],
"token_endpoint_auth_signing_alg_values_supported":[
"RS256"
],
"access_token_issuer":"http:\/\/host\/adfs\/services\/trust",
"claims_supported":[
"aud",
"iss",
"iat",
"exp",
"auth_time",
"nonce",
"at_hash",
"c_hash",
"sub",
"upn",
"unique_name",
"pwd_url",
"pwd_exp",
"mfa_auth_time",
"sid"
],
"microsoft_multi_refresh_token":true,
"userinfo_endpoint":"https:\/\/host\/adfs\/userinfo",
"capabilities":[
],
"end_session_endpoint":"https:\/\/host\/adfs\/oauth2\/logout",
"as_access_token_token_binding_supported":true,
"as_refresh_token_token_binding_supported":true,
"resource_access_token_token_binding_supported":true,
"op_id_token_token_binding_supported":true,
"rp_id_token_token_binding_supported":true,
"frontchannel_logout_supported":true,
"frontchannel_logout_session_supported":true,
"device_authorization_endpoint":"https:\/\/host\/adfs\/oauth2\/devicecode"
}
我有一个简单的控制器:
@RestController
public class Controller {
@GetMapping("/hello")
public String sayHello(){
return "hello";
}
}
及以下课程:
@ConditionalOnClass({ EnableWebFluxSecurity.class, WebFilterChainProxy.class })
@ConditionalOnMissingBean(WebFilterChainProxy.class)
@ConditionalOnWebApplication(type = ConditionalOnWebApplication.Type.REACTIVE)
@EnableWebFluxSecurity
public class WebSecurityConfig {
@Bean
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { http.authorizeExchange().anyExchange().authenticated().and().oauth2ResourceServer().jwt();
return http.build();
}
}
在应用程序属性中,我具有: spring.security.oauth2.resourceserver.jwt.issuer-uri:valid-uri
这是日志: 2019-11-05 16:00:55.638调试51492 --- [ctor-http-nio-3] o.s.w.s.adapter.HttpWebHandlerAdapter:[7598cb39] HTTP GET“ / hello” 2019-11-05 16:00:55.746调试51492 --- [ctor-http-nio-3] o.s.w.r.f.client.ExchangeFunctions:[628b27eb] HTTP GET https://host/adfs/discovery/keys 2019-11-05 16:00:55.823调试51492 --- [ctor-http-nio-4] o.s.w.r.f.client.ExchangeFunctions:[628b27eb]响应200 OK 2019-11-05 16:00:55.840调试51492 --- [ctor-http-nio-4] oscore.codec.StringDecoder:[628b27eb]解码为“ {” keys“:[{” kty“:” algo“ ,“ use”:“ sig”,“ alg”:“ HS234”,“ kid”:“ feafafa”,“ x5t”:“ fKeeYG0K(截短)... 2019-11-05 16:00:55.858调试51492 --- [ctor-http-nio-4] o.s.w.s.adapter.HttpWebHandlerAdapter:[7598cb39]已完成401未经授权