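I tried to implement an OAuth2 client with spring-boot using the authorization code grant flow, but it does not work.
"http://external_server/oauth/authorize" was called, but no parameters were added.
Does anyone know what is wrong with the configuration below?
The auth provider is implemented by doorkeeper, and it is already running.

    @Configuration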
    @EnableWebMvcSecurity
    @EnableOAuth2Client
    public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {

        private static final String AUTH_ENDPOINT = "http://external_server";
        private static final String LOGIN_URL = AUTH_ENDPOINT + "/users/sign_in";
        private static final String LOGOUT_URL = AUTH_ENDPOINT + "/sign_out";
        private static final String AUTH_URL = AUTH_ENDPOINT + "/oauth/authorize";
        private static final String ACCESS_TOKEN_URL = AUTH_ENDPOINT + "/oauth/token";

        @Autowired OAuth2ClientContext oAuth2ClientContext;

        /**
         * for specific api
         */
        @Bean public RestTemplate restTemplate() {
            return new RestTemplate();
        }

        /**
         * for accessing protected resource
         */
        @Bean public OAuth2RestTemplate oAuth2RestTemplate() {
            return new OAuth2RestTemplate(resource(), oAuth2ClientContext);
        }

        @Bean protected OAuth2ProtectedResourceDetails resource() {
            AuthorizationCodeResourceDetails resource = new AuthorizationCodeResourceDetails();
            resource.setClientId("_xxx_");
            resource.setClientSecret("_yyy_");
            resource.setUserAuthorizationUri(AUTH_URL);
            resource.setAccessTokenUri(ACCESS_TOKEN_URL);
            return resource;
        }

        @Override public void configure(WebSecurity web) throws Exception {
            web.debug(true).ignoring().antMatchers("/webjars/**", "/css/**");
        }

        @Override protected void configure(HttpSecurity http) throws Exception {
            //@formatter:off
            http.csrf().disable().authorizeRequests()
                .antMatchers("/", "/callback")
                .permitAll()
                .anyRequest()
                .authenticated();
            http.formLogin()
                .loginPage(AUTH_URL)
                .loginProcessingUrl(LOGIN_URL);
            http.httpBasic()
                .disable();
            //@formatter:on
        }
    }

So the URL constants in WebSecurityConfiguration are correct.

Answer 0 (score: 0)

By default, only the POST method is enabled. You may need to include the GET method on AuthorizationConfig.

    .allowedTokenEndpointRequestMethods(HttpMethod.GET, HttpMethod.POST);

It will be something like this:

    @Configuration
    @EnableAuthorizationServer
    public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {
        ....
        @Override
        public void configure(AuthorizationServerEndpointsConfigurer endpoints){
            endpoints.authenticationManager(authenticationManager)
                .allowedTokenEndpointRequestMethods(HttpMethod.GET, HttpMethod.POST);
        }
    }

Regarding the Spring OAuth source code, we have:

    private Set<HttpMethod> allowedTokenEndpointRequestMethods() {
        // HTTP POST should be the only allowed endpoint request method by default.
        if (allowedTokenEndpointRequestMethods.isEmpty()) {
            allowedTokenEndpointRequestMethods.add(HttpMethod.POST);
        }
        return allowedTokenEndpointRequestMethods;
    }
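
For reference when inspecting the redirect described in the question, the following added example (not code from the original post, the answer, or Spring) builds the authorization request with the query parameters RFC 6749 section 4.1.1 defines and checks the `state` value on the callback. The endpoint and client id are the ones shown in the question; the callback URL, class name and method names are assumptions.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.stream.Collectors;

public class AuthorizeRequestExample {
    // Endpoint and client id as shown in the question.
    static final String AUTH_URL = "http://external_server/oauth/authorize";
    static final String CLIENT_ID = "_xxx_";
    // Assumed callback URL; it must match the redirect URI registered with the provider.
    static final String REDIRECT_URI = "http://localhost:8080/callback";

    /** Random, unguessable state value that ties the callback to this browser session. */
    static String newState() {
        byte[] buf = new byte[32];
        new SecureRandom().nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    /** Builds the redirect target with the authorization-code request parameters. */
    static String authorizationUrl(String state) {
        Map<String, String> params = new LinkedHashMap<>();
        params.put("response_type", "code");   // selects the authorization code grant
        params.put("client_id", CLIENT_ID);
        params.put("redirect_uri", REDIRECT_URI);
        params.put("state", state);
        return AUTH_URL + "?" + params.entrySet().stream()
            .map(e -> e.getKey() + "=" + URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8))
            .collect(Collectors.joining("&"));
    }

    /** Constant-time comparison of the stored state with the one echoed to the callback. */
    static boolean stateMatches(String expected, String returned) {
        if (expected == null || returned == null) return false;
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     returned.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        String state = newState();                            // keep in the user's session
        System.out.println(authorizationUrl(state));
        System.out.println(stateMatches(state, state));       // callback echoing the stored state
        System.out.println(stateMatches(state, newState()));  // callback with a different state
    }
}
```

A request to the authorize endpoint that lacks these parameters, as in the question, indicates the redirect was not produced by the OAuth2 client machinery at all.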