Too many authorization bearers in MFP 8.0

Date: 2016-11-28 13:02:16

Tags: ibm-mobilefirst

I have followed the steps provided in https://mobilefirstplatform.ibmcloud.com/tutorials/en/foundation/8.0/authentication-and-security/protecting-external-resources/ to protect an external resource, and I call it from Cordova as described in https://mobilefirstplatform.ibmcloud.com/tutorials/en/foundation/8.0/application-development/resource-request/javascript/.

I make 2 requests to the same REST method, which is protected by the scope "aovLogin".

It seems that every call generates a new bearer token, which requires 4 additional calls to MFP.

Also, the first time the method is called it makes several additional calls (it is always an HTTP 401, then a 403 and then a 200, with additional calls to MFP in between). If I have a very fine-grained API, it makes a lot of additional calls.

I have seen that the server API has a bearer cache, and the scope is configured to be valid for 10 minutes.

Why is the client sending so many authorization requests?

POST /com.costaisa.app.api/api/mfprest/delegation/detail/private HTTP/1.1

HTTP/1.1 401 Unauthorized

----------

POST /mfp/api/preauth/v1/preauthorize HTTP/1.1
{"scope":"","client_id":"3deccec7-3f18-4ee2-8464-de90a7c64685"}

HTTP/1.1 400 Bad Request
{"errorCode":"INVALID_CLIENT_ID","errorMsg":"Invalid client ID."}

------

POST /mfp/api/registration/v1/self HTTP/1.1
{"signedRegistrationData":{"header":"XXXXX","payload":"XXXXX","signature":"XXXXX"}}

HTTP/1.1 201 Created

-----

POST /mfp/api/preauth/v1/preauthorize HTTP/1.1
{"scope":"","client_id":"84c45e4a-b75d-4125-ab9a-98f390d5bd3a"}

HTTP/1.1 200 OK
{"successes":{"clockSynchronization":{"serverTimeStamp":1480322130967}}}

--------

GET /mfp/api/az/v1/authorization?response_type=code&scope=&client_id=84c45e4a-b75d-4125-ab9a-98f390d5bd3a&redirect_uri=http://mfpredirecturi&isAjaxRequest=true&x=0.1757133661526875 HTTP/1.1

HTTP/1.1 302 Found

------

POST /mfp/api/az/v1/token HTTP/1.1
XXXXX

HTTP/1.1 200 OK
{"access_token":"XXXXX","token_type":"Bearer","expires_in":3599,"scope":""}

---

POST /com.costaisa.app.api/api/mfprest/delegation/detail/private HTTP/1.1
Authorization: Bearer XXXXX
{"idDelegation":"0801"}

HTTP/1.1 403 Forbidden

---

POST /mfp/api/preauth/v1/preauthorize HTTP/1.1
{"scope":"aovLogin","client_id":"84c45e4a-b75d-4125-ab9a-98f390d5bd3a"}

HTTP/1.1 401 Unauthorized
{"successes":{"clockSynchronization":{"serverTimeStamp":1480322131320}},"challenges":{"aovLogin":{"remainingAttempts":5,"errorMsg":null}}}

---

POST /mfp/api/preauth/v1/preauthorize HTTP/1.1
{"challengeResponse":{"aovLogin":{"username":"XXXXX","tokenSEA":"XXXXX"}},"scope":"aovLogin","client_id":"84c45e4a-b75d-4125-ab9a-98f390d5bd3a"}

HTTP/1.1 200 OK
{"successes":{"aovLogin":{"user":{"id":"XXXXX","displayName":"XXXXX","authenticatedAt":1480322139874,"authenticatedBy":"aovLogin","attributes":{"tokenSEA":"XXXXX"}}},"clockSynchronization":{"serverTimeStamp":1480322139874}}}

--------

GET /mfp/api/az/v1/authorization?response_type=code&scope=aovLogin&client_id=84c45e4a-b75d-4125-ab9a-98f390d5bd3a&redirect_uri=http://mfpredirecturi&isAjaxRequest=true&x=0.5223292209780417 HTTP/1.1

HTTP/1.1 302 Found

---

POST /mfp/api/az/v1/token HTTP/1.1
XXXXX

HTTP/1.1 200 OK
{"access_token":"XXXXX","token_type":"Bearer","expires_in":599,"scope":"aovLogin"}

---

POST /com.costaisa.app.api/api/mfprest/delegation/detail/private HTTP/1.1
Authorization: Bearer XXXXX.eyJpc3MiOiJjb20uaWJtLm1mcCIsInN1YiI6Ijg0YzQ1ZTRhLWI3NWQtNDEyNS1hYjlhLTk4ZjM5MGQ1YmQzYSIsImF1ZCI6ImNvbS5pYm0ubWZwIiwiZXhwIjoxNDgwMzIyNzM5ODc0LCJzY29wZSI6ImFvdkxvZ2luIn0.jGJAhZaV6NFHZKj-LKBmJ6Gqb7ZrZX20xDKEPkNtORZ1tanLo8MSklY2HogK-wKs7APIuWESLSsskrwR9p0EnrmHgUYZf3BPY9HDUSBojUN9-vd_I9kavcg34Hes1KTvYG4Wi-9XbZQ2T1-SbHhn-mqsToeLIGBGkzsugwQG9tIKG3Qr0BixDIfuhxux4Gdo30HCyn9SB5ZaY5wdxaD2_kJjnJih_SsAuuXRNAXEO_PgExnZ6Mr1qyqyOfwc3k9jmgRpuEQigYYRYOP-Tvs_i59IVYOdpsQ70gi-Ky09orx5Jy3hVJv-J45Dx7FHdR3ZPTn7pYW7IRmRo4CZ2COoCg

HTTP/1.1 200 OK
.....

--- CALL AGAIN, new bearer is generated

POST /mfp/api/az/v1/introspection HTTP/1.1

POST /mfp/api/preauth/v1/preauthorize HTTP/1.1

GET /mfp/api/az/v1/authorization?XXX HTTP/1.1

POST /mfp/api/az/v1/token HTTP/1.1

POST /com.costaisa.app.api/api/mfprest/delegation/detail/private HTTP/1.1
Authorization: Bearer XXXXX.eyJpc3MiOiJjb20uaWJtLm1mcCIsInN1YiI6IjM1NDcyYWNhLWVlNmItNGNhZi04OGQ2LWQxY2ExNjQ0NzM4NyIsImF1ZCI6ImNvbS5pYm0ubWZwIiwiZXhwIjoxNDgwMzM5OTU0NjE2LCJzY29wZSI6ImFvdkxvZ2luIn0.JSm3nrW6BD5i66GossHYM4-6GqQfC-ZSH5P-X4M9mws2jBNvCkFKgv_XbRAb3km-0NMZz3FHsrY_0h0dx7fpJYiR9CIjaY-PFw75zdKbyEpzbhAX7OjZtYOtZblKEYLkT8mH-0mLc6VE_YBPFd2q55HMmECCLirAAdWwzMGgEzL02OKTd1GVuJyjqjlxeOJypFglaHezuByd6eGVMFJvnfDX3h_o6k8sWcv-g7UFa8jtcMNZpbzFOYG9Q2nGQ-oYIt17QyF4CVKPMN4anMwRRQ_2cjuvg-1ZuU450hxBX3u09wBxJ21mQklgg72t7fdLKgT7EIPmQlPP3wrX9qzy7A

HTTP/1.1 200 OK

Update

  • If the scope is sent in the WLResourceRequest, the HTTP 401 and 403 calls to the external resource are avoided, and the multiple calls to MFP are avoided as well
  • It generates a new token when calling an external resource with an absolute URL, but also when calling a standard protected adapter with a relative URL

Example calling a protected adapter:

var resourceRequest = new WLResourceRequest(
    "/adapters/AOS42_AOV_API/resource/protectedResource",
    WLResourceRequest.GET,
    {'scope' : 'aovLogin'} // it avoids 401 and 403 responses
);

resourceRequest.send().then(
    function (response) {
        alert("response ok protectedResource " + response.responseText);
    },
    function (response) {
        alert("response ko protectedResource " + response.responseText);
    }
);

Example calling an external resource:

var resourceRequest = new WLResourceRequest(
    "https://someurl.com/someApp/protectedResource",
    WLResourceRequest.GET,
    {'scope' : 'aovLogin'} // it avoids 401 and 403 responses
);

resourceRequest.send().then(
    function (response) {
        alert("response ok external resource " + response.responseText);
    },
    function (response) {
        alert("response ko external resource " + response.responseText);
    }
);

Update 2:

We made a change: now we call WLAuthorizationManager.login beforehand, instead of calling the protected external resource, receiving an HTTP 401 and then sending the challenge.

In Android it keeps calling MFP 3 times before every call, but now the server returns the same bearer token.

The same Cordova app, calling the same REST API protected by MFP and using the same security adapter in MFP, works perfectly in iOS. Once the bearer is obtained, we only see the calls to the external API.
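To see what the two bearer tokens in the trace above actually carry, and to decide when a client may keep reusing a cached bearer instead of running another preauthorize / authorization / token round trip, here is an added Node.js example. It is not part of the original question and not IBM's MFP client code: it only base64url-decodes the JWT payload segments copied from the two "Authorization: Bearer" lines (the header and signature segments were redacted in the post, so constructed placeholders stand in for them). The function names (`decodeJwtPayload`, `canReuseToken`, `compareTrace`) and the 30 second clock-skew margin are assumptions of the example.

```javascript
// Added example (not from the original post or from IBM MFP): inspect the
// bearer tokens captured in the trace and decide, from their "exp" and
// "scope" claims, whether a cached token can be reused for the next call.
//
// The payload is read WITHOUT verifying the signature. That is adequate for
// looking at a capture; a resource server must verify the signature (or ask
// the MFP /az/v1/introspection endpoint) before trusting any claim.

// Decode an unpadded base64url string (JWT segments) to UTF-8 text.
function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

// Return the parsed JSON payload of a compact JWT (header.payload.signature).
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// True when a cached token still covers `scope` at time `nowMs` (epoch ms),
// keeping `skewMs` of safety margin so a token about to expire is not sent.
function canReuseToken(payload, scope, nowMs, skewMs = 30000) {
  const scopes = (payload.scope || '').split(' ').filter(Boolean);
  return scopes.includes(scope) && payload.exp - skewMs > nowMs;
}

// Payload segments copied from the trace; "HEADER" and "SIGNATURE" are
// constructed placeholders for the parts the post redacted.
const FIRST_CALL = 'HEADER.' +
  'eyJpc3MiOiJjb20uaWJtLm1mcCIsInN1YiI6Ijg0YzQ1ZTRhLWI3NWQtNDEyNS1hYjlhLTk4ZjM5MGQ1YmQzYSIsImF1ZCI6ImNvbS5pYm0ubWZwIiwiZXhwIjoxNDgwMzIyNzM5ODc0LCJzY29wZSI6ImFvdkxvZ2luIn0' +
  '.SIGNATURE';
const SECOND_CALL = 'HEADER.' +
  'eyJpc3MiOiJjb20uaWJtLm1mcCIsInN1YiI6IjM1NDcyYWNhLWVlNmItNGNhZi04OGQ2LWQxY2ExNjQ0NzM4NyIsImF1ZCI6ImNvbS5pYm0ubWZwIiwiZXhwIjoxNDgwMzM5OTU0NjE2LCJzY29wZSI6ImFvdkxvZ2luIn0' +
  '.SIGNATURE';

// "authenticatedAt" from the aovLogin challenge response in the trace.
const AUTHENTICATED_AT = 1480322139874;

// Compare the two captured tokens and exercise the reuse decision.
function compareTrace() {
  const a = decodeJwtPayload(FIRST_CALL);
  const b = decodeJwtPayload(SECOND_CALL);
  return {
    issuer: a.iss,
    sameSubject: a.sub === b.sub,          // same client registration?
    firstLifetimeMs: a.exp - AUTHENTICATED_AT,
    // a second request one second after the first token was issued
    // should be able to reuse it instead of requesting a new bearer
    reusableOneSecondLater: canReuseToken(a, 'aovLogin', AUTHENTICATED_AT + 1000),
    reusableAfterExpiry: canReuseToken(a, 'aovLogin', a.exp + 1),
    // a token for the wrong scope must not be reused either
    reusableForOtherScope: canReuseToken(a, 'otherScope', AUTHENTICATED_AT + 1000),
  };
}

console.log(compareTrace());
```

Run against the trace, this shows that the first token's `exp` lies exactly 600000 ms after the `authenticatedAt` timestamp, matching the 10 minute scope validity mentioned in the question, and that the two tokens carry different `sub` values, i.e. they were issued to different client registrations, which is why the second one could not simply be the cached first one. A client-side cache keyed on scope with the `canReuseToken` check is the behaviour one would expect before any further authorization traffic is sent.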

1 Answer:

Answer 0 (score: 1)

This bug has been addressed in the iFix for MobileFirst Foundation 8.0 that was just released. The build number is 8.0.0.0-IF20170125-0919. Please log in to IBM Fix Central to download the iFix.

The related APAR is:
PI74988 Multiple authorization calls for every REST call in Android app

Since you are using Cordova, I think updating the cordova-plugin-mfp plugin to @8.0.2017012210 should be enough.