Error getting a new token with a valid refresh token obtained through the authorization code flow

Time: 2016-12-15 12:48:37

Tags: oauth-2.0 wso2is wso2-am refresh-token

I am using WSO2 API Manager 1.10.0 with WSO2 Identity Server 5.1.0 configured as the Key Manager and MySQL Community Server 5.6 configured as the database. When I try to refresh a token obtained with the authorization code grant type (using the refresh_token grant type), I get a 400 Bad Request error (invalid_grant - Provided Authorization Grant is invalid) and I cannot get a new token. I then tried the client_credentials and password grant types, and for those I was able to refresh the token.

I checked the Identity Server logs and found that the Identity Server throws an error while trying to retrieve the latest refresh token (log below).

TID: [-1234] [] [2016-12-15 12:40:00,470] DEBUG {org.wso2.carbon.identity.oauth2.OAuth2Service} -  Access Token request received for Client ID OQU0_FyRQcdvTFbygziFw67ASHwa, User ID null, Scope : [openid, profile] and Grant Type : refresh_token 
TID: [-1234] [] [2016-12-15 12:40:00,470] DEBUG {org.wso2.carbon.identity.oauth2.token.handlers.clientauth.AbstractClientAuthHandler} -  Can authenticate with client ID and Secret. Client ID: OQU0_FyRQcdvTFbygziFw67ASHwa 
TID: [-1234] [] [2016-12-15 12:40:00,470] DEBUG {org.wso2.carbon.identity.oauth2.token.handlers.clientauth.AbstractClientAuthHandler} -  Grant type : refresh_token Strict client validation set to : null 
TID: [-1234] [] [2016-12-15 12:40:00,470] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} -  Client credentials were available in the cache for client id : OQU0_FyRQcdvTFbygziFw67ASHwa 
TID: [-1234] [] [2016-12-15 12:40:00,470] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} -  Successfully authenticated the client with client id : OQU0_FyRQcdvTFbygziFw67ASHwa 
TID: [-1234] [] [2016-12-15 12:40:00,474] DEBUG {org.wso2.carbon.identity.oauth2.token.handlers.grant.RefreshGrantHandler} -  Error while retrieving the latest refresh token 
TID: [-1234] [] [2016-12-15 12:40:00,474] DEBUG {org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer} -  Invalid Grant provided by the client Id: OQU0_FyRQcdvTFbygziFw67ASHwa 
TID: [-1234] [] [2016-12-15 12:40:00,474] DEBUG {org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer} -  OAuth-Error-Code=invalid_grant client-id=OQU0_FyRQcdvTFbygziFw67ASHwa grant-type=refresh_token scope=openid profile 
TID: [-1234] [] [2016-12-15 12:40:06,492] DEBUG {org.wso2.carbon.core.deployment.CarbonDeploymentSchedulerTask} -  Running deployment synchronizer update... tenant : carbon.super 
TID: [-1234] [] [2016-12-15 12:40:06,588] DEBUG {org.wso2.carbon.core.deployment.CarbonDeploymentSchedulerTask} -  Running deployment synchronizer commit... tenant : carbon.super 

I debugged the source code and I think the problem may be related to the following SQL query, specifically to the USER_DOMAIN = null clause.

SELECT ACCESS_TOKEN, REFRESH_TOKEN, TIME_CREATED, REFRESH_TOKEN_TIME_CREATED, VALIDITY_PERIOD, REFRESH_TOKEN_VALIDITY_PERIOD, TOKEN_STATE, USER_TYPE, TOKEN_ID, SUBJECT_IDENTIFIER FROM IDN_OAUTH2_ACCESS_TOKEN WHERE CONSUMER_KEY_ID = (SELECT ID FROM IDN_OAUTH_CONSUMER_APPS WHERE CONSUMER_KEY = 'OQU0_FyRQcdvTFbygziFw67ASHwa') AND AUTHZ_USER='michael.pinheiro' AND TENANT_ID=-1234 AND USER_DOMAIN=null AND TOKEN_SCOPE_HASH='369db21a386ae433e65c0ff34d35708d' ORDER BY TIME_CREATED DESC LIMIT 1

I also noticed that when the authorization code grant type is used, the access token created in the IDN_OAUTH2_ACCESS_TOKEN table has the USER_DOMAIN column set to NULL, whereas when the password or client_credentials grant type is used, the value is "PRIMARY".

Could this be a bug, or am I missing some parameter that would set the user domain to PRIMARY when the new access token is created?

I have written down all the steps I performed to reproduce the problem:

Step 1: I obtain the authorization code by redirecting to https://identity-dev.domain.pt/oauth2/authorize?response_type=code&client_id=OQU0_FyRQcdvTFbygziFw67ASHwa&scope=openid profile&redirect_uri=http://localhost:8100

Step 2: Using the code received in the previous step, I get the access token (and refresh token) by executing:

curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d 'grant_type=authorization_code&client_id=OQU0_FyRQcdvTFbygziFw67ASHwa&client_secret=3kC6Uf9f8Lr8HVl2n03dhQc57Jsa&scope=openid profile&code=fd2f827afefba0ab0b17f9d701ad1488&redirect_uri=http://localhost:8100' "https://identity-dev.domain.pt/oauth2/token"

Step 3: Using the refresh token received in the previous step, I execute the following request to get a new token, but I get the 400 Bad Request described in this post.

curl -X POST -H "Authorization: Basic T1FVMF9GeVJRY2R2VEZieWd6aUZ3NjdBU0h3YToza0M2VWY5ZjhMcjhIVmwybjAzZGhRYzU3SnNh" -H "Content-Type: application/x-www-form-urlencoded" -H "Accept: application/json" -d 'grant_type=refresh_token&scope=openid profile&refresh_token=7a7da99d70d48e10ac82e3681c63b0a1' "https://identity-dev.domain.pt/oauth2/token"

Any help is welcome!
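The USER_DOMAIN=null clause in the query above is worth isolating, because in SQL a comparison with = against NULL never evaluates to true (whether NULL is written literally or bound as a parameter), so the lookup returns no row at all for a token stored with a NULL domain, and IS NULL is the only predicate that would match it. The following is an added example, not code from the post or from WSO2: it rebuilds a cut-down IDN_OAUTH2_ACCESS_TOKEN table in SQLite with constructed rows (one token stored with USER_DOMAIN NULL as the post describes for the authorization code grant, one with "PRIMARY" as for the password grant) and runs the latest-token lookup with each predicate. The refresh-token strings, the column subset and CONSUMER_KEY_ID = 1 are assumptions for illustration.

```python
import sqlite3

# Values taken from the query in the post; CONSUMER_KEY_ID=1 is assumed.
CONSUMER_KEY_ID = 1
AUTHZ_USER = "michael.pinheiro"
TENANT_ID = -1234
SCOPE_HASH = "369db21a386ae433e65c0ff34d35708d"

# Constructed rows: the refresh-token strings are made up for this example.
SAMPLE_ROWS = [
    # CONSUMER_KEY_ID, AUTHZ_USER, TENANT_ID, USER_DOMAIN, TOKEN_SCOPE_HASH, REFRESH_TOKEN, TIME_CREATED
    (CONSUMER_KEY_ID, AUTHZ_USER, TENANT_ID, None,      SCOPE_HASH, "rt-authcode-1", 100),  # authorization_code grant
    (CONSUMER_KEY_ID, AUTHZ_USER, TENANT_ID, "PRIMARY", SCOPE_HASH, "rt-password-1", 200),  # password grant
]


def build_db():
    """Create an in-memory cut-down IDN_OAUTH2_ACCESS_TOKEN and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE IDN_OAUTH2_ACCESS_TOKEN ("
        "CONSUMER_KEY_ID INTEGER, AUTHZ_USER TEXT, TENANT_ID INTEGER, USER_DOMAIN TEXT, "
        "TOKEN_SCOPE_HASH TEXT, REFRESH_TOKEN TEXT, TIME_CREATED INTEGER)"
    )
    conn.executemany(
        "INSERT INTO IDN_OAUTH2_ACCESS_TOKEN VALUES (?, ?, ?, ?, ?, ?, ?)", SAMPLE_ROWS
    )
    return conn


def latest_refresh_token(conn, domain_clause, domain_params=()):
    """Run the latest-token lookup with a caller-chosen USER_DOMAIN predicate.

    domain_clause is one of the fixed strings used below (never user input);
    any value it needs is passed as a bound parameter in domain_params.
    Returns the newest matching REFRESH_TOKEN, or None when no row matches,
    which is the condition the grant handler reports as invalid_grant.
    """
    sql = (
        "SELECT REFRESH_TOKEN FROM IDN_OAUTH2_ACCESS_TOKEN "
        "WHERE CONSUMER_KEY_ID = ? AND AUTHZ_USER = ? AND TENANT_ID = ? "
        f"AND {domain_clause} AND TOKEN_SCOPE_HASH = ? "
        "ORDER BY TIME_CREATED DESC LIMIT 1"
    )
    params = (CONSUMER_KEY_ID, AUTHZ_USER, TENANT_ID, *domain_params, SCOPE_HASH)
    row = conn.execute(sql, params).fetchone()
    return row[0] if row else None


def run_lookups():
    """Compare the three predicate forms; returns (equals_null, is_null, primary)."""
    conn = build_db()
    # The clause from the post: NULL = NULL is unknown, not true, so nothing matches.
    equals_null = latest_refresh_token(conn, "USER_DOMAIN = NULL")
    # The predicate that actually finds the token stored with a NULL domain.
    is_null = latest_refresh_token(conn, "USER_DOMAIN IS NULL")
    # The password/client_credentials case, where the domain is a real string.
    primary = latest_refresh_token(conn, "USER_DOMAIN = ?", ("PRIMARY",))
    conn.close()
    return equals_null, is_null, primary


if __name__ == "__main__":
    print(run_lookups())  # (None, 'rt-authcode-1', 'rt-password-1')
```

Binding None through a JDBC or DB-API placeholder in `USER_DOMAIN = ?` behaves exactly like the literal `= NULL` case: the row issued through the authorization code grant is never found, while the rows written with "PRIMARY" are, which matches the behaviour the post reports for the different grant types.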

1 answer:

Answer 0 (score: 0)

This issue has been reported in [1] and fixed in subsequent versions. Please refer to the fix in the JIRA link. You can try APIM 2.0.0 with IS 5.2.0 configured as the Key Manager.

[1] https://wso2.org/jira/browse/IDENTITY-4322