Question

我有一个授权服务器（http://localhost:8082），资源服务器和隐式客户端（http://localhost:8080）项目。问题是当客户端请求授权（令牌）时，auth服务器会显示登录屏幕，但在成功登录后，它会重定向到GET http://localhost:8082/而不是http://localhost:8082/authorize?client_id= ...（根据要求）由客户）

我看到了这个日志：

隐含客户：

.s.o.c.t.g.i.ImplicitAccessTokenProvider : Retrieving token from http://localhost:8082/oauth/authorize
o.s.web.client.RestTemplate              : Created POST request for "http://localhost:8082/oauth/authorize"
.s.o.c.t.g.i.ImplicitAccessTokenProvider : Encoding and sending form: {response_type=[token], client_id=[themostuntrustedclientid], scope=[read_users write_users], redirect_uri=[http://localhost:8080/api/accessTokenExtractor]}
o.s.web.client.RestTemplate              : POST request for "http://localhost:8082/oauth/authorize" resulted in 302 (null)
o.s.s.web.DefaultRedirectStrategy        : Redirecting to 'http://localhost:8082/login?client_id=themostuntrustedclientid&response_type=token&redirect_uri=http://localhost:8080/api/accessTokenExtractor'

验证服务器：

o.s.s.w.u.matcher.AntPathRequestMatcher  : Request 'POST /oauth/authorize' doesn't match 'GET /**
o.s.s.w.util.matcher.AndRequestMatcher   : Did not match
o.s.s.w.s.HttpSessionRequestCache        : Request not saved as configured RequestMatcher did not match
o.s.s.w.a.ExceptionTranslationFilter     : Calling Authentication entry point.
o.s.s.web.DefaultRedirectStrategy        : Redirecting to 'http://localhost:8082/login'

隐式客户端正在POST / for / oauth / authorize，而不是GETting它，并且authserver不存储POST请求。 auth服务器返回重定向302，隐式客户端将浏览器重定向到此URL：http://localhost:8082/login?client_id=themostuntrustedclientid&response_type=token&redirect_uri=http://localhost:8080/api/accessTokenExtractor

成功登录后，auth服务器没有目标网址，因此显示http://localhost:8082/，因此它不会处理任何/ oauth / authorize请求...问题出在哪里？

AUTH SERVER CONFIG：

@Configuration
class OAuth2Config extends AuthorizationServerConfigurerAdapter{

    @Autowired
    private AuthenticationManager authenticationManager

    @Bean
    public TokenStore tokenStore() {
        return new InMemoryTokenStore();
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
            .withClient("themostuntrustedclientid")
            .secret("themostuntrustedclientsecret")
            .authorizedGrantTypes("implicit")
            .authorities("ROLE_USER")
            .scopes("read_users", "write_users")
            .accessTokenValiditySeconds(60)     
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.authenticationManager(this.authenticationManager);
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
        //security.checkTokenAccess('hasRole("ROLE_RESOURCE_PROVIDER")')
        security.checkTokenAccess('isAuthenticated()')
    }

}

@Configuration
@EnableWebSecurity
class SecurityConfig extends WebSecurityConfigurerAdapter{

    @Autowired
    public void configureGlobalSecurity(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication().withUser("jose").password("mypassword").roles('USER').and()
                                     .withUser("themostuntrustedclientid").password("themostuntrustedclientsecret").roles('USER')
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
        .csrf()
            //
            //XXX Si se usa implicit descomentar
            .ignoringAntMatchers("/oauth/authorize")
            .and()
        .authorizeRequests()
            .anyRequest().authenticated()
            .and()
        //.httpBasic()
        .formLogin()
            .loginPage("/login").permitAll()
    }

}

隐含客户端配置：

@Configuration
class OAuth2Config {

    @Value('${oauth.authorize:http://localhost:8082/oauth/authorize}')
    private String authorizeUrl

    @Value('${oauth.token:http://localhost:8082/oauth/token}')
    private String tokenUrl

    @Autowired
    private OAuth2ClientContext oauth2Context

    @Bean
    OAuth2ProtectedResourceDetails resource() {
        ImplicitResourceDetails resource = new ImplicitResourceDetails()
        resource.setAuthenticationScheme(AuthenticationScheme.header)
        resource.setAccessTokenUri(authorizeUrl)
        resource.setUserAuthorizationUri(authorizeUrl);
        resource.setClientId("themostuntrustedclientid")
        resource.setClientSecret("themostuntrustedclientsecret")
        resource.setScope(['read_users', 'write_users'])
        resource
    }

    @Bean
    OAuth2RestTemplate restTemplate() {
        OAuth2RestTemplate restTemplate = new OAuth2RestTemplate(resource(), oauth2Context)
        //restTemplate.setAuthenticator(new ApiConnectOAuth2RequestAuthenticator())
        restTemplate
    }

@Configuration
class SecurityConfig extends WebSecurityConfigurerAdapter{

    @Autowired
    public void configureGlobalSecurity(AuthenticationManagerBuilder auth) throws Exception {
        auth.eraseCredentials(false)
            .inMemoryAuthentication().withUser("jose").password("mypassword").roles('USER')
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
        .csrf()
            .ignoringAntMatchers("/accessTokenExtractor")
        .and()
        .authorizeRequests()
        .anyRequest().hasRole('USER')
        .and()
        .formLogin()
            .loginPage("/login").permitAll()
    }

}

Answer 1

问题出在Auth服务器的SecurityConfig中。隐式客户端使用client_id和client_secret自动发送基本Authorization标头。我的Auth服务器配置为使用表单登录而不是基本身份验证。我改变了它，现在它按预期工作：

if ($context == 'com_content.article' && $article->alias && $isNew) {

Spring OAuth2隐式流 - Auth服务器不处理POST / oauth / authorize请求

1 个答案: