Unauthorized error on Spring Boot authorization server /oauth/authorize

Time: 2019-03-20 16:08:58

Tags: java spring spring-boot spring-security spring-security-oauth2

I am trying to develop a simple POC of an OAuth2 authorization server in Spring Boot using @EnableAuthorizationServer and in-memory clients.

My web security configuration class is as follows:

package com.example.authservice;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.antMatcher("/**")
                .authorizeRequests()
                .antMatchers("/", "/login**", "/oauth/authorize", "/oauth/authorize**")
                .permitAll()
                .anyRequest()
                .authenticated();
    }
}

The authorization server configuration is as follows:

package com.example.authservice;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;

@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
                .withClient("auth-client")
                .secret("secret-key")
                .authorizedGrantTypes("authorization_code")
                .scopes("openid");
    }

}

This is based on the "authorization code" grant flow. When I try to get the code (to be used in the next call to obtain the access token), I get an "Unauthorized" error.

curl -X GET \
  'http://localhost:8080/oauth/authorize?client_id=auth-client&client_secret=secret-key&grant_type=authorization_code&response_type=code'

Error:

{
    "timestamp": "2019-03-20T15:35:41.009+0000",
    "status": 403,
    "error": "Forbidden",
    "message": "Access Denied",
    "path": "/oauth/authorize"
}

I assumed that since /oauth/authorize is permitted in my web security configuration, it should return the code that can be used to get the access token. Does anyone know what might be wrong?

2 answers:

Answer 0 (score: 1)

/oauth/authorize is the default authorization server endpoint, which means it has a high-priority security level.

authorizeRequests().antMatchers("/oauth/authorize").permitAll()

does not apply to the Spring Security default API. It would be better if you test things like this with a browser.

    // Goes into the WebSecurityConfigurerAdapter; needs imports for
    // AuthenticationManagerBuilder and PasswordEncoder.
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
                // Identity "encoder": stores and compares the password as plain text (test use only).
                .passwordEncoder(new PasswordEncoder() {
                    @Override
                    public String encode(CharSequence charSequence) {
                        return charSequence.toString();
                    }

                    @Override
                    public boolean matches(CharSequence charSequence, String s) {
                        return s.equals(charSequence.toString());
                    }
                })
                .withUser("gig")
                .password("123456")
                .roles("USER");
    }

Also, it is better to add redirectUris after scopes. My test URL:

http://localhost:8080/oauth/authorize?response_type=code&client_id=auth-client-&redirect_uri=http://www.baidu.com&scope=all

Answer 1 (score: 0)

When a user tries to generate an authorization code by calling /oauth/authorize, the user should tell who he/she is, i.e. authenticate. That is how the authorization endpoint knows whether the user is granted this token. So authentication was the important piece missing from my service. In Spring Boot, authentication is handled by the AuthenticationManager.

To add the missing piece, here is the modified version of WebSecurityConfigurerAdapter.java:

package com.example.authservice;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .csrf()
                .disable()
                .antMatcher("/**")
                .authorizeRequests()
                .antMatchers("/login")
                .permitAll()
                .anyRequest()
                .authenticated()
                .and()
                .httpBasic();
    }

    @Override
    public void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication().withUser("user").password("{noop}password").roles("ROLE");
    }
}

This adds HTTP basic authentication to the Spring Boot service. Now, when you call /oauth/authorize with HTTP basic authentication, it successfully redirects to the redirect_uri you pass.
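Both answers point at the same two facts: the authorization endpoint must see an authenticated user before it can issue a code on that user's behalf (so it cannot be permitAll), and the client needs a registered redirect URI. The following is an added example, not code from the question or from either answer, of a configuration that applies both while keeping the settings a reviewer would otherwise flag: the user password and the client secret are stored hashed through a PasswordEncoder bean instead of {noop} or an identity encoder, and CSRF protection stays enabled because the browser flow uses form login. It also reflects how the authorization code grant is actually split: the authorize request carries only client_id, response_type, redirect_uri and scope, while client_secret and grant_type are presented to /oauth/token. The package name, client id, client secret and user name are the thread's; the callback URL http://localhost:9090/callback, Spring Boot 2 and spring-security-oauth2 2.3.x (the version behind @EnableAuthorizationServer) are assumptions.

```java
// Added example (assumed: Spring Boot 2, spring-security-oauth2 2.3.x). Two files in one listing.

// --- file: WebSecurityConfiguration.java ---
package com.example.authservice;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableWebSecurity
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {

    // Delegating encoder: encode() yields "{bcrypt}$2a$...", so neither "{noop}"
    // plain-text passwords nor a hand-written identity PasswordEncoder is needed.
    @Bean
    public PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // /oauth/authorize is deliberately NOT permitted here: it must run
                // with an authenticated user, otherwise no code can be issued.
                .antMatchers("/login").permitAll()
                .anyRequest().authenticated()
            .and()
                // Browser flow: an unauthenticated /oauth/authorize request is sent to
                // /login and then on to the consent page; CSRF protection stays on.
                .formLogin()
            .and()
                // Keeps curl-style testing with -u user:password working, as in answer 1.
                .httpBasic();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
                .passwordEncoder(passwordEncoder())
                .withUser("user")
                .password(passwordEncoder().encode("password"))  // stored as a bcrypt hash
                .roles("USER");
    }
}

// --- file: AuthorizationServerConfiguration.java ---
package com.example.authservice;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;

@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {

    private final PasswordEncoder passwordEncoder;

    public AuthorizationServerConfiguration(PasswordEncoder passwordEncoder) {
        this.passwordEncoder = passwordEncoder;
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) {
        // Same encoder is used to check the client secret presented at /oauth/token.
        security.passwordEncoder(passwordEncoder);
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
                .withClient("auth-client")
                .secret(passwordEncoder.encode("secret-key"))   // hashed, not kept in clear
                .authorizedGrantTypes("authorization_code")
                .scopes("openid")
                // Exact-match redirect allow-list (answer 0's advice): a code is only ever
                // delivered to this URI, so an unregistered redirect_uri is refused.
                .redirectUris("http://localhost:9090/callback");  // assumed callback
    }
}

// Flow against this server (constructed; the actual code value is whatever the server returns):
//  1. Sign in (browser form login, or -u user:password with curl) and open
//     /oauth/authorize?response_type=code&client_id=auth-client&redirect_uri=http://localhost:9090/callback&scope=openid
//     -- no client_secret in this request. After consent the server redirects to the callback with ?code=...
//  2. Exchange it: curl -u auth-client:secret-key -d "grant_type=authorization_code&code=<CODE>&redirect_uri=http://localhost:9090/callback" http://localhost:8080/oauth/token
```

The split between the two requests is the point of the asker's failing curl: the authorize endpoint acts for the signed-in user and never needs the client secret, so putting client_secret in that URL only exposes it in browser history, proxy and server access logs without making the request any more authenticated.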