当我使用正确的客户端凭据(grant_type 为 password)访问接口 http://localhost:8083/oauth/token 来生成令牌时,
它会先对客户端进行 4 次身份验证,然后检查用户;之后又再次验证用户身份,并再次对客户端检查 2 次。
如果我输入了错误的客户端凭据,它只会检查一次。
AuthServerConfig:
/**
 * OAuth2 authorization-server configuration.
 *
 * <p>Client registrations come from {@link MongoClientDetailsService}; tokens are issued by a
 * {@link DefaultTokenServices} built from the injected {@link TokenStore} and the optional
 * {@link JwtAccessTokenConverter}. The injected {@link AuthenticationManager} is handed to the
 * endpoints configurer, which is what lets the token endpoint authenticate resource owners
 * (the question uses the password grant).
 *
 * <p>NOTE(review): the same client details service is registered for client authentication
 * (see {@link #configure(ClientDetailsServiceConfigurer)}) and on the token services (see
 * {@link #tokenServices()}), so a single token request can look the client up more than once.
 * Whether that accounts for every repeated lookup described in the question cannot be told
 * from this class alone.
 */
@Configuration
@EnableAuthorizationServer
public class AuthServerConfig extends AuthorizationServerConfigurerAdapter {

    @Autowired
    private AuthenticationManager authenticationManager;

    @Autowired
    private TokenStore tokenStore;

    // Optional: stays null when no JwtAccessTokenConverter bean exists in the context.
    @Autowired(required = false)
    private JwtAccessTokenConverter accessTokenConverter;

    /**
     * Exposes the Mongo-backed client registry as a bean.
     *
     * @return a new {@link MongoClientDetailsService}
     */
    @Bean
    public MongoClientDetailsService clientDetailsService() {
        return new MongoClientDetailsService();
    }

    /**
     * Registers the Mongo-backed client registry with the authorization server.
     *
     * @param clients configurer receiving the client details service
     * @throws Exception propagated from the configurer
     */
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        MongoClientDetailsService registry = clientDetailsService();
        clients.withClientDetails(registry);
    }

    /**
     * Wires the custom token services and the user authentication manager into the endpoints.
     *
     * @param endpoints configurer for the authorization-server endpoints
     * @throws Exception propagated from the configurer
     */
    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.tokenServices(tokenServices());
        endpoints.authenticationManager(authenticationManager);
    }

    /**
     * Sets the access rules for the token-key and check-token endpoints and enables
     * form-based client authentication.
     *
     * <p>NOTE(review): {@code tokenKeyAccess("permitAll()")} lets unauthenticated callers reach
     * the token-key endpoint; confirm this is intended for the key type in use.
     *
     * <p>NOTE(review): {@code allowFormAuthenticationForClients()} accepts the client id and
     * secret as request parameters in addition to HTTP Basic. Secrets sent as parameters are
     * more likely to end up in access logs and proxies; prefer HTTP Basic for confidential
     * clients unless a client genuinely cannot use it.
     *
     * @param oauthServer security configurer for the authorization-server endpoints
     * @throws Exception propagated from the configurer
     */
    @Override
    public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
        oauthServer
                .tokenKeyAccess("permitAll()")
                .checkTokenAccess("isAuthenticated()")
                .allowFormAuthenticationForClients();
    }

    /**
     * Builds the primary token services: refresh tokens enabled, backed by the injected token
     * store and the Mongo client registry.
     *
     * @return the configured {@link DefaultTokenServices}
     */
    @Primary
    @Bean
    public DefaultTokenServices tokenServices() {
        DefaultTokenServices services = new DefaultTokenServices();
        services.setSupportRefreshToken(true);
        services.setTokenStore(tokenStore);
        services.setClientDetailsService(clientDetailsService());
        // accessTokenConverter may be null here (it is injected with required = false).
        services.setTokenEnhancer(accessTokenConverter);
        return services;
    }
}
AuthServerSecurityConfig:
/**
 * Web security configuration for the authorization server: supplies the Mongo-backed
 * {@link UserDetailsService}, exposes the resulting {@link AuthenticationManager} as a bean,
 * and declares the {@link PasswordEncoder}.
 */
@Configuration
public class AuthServerSecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     * Exposes the Mongo-backed user lookup as a bean.
     *
     * @return a new {@link MongoUserDetailsService}
     */
    @Bean
    @Override
    protected UserDetailsService userDetailsService() {
        return new MongoUserDetailsService();
    }

    /**
     * Registers the Mongo-backed user lookup with the authentication manager builder.
     *
     * @param auth builder for this adapter's authentication manager
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        UserDetailsService users = userDetailsService();
        auth.userDetailsService(users);
    }

    /**
     * Exempts the ant pattern {@code "/oauth/token/"} from CSRF protection.
     *
     * <p>NOTE(review): this override declares no authorization rules at all, only the CSRF
     * exemption. Confirm that every other path served by this filter chain is protected as
     * intended.
     *
     * <p>NOTE(review): the pattern ends with a slash; verify that it matches the token endpoint
     * path actually used ({@code /oauth/token} in the question).
     *
     * @param http HTTP security builder for this adapter
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .csrf()
                .ignoringAntMatchers("/oauth/token/");
    }

    /**
     * Delegates unchanged to the parent implementation.
     *
     * @param web web security builder
     * @throws Exception propagated from the parent
     */
    @Override
    public void configure(WebSecurity web) throws Exception {
        super.configure(web);
    }

    /**
     * Publishes this adapter's {@link AuthenticationManager} as a lazily created bean named
     * {@code authenticationManager}, so that it can be injected elsewhere.
     *
     * @return the authentication manager built by the parent adapter
     * @throws Exception propagated from the parent
     */
    @Override
    @Lazy
    @Bean(name = "authenticationManager")
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    /**
     * Declares the password encoder bean.
     *
     * <p>NOTE(review): {@link NoOpPasswordEncoder} does no hashing. Passwords are compared as
     * plain text, which means the stored credentials must be plain text as well. That is
     * acceptable only for local testing. For anything else, switch to an adaptive hash such as
     * {@code BCryptPasswordEncoder}, or the delegating encoder from
     * {@code PasswordEncoderFactories}, and migrate the stored passwords at the same time.
     * Presumably this encoder also affects how client secrets are checked; verify.
     *
     * @return the no-op (plain-text) encoder instance
     */
    @Bean
    public PasswordEncoder passwordEncoder() {
        return NoOpPasswordEncoder.getInstance();
    }
}