无法启用具有JSON请求正文的Spring授权服务器令牌请求

gjmwrych  于 2022-10-30  发布在  Spring
关注(0)|答案(2)|浏览(217)

我正在使用Spring Authorization Server开发OAuth2授权服务器。我需要支持客户端凭据流,并且我希望客户端在POST请求的JSON请求主体中发送客户端ID和密码。
我的配置非常简单,基本上都是默认设置,带有一个自定义的RegisteredClientRepository

@Configuration
@Import(OAuth2AuthorizationServerConfiguration.class)
public class AuthorizationServerConfig {
    @Bean
    @Primary
    public RegisteredClientRepository registeredClientRepository(UserRepository repository) {
        return repository;
    }
}

UserRepository中的findByClientId方法如下所示:

@Repository
@RequiredArgsConstructor
public class UserRepository implements RegisteredClientRepository {
    private final UserDao UserDao;

    @Override
    public RegisteredClient findByClientId(String clientId) {
        return userDao.findByClientId(clientId)
            .map(this::toRegisteredClient)
            .orElse(null);
    }

    private RegisteredClient toRegisteredClient(User user) {
        return RegisteredClient.withId(String.valueOf(user.getId()))
            .clientName(user.getName())
            .clientId(user.getClientId())
            .clientSecret(user.getClientSecret())
            .clientAuthenticationMethod(CLIENT_SECRET_BASIC)
            .clientAuthenticationMethod(CLIENT_SECRET_POST)
            .authorizationGrantType(CLIENT_CREDENTIALS)
            .scope("TEST")
            .clientSettings(
                ClientSettings.builder().requireAuthorizationConsent(false).build()
            )
            .build();
    }
}

假设客户端id为user,密码为password
使用基本身份验证请求令牌的工作原理:

curl -X POST --header "Authorization: Basic dXNlcjpwYXNzd29yZA==" http://localhost:8080/oauth2/token\?grant_type\=client_credentials

我还可以使用请求URI参数请求令牌:

curl -X POST http://localhost:8080/oauth2/token\?grant_type\=client_credentials\&client_id\=user\&client_secret\=password

但是当我尝试在请求主体中以JSON形式发送凭据时,我收到了一个HTTP 401错误:

curl --header "Content-Type: application/json" -d '{"grant_type": "client_credentials", "client_id": "user", "client_secret": "password"}' http://localhost:8080/oauth2/token

以下是服务器端记录的内容:

DEBUG 2021-10-18 16:04:31,287 [393-exec-4] FilterChainProxy - Securing POST /oauth2/token
DEBUG 2021-10-18 16:04:31,287 [393-exec-4] SecurityContextPersistenceFilter - Set SecurityContextHolder to empty SecurityContext
DEBUG 2021-10-18 16:04:31,287 [393-exec-4] AnonymousAuthenticationFilter - Set SecurityContextHolder to anonymous SecurityContext
DEBUG 2021-10-18 16:04:31,288 [393-exec-4] FilterSecurityInterceptor - Failed to authorize filter invocation [POST /oauth2/token] with attributes [authenticated]
DEBUG 2021-10-18 16:04:31,288 [393-exec-4] HttpSessionSecurityContextRepository - Did not store empty SecurityContext
DEBUG 2021-10-18 16:04:31,288 [393-exec-4] SecurityContextPersistenceFilter - Cleared SecurityContextHolder to complete request

我该怎么做才能让它发挥作用呢?
另外,为什么Spring授权服务器支持将客户端凭据作为请求URI参数发送?OAuth 2.1规范的第2.3节特别指出,不能使用请求URI参数,因为这被认为是不安全的。

nhn9ugyo

nhn9ugyo1#

您可以为客户端身份验证配置提供一个AuthenticationConverter,如下所示:

@Bean
   @Order(1)
   public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
      OAuth2AuthorizationServerConfigurer<HttpSecurity> authorizationServerConfigurer =
            new OAuth2AuthorizationServerConfigurer<>();
      RequestMatcher endpointsMatcher = authorizationServerConfigurer
            .getEndpointsMatcher();
      authorizationServerConfigurer.clientAuthentication((clientAuth) -> 
            clientAuth.authenticationConverter(myCustomAuthenticationConverter()) // provide your auth converter
      );

//    OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http); the code above is copied from here

      http
            .requestMatcher(endpointsMatcher)
            .authorizeRequests(authorizeRequests ->
                  authorizeRequests.anyRequest().authenticated()
            )
            .csrf(csrf -> csrf.ignoringRequestMatchers(endpointsMatcher))
            .apply(authorizationServerConfigurer);

      return http.formLogin(Customizer.withDefaults()).build();
   }
h7appiyu

h7appiyu2#

1 -设置使用POST主体调用的能力

@Bean
  public RegisteredClientRepository registeredClientRepository() {
    RegisteredClient registeredClient = RegisteredClient.withId(UUID.randomUUID().toString())
... (here your configs)
.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_POST)

1.发送带有url编码参数的POST请求并获取令牌作为结果:

相关问题