我正在使用Spring Authorization Server开发OAuth2授权服务器。我需要支持客户端凭据流,并且我希望客户端在POST请求的JSON请求主体中发送客户端ID和密码。
我的配置非常简单,基本上都是默认设置,带有一个自定义的RegisteredClientRepository
:
@Configuration
@Import(OAuth2AuthorizationServerConfiguration.class)
public class AuthorizationServerConfig {
@Bean
@Primary
public RegisteredClientRepository registeredClientRepository(UserRepository repository) {
return repository;
}
}
UserRepository中的findByClientId
方法如下所示:
@Repository
@RequiredArgsConstructor
public class UserRepository implements RegisteredClientRepository {
private final UserDao UserDao;
@Override
public RegisteredClient findByClientId(String clientId) {
return userDao.findByClientId(clientId)
.map(this::toRegisteredClient)
.orElse(null);
}
private RegisteredClient toRegisteredClient(User user) {
return RegisteredClient.withId(String.valueOf(user.getId()))
.clientName(user.getName())
.clientId(user.getClientId())
.clientSecret(user.getClientSecret())
.clientAuthenticationMethod(CLIENT_SECRET_BASIC)
.clientAuthenticationMethod(CLIENT_SECRET_POST)
.authorizationGrantType(CLIENT_CREDENTIALS)
.scope("TEST")
.clientSettings(
ClientSettings.builder().requireAuthorizationConsent(false).build()
)
.build();
}
}
假设客户端id为user
,密码为password
。
使用基本身份验证请求令牌的工作原理:
curl -X POST --header "Authorization: Basic dXNlcjpwYXNzd29yZA==" http://localhost:8080/oauth2/token\?grant_type\=client_credentials
我还可以使用请求URI参数请求令牌:
curl -X POST http://localhost:8080/oauth2/token\?grant_type\=client_credentials\&client_id\=user\&client_secret\=password
但是当我尝试在请求主体中以JSON形式发送凭据时,我收到了一个HTTP 401错误:
curl --header "Content-Type: application/json" -d '{"grant_type": "client_credentials", "client_id": "user", "client_secret": "password"}' http://localhost:8080/oauth2/token
以下是服务器端记录的内容:
DEBUG 2021-10-18 16:04:31,287 [393-exec-4] FilterChainProxy - Securing POST /oauth2/token
DEBUG 2021-10-18 16:04:31,287 [393-exec-4] SecurityContextPersistenceFilter - Set SecurityContextHolder to empty SecurityContext
DEBUG 2021-10-18 16:04:31,287 [393-exec-4] AnonymousAuthenticationFilter - Set SecurityContextHolder to anonymous SecurityContext
DEBUG 2021-10-18 16:04:31,288 [393-exec-4] FilterSecurityInterceptor - Failed to authorize filter invocation [POST /oauth2/token] with attributes [authenticated]
DEBUG 2021-10-18 16:04:31,288 [393-exec-4] HttpSessionSecurityContextRepository - Did not store empty SecurityContext
DEBUG 2021-10-18 16:04:31,288 [393-exec-4] SecurityContextPersistenceFilter - Cleared SecurityContextHolder to complete request
我该怎么做才能让它发挥作用呢?
另外,为什么Spring授权服务器支持将客户端凭据作为请求URI参数发送?OAuth 2.1规范的第2.3节特别指出,不能使用请求URI参数,因为这被认为是不安全的。
2条答案
按热度按时间nhn9ugyo1#
您可以为客户端身份验证配置提供一个
AuthenticationConverter
,如下所示:h7appiyu2#
1 -设置使用POST主体调用的能力
1.发送带有url编码参数的POST请求并获取令牌作为结果: