Spring Security 将来分配的Azure AD B2C承载令牌“nbf”值

eblbsuwk  于 2023-01-09  发布在  Spring
关注(0)|答案(1)|浏览(131)

我正在使用Azure AD B2C设置。
我需要一些公共路径,以及其他需要认证的JWT才能访问的东西。我只是想用一个简单的例子让它们在本地工作。所以还没有作用域。
我正在使用授权代码流。
我的React很有趣--但我不太明白。它表明我的令牌还没有准备好?("nbf"值大约是在40分钟后发出的。)
任何想法,提示或见解将非常感谢!!
是否有办法同步Azure AD B2c上的时钟?

Response:
{
...
WWW-Authenticate: Bearer error="invalid_token", error_description="An error occurred while attempting to decode the Jwt: Jwt used before 2021-08-31T10:51:59Z", error_uri="https://tools.ietf.org/html/rfc6750#section-3.1"
...
}

无记名令牌为nbf提供一个历元@2021年8月31日星期二6:51:59 AM GMT-04:00 DST:

{
  "iss": "https://<aad b2c dir name>.b2clogin.com/tfp/*<uuid: azure ad directory id>*/b2c_1_signin/v2.0/",
  "exp": 1630410719,
  "nbf": 1630407119,
  "aud": "<uuid: Spring App client id>",
  "oid": "00af8715-0d5b-471b-bd2a-bf24c301c4eb",
  "sub": "00af8715-0d5b-471b-bd2a-bf24c301c4eb",
  "name": "...",
  "given_name": "...",
  "family_name": "...",
  "tfp": "B2C_1_signin",
  "scp": "Organizaiton.Read",
  "azp": "<uuid: Spring App client id>",
  "ver": "1.0",
  "iat": 1630407119
}

应用程序日志滞后3分钟:(本地计算机-我已将时间与时间服务器同步)

2021-08-31 06:48:59.786 DEBUG 19258 --- [nio-8080-exec-2] o.a.coyote.http11.Http11InputBuffer      : Before fill(): parsingHeader: [true], parsingRequestLine: [true], parsingRequestLinePhase: [0], parsingRequestLineStart: [0], byteBuffer.position(): [0], byteBuffer.limit(): [0], end: [0]
2021-08-31 06:48:59.789 DEBUG 19258 --- [nio-8080-exec-2] o.a.tomcat.util.net.SocketWrapperBase    : Socket: [org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper@37f715bf:org.apache.tomcat.util.net.SecureNioChannel@72f58d25:java.nio.channels.SocketChannel[connected local=/0:0:0:0:0:0:0:1:8080 remote=/0:0:0:0:0:0:0:1:35298]], Read from buffer: [0]
2021-08-31 06:48:59.790 DEBUG 19258 --- [nio-8080-exec-2] org.apache.tomcat.util.net.NioEndpoint   : Socket: [org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper@37f715bf:org.apache.tomcat.util.net.SecureNioChannel@72f58d25:java.nio.channels.SocketChannel[connected local=/0:0:0:0:0:0:0:1:8080 remote=/0:0:0:0:0:0:0:1:35298]], Read direct from socket: [1510]
2021-08-31 06:48:59.790 DEBUG 19258 --- [nio-8080-exec-2] o.a.coyote.http11.Http11InputBuffer      : Received [GET /org/85aaa62b-5cbd-486d-b0a2-51e63a9772d7/study/getMembersByStudyId?studyId=03ad2704-728b-40b2-a24e-787c655b7b46 HTTP/1.1
SdkVersion: postman-graph/v2.0
Authorization: Bearer <...>
User-Agent: PostmanRuntime/7.28.3
Accept: */*
Cache-Control: no-cache
Postman-Token: 692e411b-91d7-48a4-a1c4-7b79ac58e5f3
Host: localhost:8080
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: JSESSIONID=D238CDCAF4E81EEE3C26F5F55B8B930A

]
2021-08-31 06:48:59.798 DEBUG 19258 --- [nio-8080-exec-2] o.a.t.util.http.Rfc6265CookieProcessor   : Cookies: Parsing b[]: JSESSIONID=D238CDCAF4E81EEE3C26F5F55B8B930A
2021-08-31 06:48:59.800 DEBUG 19258 --- [nio-8080-exec-2] o.a.catalina.connector.CoyoteAdapter     :  Requested cookie session id is D238CDCAF4E81EEE3C26F5F55B8B930A
2021-08-31 06:48:59.803 DEBUG 19258 --- [nio-8080-exec-2] o.a.c.authenticator.AuthenticatorBase    : Security checking request GET /org/85aaa62b-5cbd-486d-b0a2-51e63a9772d7/study/getMembersByStudyId
2021-08-31 06:48:59.804 DEBUG 19258 --- [nio-8080-exec-2] org.apache.catalina.realm.RealmBase      :   No applicable constraints defined
2021-08-31 06:48:59.819 DEBUG 19258 --- [nio-8080-exec-2] o.a.c.a.jaspic.AuthConfigFactoryImpl     : Loading persistent provider registrations from [/tmp/tomcat.8080.14472900442435584992/conf/jaspic-providers.xml]
2021-08-31 06:48:59.819 DEBUG 19258 --- [nio-8080-exec-2] o.a.c.authenticator.AuthenticatorBase    : Not subject to any constraint
2021-08-31 06:48:59.822  INFO 19258 --- [nio-8080-exec-2] o.a.c.c.C.[Tomcat].[localhost].[/]       : Initializing Spring DispatcherServlet 'dispatcherServlet'
2021-08-31 06:48:59.823  INFO 19258 --- [nio-8080-exec-2] o.s.web.servlet.DispatcherServlet        : Initializing Servlet 'dispatcherServlet'
2021-08-31 06:48:59.823 TRACE 19258 --- [nio-8080-exec-2] o.s.web.servlet.DispatcherServlet        : Detected org.springframework.web.multipart.support.StandardServletMultipartResolver@40a9f818
2021-08-31 06:48:59.825 TRACE 19258 --- [nio-8080-exec-2] o.s.web.servlet.DispatcherServlet        : Detected org.springframework.web.servlet.i18n.AcceptHeaderLocaleResolver@2d0d23ac
2021-08-31 06:48:59.826 TRACE 19258 --- [nio-8080-exec-2] o.s.web.servlet.DispatcherServlet        : Detected org.springframework.web.servlet.theme.FixedThemeResolver@2c06ef36
2021-08-31 06:48:59.827 TRACE 19258 --- [nio-8080-exec-2] o.s.web.servlet.DispatcherServlet        : Detected DefaultRequestToViewNameTranslator
2021-08-31 06:48:59.828 TRACE 19258 --- [nio-8080-exec-2] o.s.web.servlet.DispatcherServlet        : Detected SessionFlashMapManager
2021-08-31 06:48:59.828 DEBUG 19258 --- [nio-8080-exec-2] o.s.web.servlet.DispatcherServlet        : enableLoggingRequestDetails='false': request parameters and headers will be masked to prevent unsafe logging of potentially sensitive data
2021-08-31 06:48:59.828  INFO 19258 --- [nio-8080-exec-2] o.s.web.servlet.DispatcherServlet        : Completed initialization in 5 ms
2021-08-31 06:48:59.833 DEBUG 19258 --- [nio-8080-exec-2] o.apache.catalina.core.StandardWrapper   :   Returning non-STM instance
2021-08-31 06:48:59.869 TRACE 19258 --- [nio-8080-exec-2] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped to com.sciteline.controllers.StudyController#getMembersByStudyId(UUID, UUID)
2021-08-31 06:48:59.871 DEBUG 19258 --- [nio-8080-exec-2] org.apache.tomcat.util.http.Parameters   : Set encoding to UTF-8
2021-08-31 06:48:59.872 DEBUG 19258 --- [nio-8080-exec-2] org.apache.tomcat.util.http.Parameters   : Decoding query null UTF-8
2021-08-31 06:48:59.872 DEBUG 19258 --- [nio-8080-exec-2] org.apache.tomcat.util.http.Parameters   : Start processing with input [studyId=03ad2704-728b-40b2-a24e-787c655b7b46]
2021-08-31 06:48:59.930 DEBUG 19258 --- [nio-8080-exec-2] o.s.web.client.RestTemplate              : HTTP GET https://scitelineapps.b2clogin.com/scitelineapps.onmicrosoft.com/b2c_1_signin/discovery/v2.0/keys
2021-08-31 06:48:59.934 DEBUG 19258 --- [nio-8080-exec-2] o.s.web.client.RestTemplate              : Accept=[text/plain, application/json, application/*+json, */*]
2021-08-31 06:49:00.660 DEBUG 19258 --- [nio-8080-exec-2] o.s.web.client.RestTemplate              : Response 200 OK
2021-08-31 06:49:00.663 DEBUG 19258 --- [nio-8080-exec-2] o.s.web.client.RestTemplate              : Reading to [java.lang.String] as "application/json;charset=utf-8"
2021-08-31 06:49:00.701 DEBUG 19258 --- [nio-8080-exec-2] o.a.coyote.http11.Http11InputBuffer      : Before fill(): parsingHeader: [true], parsingRequestLine: [true], parsingRequestLinePhase: [0], parsingRequestLineStart: [0], byteBuffer.position(): [0], byteBuffer.limit(): [0], end: [1510]
2021-08-31 06:49:00.702 DEBUG 19258 --- [nio-8080-exec-2] o.a.tomcat.util.net.SocketWrapperBase    : Socket: [org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper@37f715bf:org.apache.tomcat.util.net.SecureNioChannel@72f58d25:java.nio.channels.SocketChannel[connected local=/0:0:0:0:0:0:0:1:8080 remote=/0:0:0:0:0:0:0:1:35298]], Read from buffer: [0]
2021-08-31 06:49:00.702 DEBUG 19258 --- [nio-8080-exec-2] org.apache.tomcat.util.net.NioEndpoint   : Socket: [org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper@37f715bf:org.apache.tomcat.util.net.SecureNioChannel@72f58d25:java.nio.channels.SocketChannel[connected local=/0:0:0:0:0:0:0:1:8080 remote=/0:0:0:0:0:0:0:1:35298]], Read direct from socket: [0]
2021-08-31 06:49:00.702 DEBUG 19258 --- [nio-8080-exec-2] o.a.coyote.http11.Http11InputBuffer      : Received []

这只是我的配置,以防你看到什么奇怪的东西,或有建议:
以下是Web安全配置:
一个三个三个一个
application.properties:

...
azure.activedirectory.client-id=<client_id>
azure.activedirectory.app-id-uri=api://<client_id>
spring.security.oauth2.resourceserver.jwt.jwk-set-uri:https://<az ad b2c directory>.b2clogin.com/<azure ad b2c tenant>/b2c_1_signin/discovery/v2.0/keys
spring.security.filter.order=101
server.max-http-header-size=20KB
...
r7s23pms

r7s23pms1#

对于Posterity,根本原因与配置无关,而是本地运行的应用程序服务器的时间落后。
WSL中的应用程序服务器和WSL OS时间运行在系统时钟和AD服务器之后。
WSL问题已在WSL的更高版本中得到修补。
如果您尚未更新WSL,可以手动重置时钟:第一个月
Similar issue with WSL Clock

相关问题