Spring Boot userinfo端点的insufficient_scope响应和jwt标记中缺少范围

dgsult0t  于 2023-02-16  发布在  Spring
关注(0)|答案(1)|浏览(340)

在我将Spring授权服务器从0.3.1迁移到1.0.0之后,我发现userInfo端点返回403insufficient_scope,在验证两个版本之间的登录过程后,我发现端点POST oauth2/token没有返回作用域,jwt标记也不包含作用域,但在尝试登录时已经提到了URL中的作用域参数。
我正在使用以下配置:

registeredClient = RegisteredClient.withId(new ObjectId().toString())
                .clientId(oauthClient)
                .clientSecret(passwordEncoder().encode(oauthClientSecret))
                .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_POST)
                .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
                .clientAuthenticationMethod(ClientAuthenticationMethod.NONE)
                .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                .authorizationGrantType(AuthorizationGrantType.REFRESH_TOKEN)
                .redirectUris(uris -> uris.addAll(redirectUris))
                .scope(OidcScopes.OPENID)
                .scope(OidcScopes.PROFILE)
                .tokenSettings(TokenSettings
                        .builder()
                        .accessTokenTimeToLive(Duration.ofHours(8))
                        .build())
                .clientSettings(ClientSettings
                        .builder()
                        .requireProofKey(true)
                        .requireAuthorizationConsent(false)
                        .build())
                .build();

这是Http配置:

SecurityFilterChain securityFilterChain = http
            .authorizeHttpRequests(authorizeRequests -> authorizeRequests
                    .requestMatchers(WELL_KNOWN_OPENID_CONFIGURATION).permitAll()
                    .requestMatchers("/logout-success").permitAll()
                    .requestMatchers("/api/health/status").permitAll()
                    .requestMatchers("/assets/**", "/webjars/**", "/login").permitAll()
                    .anyRequest().authenticated())
            .formLogin(form -> form
                    .loginPage("/login")
                    .failureUrl("/login-error")
                    .usernameParameter("username")
                    .passwordParameter("password")
                    .permitAll())
            .logout()
            .logoutSuccessUrl("/logout-success")
            .deleteCookies("JSESSIONID")
            .invalidateHttpSession(true)
            .and()
            .build();

我正在使用这些URL来测试登录流程:

http://localhost:9000/oauth2/authorize?scope=openid&response_type=code&client_id=<client_id>&code_challenge=<code_challenge>&code_challenge_method=S256&redirect_uri=https://frontlocal:4600

http://localhost:9000/oauth2/token?grant_type=authorization_code&scope=openid&code=<code>&code_verifier=<code_verifer>&client_id=<client_id>&redirect_uri=https://frontlocal:4600
    • 更新**
2023-01-26T20:30:11.030+01:00 TRACE 150437 --- [io-9000-exec-10] o.s.security.web.FilterChainProxy        : Invoking OAuth2TokenEndpointFilter (20/23)
2023-01-26T20:30:11.031+01:00 TRACE 150437 --- [io-9000-exec-10] o.s.security.web.FilterChainProxy        : Invoking OAuth2TokenIntrospectionEndpointFilter (21/23)
2023-01-26T20:30:11.031+01:00 TRACE 150437 --- [io-9000-exec-10] o.s.security.web.FilterChainProxy        : Invoking OAuth2TokenRevocationEndpointFilter (22/23)
2023-01-26T20:30:11.031+01:00 TRACE 150437 --- [io-9000-exec-10] o.s.security.web.FilterChainProxy        : Invoking OidcUserInfoEndpointFilter (23/23)
2023-01-26T20:30:11.031+01:00 TRACE 150437 --- [io-9000-exec-10] o.s.s.authentication.ProviderManager     : Authenticating request with OidcUserInfoAuthenticationProvider (1/13)
2023-01-26T20:30:13.819+01:00 TRACE 150437 --- [io-9000-exec-10] a.o.a.OidcUserInfoAuthenticationProvider : Retrieved authorization with access token
2023-01-26T20:30:13.821+01:00 DEBUG 150437 --- [io-9000-exec-10] .s.a.DefaultAuthenticationEventPublisher : No event was found for the exception org.springframework.security.oauth2.core.OAuth2AuthenticationException
2023-01-26T20:30:13.822+01:00 TRACE 150437 --- [io-9000-exec-10] s.s.o.s.a.o.w.OidcUserInfoEndpointFilter : User info request failed: [insufficient_scope] 

org.springframework.security.oauth2.core.OAuth2AuthenticationException: null
    at org.springframework.security.oauth2.server.authorization.oidc.authentication.OidcUserInfoAuthenticationProvider.authenticate(OidcUserInfoAuthenticationProvider.java:99) ~[spring-security-oauth2-authorization-server-1.0.0.jar:1.0.0]
    at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:182) ~[spring-security-core-6.0.1.jar:6.0.1]
    at org.springframework.security.authentication.ObservationAuthenticationManager.lambda$authenticate$1(ObservationAuthenticationManager.java:53) ~[spring-security-core-6.0.1.jar:6.0.1]
    at io.micrometer.observation.Observation.observe(Observation.java:559) ~[micrometer-observation-1.10.2.jar:1.10.2]
    at org.springframework.security.authentication.ObservationAuthenticationManager.authenticate(ObservationAuthenticationManager.java:52) ~[spring-security-core-6.0.1.jar:6.0.1]
    at org.springframework.security.oauth2.server.authorization.oidc.web.OidcUserInfoEndpointFilter.doFilterInternal(OidcUserInfoEndpointFilter.java:116) ~[spring-security-oauth2-authorization-server-1.0.0.jar:1.0.0]
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.0.3.jar:6.0.3]
    at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:186) ~[spring-security-web-6.0.1.jar:6.0.1]
    at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:173) ~[spring-security-web-6.0.1.jar:6.0.1]
    at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:134) ~[spring-security-web-6.0.1.jar:6.0.1]
    at org.springframework.security.oauth2.server.authorization.web.OAuth2TokenRevocationEndpointFilter.doFilterInternal(OAuth2TokenRevocationEndpointFilter.java:103) ~[spring-security-oauth2-authorization-server-1.0.0.jar:1.0.0]
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.0.3.jar:6.0.3]
    at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:186) ~[spring-security-web-6.0.1.jar:6.0.1]
    at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:173) ~[spring-security-web-6.0.1.jar:6.0.1]
    at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:134) ~[spring-security-web-6.0.1.jar:6.0.1]
    at org.springframework.security.oauth2.server.authorization.web.OAuth2TokenIntrospectionEndpointFilter.doFilterInternal(OAuth2TokenIntrospectionEndpointFilter.java:106) ~[spring-security-oauth2-authorization-server-1.0.0.jar:1.0.0]
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.0.3.jar:6.0.3]
    at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:186) ~[spring-security-web-6.0.1.jar:6.0.1]
    at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:173) ~[spring-security-web-6.0.1.jar:6.0.1]
    at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:134) ~[spring-security-web-6.0.1.jar:6.0.1]
    at org.springframework.security.oauth2.server.authorization.web.OAuth2TokenEndpointFilter.doFilterInternal(OAuth2TokenEndpointFilter.java:147) ~[spring-security-oauth2-authorization-server-1.0.0.jar:1.0.0]
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.0.3.jar:6.0.3]
    ...
    ...

2023-01-26T20:30:13.827+01:00 TRACE 150437 --- [io-9000-exec-10] o.s.s.w.header.writers.HstsHeaderWriter  : Not injecting HSTS header since it did not match request to [Is Secure]
1wnzp6jl

1wnzp6jl1#

spring-authorization-server/samples/messages-client/src/main/resources/application.yml中添加openid作用域

messaging-client-authorization-code:
            provider: spring
            client-id: messaging-client
            client-secret: secret
            authorization-grant-type: authorization_code
            redirect-uri: "http://127.0.0.1:8080/authorized"
            scope: openid, message.read,message.write
            client-name: messaging-client-authorization-code

下面是示例http请求/响应:

GET http://127.0.0.1:9000/userinfo
Authorization: Bearer <your token>

###

{
  "sub": "user1"
}

适用于spring-authorization-server的1.0.0版本

相关问题