Spring Authorization Server returns 404 for the token endpoint after authenticating the user

aiqt4smr  posted on 2023-03-16  in  Spring

I am creating an authorization server with the password grant. The configuration is as follows:

@Configuration
@EnableWebSecurity
public class AuthorisationServerConfig {

    private final RSAProperties rsaProperties;
    AuthorisationServerConfig(final RSAProperties rsaProperties){
        this.rsaProperties=rsaProperties;
    }

    @Bean
    public RegisteredClientRepository registeredClientRepository() {
        RegisteredClient registeredClient = RegisteredClient.withId(UUID.randomUUID().toString())
                .clientId("client")
                .clientSecret("{noop}secret")
                .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
                .authorizationGrantType(AuthorizationGrantType.PASSWORD)
                .scope("read")
                .build();
        return new InMemoryRegisteredClientRepository(registeredClient);
    }

    @Bean
    public SecurityFilterChain defaultSecurityFilterChain(HttpSecurity httpSecurity) throws Exception {
        //@formatter:off
        httpSecurity
                .authorizeHttpRequests(ar->ar.anyRequest().authenticated())
                .csrf().disable()
                .httpBasic();
        //@formatter:on
        return httpSecurity.build();
    }


    private static KeyPair generateRsaKey() throws NoSuchAlgorithmException {
        KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
        keyPairGenerator.initialize(2048);
        return keyPairGenerator.generateKeyPair();
    }

    @Bean
    public AuthorizationServerSettings providerSettings() {
        return AuthorizationServerSettings.builder()
                .issuer("http://localhost:9090")
                .build();
    }
    @Bean
    public JWKSource<SecurityContext> jwkSource() {
        RSAKey rsaKey = new RSAKey.Builder(rsaProperties.publicKey()).privateKey(rsaProperties.privateKey()).build();
        JWKSet jwkSet = new JWKSet(rsaKey);
        return (jwkSelector, securityContext) -> jwkSelector.select(jwkSet);
    }

    @Bean
    public JwtDecoder jwtDecoder(JWKSource<SecurityContext> jwkSource) {
        return OAuth2AuthorizationServerConfiguration.jwtDecoder(jwkSource);
    }

    @Bean
    public UserDetailsService users() {
        UserDetails user = User.withDefaultPasswordEncoder()
                .username("admin")
                .password("password")
                .roles("USER")
                .build();
        return new InMemoryUserDetailsManager(user);
    }
}

I have enabled debug logging and can see the user being authenticated, but I get a 404 from the token endpoint.

oauth/token?grant_type=password&username=admin&password=password&scope=read

Here are the logs:

o.s.security.web.FilterChainProxy        : Securing POST /oauth/token?grant_type=password&username=admin&password=password&scope=read
o.s.s.a.dao.DaoAuthenticationProvider    : Authenticated user
o.s.s.w.a.www.BasicAuthenticationFilter  : Set SecurityContextHolder to UsernamePasswordAuthenticationToken [Principal=org.springframework.security.core.userdetails.User [Username=admin, Password=[PROTECTED], Enabled=true, AccountNonExpired=true, credentialsNonExpired=true, AccountNonLocked=true, Granted Authorities=[ROLE_USER]]
o.s.security.web.FilterChainProxy        : Secured POST /oauth/token?grant_type=password&username=admin&password=password&scope=read
o.s.security.web.FilterChainProxy        : Securing POST /error?grant_type=password&username=admin&password=password&scope=read
o.s.security.web.FilterChainProxy        : Secured POST /error?grant_type=password&username=admin&password=password&scope=read

Here are the dependency details:

plugins {
    java
    id("org.springframework.boot") version "3.0.1"
    id("io.spring.dependency-management") version "1.1.0"
}

dependencies {
    implementation("org.springframework.boot:spring-boot-starter")
    implementation("org.springframework.security:spring-security-oauth2-authorization-server:1.0.0")
    // https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-autoconfigure-processor
    implementation("org.springframework.boot:spring-boot-autoconfigure-processor")
    testImplementation("org.springframework.boot:spring-boot-starter-test")
}
nmpmafwu 1#

There seem to be a few issues here.

1. You are using the wrong endpoint. /oauth2/token is the default URI.
2. The password grant type is not supported, as it was removed from version 2.1 of the spec.
3. Related to this, client authentication for the /oauth2/token endpoint is configured via the RegisteredClientRepository (via clientId() and clientSecret()), not via the UserDetailsService. The UserDetailsService is used to configure Spring Security authentication for the end user, which is only used for the authorization_code grant. Therefore, admin:password are not valid credentials for client authentication, only for user authentication.
