I am creating an authorization server with the password grant. The configuration is as follows:

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.util.UUID;

import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.proc.SecurityContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.server.authorization.client.InMemoryRegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.config.annotation.web.configuration.OAuth2AuthorizationServerConfiguration;
import org.springframework.security.oauth2.server.authorization.settings.AuthorizationServerSettings;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class AuthorisationServerConfig {

    // RSAProperties is the application's own type holding the RSA key pair (not shown here)
    private final RSAProperties rsaProperties;

    AuthorisationServerConfig(final RSAProperties rsaProperties) {
        this.rsaProperties = rsaProperties;
    }

    // Single in-memory client, authenticating with HTTP Basic and requesting the password grant
    @Bean
    public RegisteredClientRepository registeredClientRepository() {
        RegisteredClient registeredClient = RegisteredClient.withId(UUID.randomUUID().toString())
                .clientId("client")
                .clientSecret("{noop}secret")
                .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
                .authorizationGrantType(AuthorizationGrantType.PASSWORD)
                .scope("read")
                .build();
        return new InMemoryRegisteredClientRepository(registeredClient);
    }

    // Application security: every request must be authenticated via HTTP Basic
    @Bean
    public SecurityFilterChain defaultSecurityFilterChain(HttpSecurity httpSecurity) throws Exception {
        //@formatter:off
        httpSecurity
                .authorizeHttpRequests(ar -> ar.anyRequest().authenticated())
                .csrf().disable()
                .httpBasic();
        //@formatter:on
        return httpSecurity.build();
    }

    // Generates a fresh 2048-bit RSA key pair (currently unused; the key comes from RSAProperties)
    private static KeyPair generateRsaKey() throws NoSuchAlgorithmException {
        KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
        keyPairGenerator.initialize(2048);
        return keyPairGenerator.generateKeyPair();
    }

    @Bean
    public AuthorizationServerSettings providerSettings() {
        return AuthorizationServerSettings.builder()
                .issuer("http://localhost:9090")
                .build();
    }

    // JWK set used to sign issued tokens, built from the configured RSA key pair
    @Bean
    public JWKSource<SecurityContext> jwkSource() {
        RSAKey rsaKey = new RSAKey.Builder(rsaProperties.publicKey()).privateKey(rsaProperties.privateKey()).build();
        JWKSet jwkSet = new JWKSet(rsaKey);
        return (jwkSelector, securityContext) -> jwkSelector.select(jwkSet);
    }

    @Bean
    public JwtDecoder jwtDecoder(JWKSource<SecurityContext> jwkSource) {
        return OAuth2AuthorizationServerConfiguration.jwtDecoder(jwkSource);
    }

    // Single in-memory end user
    @Bean
    public UserDetailsService users() {
        UserDetails user = User.withDefaultPasswordEncoder()
                .username("admin")
                .password("password")
                .roles("USER")
                .build();
        return new InMemoryUserDetailsManager(user);
    }
}
```
I have enabled debug logging and can see the user being authenticated, but I get a 404 from the token endpoint:

```
oauth/token?grant_type=password&username=admin&password=password&scope=read
```

Here are the logs:

```
o.s.security.web.FilterChainProxy : Securing POST /oauth/token?grant_type=password&username=admin&password=password&scope=read
o.s.s.a.dao.DaoAuthenticationProvider : Authenticated user
o.s.s.w.a.www.BasicAuthenticationFilter : Set SecurityContextHolder to UsernamePasswordAuthenticationToken [Principal=org.springframework.security.core.userdetails.User [Username=admin, Password=[PROTECTED], Enabled=true, AccountNonExpired=true, credentialsNonExpired=true, AccountNonLocked=true, Granted Authorities=[ROLE_USER]]
o.s.security.web.FilterChainProxy : Secured POST /oauth/token?grant_type=password&username=admin&password=password&scope=read
o.s.security.web.FilterChainProxy : Securing POST /error?grant_type=password&username=admin&password=password&scope=read
o.s.security.web.FilterChainProxy : Secured POST /error?grant_type=password&username=admin&password=password&scope=read
```
Here are the dependency details:

```kotlin
plugins {
    java
    id("org.springframework.boot") version "3.0.1"
    id("io.spring.dependency-management") version "1.1.0"
}

dependencies {
    implementation("org.springframework.boot:spring-boot-starter")
    implementation("org.springframework.security:spring-security-oauth2-authorization-server:1.0.0")
    // https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-autoconfigure-processor
    implementation("org.springframework.boot:spring-boot-autoconfigure-processor")
    testImplementation("org.springframework.boot:spring-boot-starter-test")
}
```
1 Answer
There seem to be a few issues here.

1. You are using the wrong endpoint. `/oauth2/token` is the default URI.
2. The `password` grant type is not supported, because it was removed in version 2.1 of the specification.
3. Related to this, client authentication for the `/oauth2/token` endpoint is configured through the `RegisteredClientRepository` (via `clientId()` and `clientSecret()`), not through the `UserDetailsService`. The `UserDetailsService` configures Spring Security authentication for the end user, which is only used with the `authorization_code` grant. Therefore `admin:password` are not valid credentials for client authentication; they are only for user authentication.