Redirect to /error instead of /oauth2/authorize with the new spring-security-oauth2-authorization-server

c9qzyr3d posted on 2023-03-23 in Spring

I am using a React client and the new spring-security-oauth2-authorization-server. I configured the public client as suggested in the video. On my local machine everything works after entering login and password: the auth server redirects me to /oauth2/authorize and then back to the React application (with the code). But in the test environment (in my case Kubernetes with two containers) the auth server redirects to /error?client_id=public-client&redirect_uri=.... I enabled TRACE on all applications, but the logs do not tell me where the problem is. Here is part of the log.

20220513 14:26:58 DEBUG o.s.s.a.d.DaoAuthenticationProvider:199 - Authenticated user
20220513 14:26:58 TRACE o.s.b.f.s.DefaultListableBeanFactory:264 - Returning cached instance of singleton bean 'delegatingApplicationListener'
20220513 14:26:58 TRACE o.s.s.w.a.s.CompositeSessionAuthenticationStrategy:79 - Preparing session with ChangeSessionIdAuthenticationStrategy (1/2)
20220513 14:26:58 DEBUG o.s.s.w.a.s.ChangeSessionIdAuthenticationStrategy:99 - Changed session id from F2238B1D17F13C607CC13DD00AD262DF
20220513 14:26:58 TRACE o.s.b.f.s.DefaultListableBeanFactory:264 - Returning cached instance of singleton bean 'delegatingApplicationListener'
20220513 14:26:58 TRACE o.s.s.w.a.s.CompositeSessionAuthenticationStrategy:79 - Preparing session with CsrfAuthenticationStrategy (2/2)
20220513 14:26:58 DEBUG o.s.s.w.c.CsrfAuthenticationStrategy:63 - Replaced CSRF Token
20220513 14:26:58 DEBUG o.s.s.w.a.UsernamePasswordAuthenticationFilter:318 - Set SecurityContextHolder to UsernamePasswordAuthenticationToken [Principal=org.springframework.security.core.userdetails.User [Username=Surkov, Password=[PROTECTED], Enabled=true, AccountNonExpired=true, credentialsNonExpired=true, AccountNonLocked=true, Granted Authorities=[message_v, user_c]], Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=192.168.11.254, SessionId=F2238B1D17F13C607CC13DD00AD262DF], Granted Authorities=[message_v, user_c]]
20220513 14:26:58 TRACE o.s.b.f.s.DefaultListableBeanFactory:264 - Returning cached instance of singleton bean 'delegatingApplicationListener'
20220513 14:26:58 DEBUG o.s.s.web.DefaultRedirectStrategy:57 - Redirecting to https://192.168.25.55/auth/error?client_id=public-client&redirect_uri=https%3A%2F%2F192.168.25.55&response_type=code&scope=openid&state=0df5af37f09c46a7ae2f7cedca3991b4&code_challenge=LDBXhJi-uyu8rWgbneAqN19RQf7f5LJSwgJU3SCnrqg&code_challenge_method=S256&response_mode=query
20220513 14:26:58 DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository:361 - Stored SecurityContextImpl [Authentication=UsernamePasswordAuthenticationToken [Principal=org.springframework.security.core.userdetails.User [Username=Surkov, Password=[PROTECTED], Enabled=true, AccountNonExpired=true, credentialsNonExpired=true, AccountNonLocked=true, Granted Authorities=[message_v, user_c]], Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=192.168.11.254, SessionId=F2238B1D17F13C607CC13DD00AD262DF], Granted Authorities=[message_v, user_c]]] to HttpSession [org.apache.catalina.session.StandardSessionFacade@27cd0b2e]

Here we can see Set SecurityContextHolder to UsernamePasswordAuthenticationToken with Authenticated=true, but then it redirects to /error without any additional error information.
By the way, I use SameSite=None cookies and https in the test environment.
JSESSIONID=4E559F0CCBE6258B590DD4809ECB3D3F; Path=/auth; HttpOnly; SameSite=None; Secure

```java
import java.time.Duration;
import java.util.Arrays;
import java.util.HashSet;
import java.util.UUID;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.security.oauth2.core.oidc.OidcScopes;
import org.springframework.security.oauth2.server.authorization.client.JdbcRegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.settings.ClientSettings;
import org.springframework.security.oauth2.server.authorization.settings.TokenSettings;

@Configuration
public class RegisteredClientConfig {

    private static final Logger log = LoggerFactory.getLogger(RegisteredClientConfig.class);

    // Injected from application properties; the property names are assumed, the post only uses the fields.
    @Value("${client.redirect-url1}") private String clientRedirectUrl1;
    @Value("${client.redirect-url2}") private String clientRedirectUrl2;
    @Value("${client.redirect-url3}") private String clientRedirectUrl3;
    @Value("${issuer}") private String issuer;

    @Bean
    public RegisteredClientRepository registeredClientRepository(JdbcTemplate jdbcTemplate) {
        log.warn("clientRedirectUrl1 " + clientRedirectUrl1);
        log.warn("issuer " + issuer);

        // Not used below; kept as posted.
        HashSet<String> redirects = new HashSet<>(Arrays.asList(clientRedirectUrl1, clientRedirectUrl2, clientRedirectUrl3));

        // Public (PKCE) client: no client credentials, proof key required, consent screen disabled.
        // Each registered redirect URI must match the redirect_uri of the authorize request exactly.
        RegisteredClient publicClient = RegisteredClient.withId(UUID.randomUUID().toString())
                .clientId("public-client")
                .clientAuthenticationMethod(ClientAuthenticationMethod.NONE)
                .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                .redirectUri(clientRedirectUrl1)
                .redirectUri(clientRedirectUrl2)
                .redirectUri(clientRedirectUrl3)
                .postLogoutRedirectUri(clientRedirectUrl1)
                .scope(OidcScopes.OPENID)
                .scope("message.read")
                .scope("message.write")
                .tokenSettings(TokenSettings.builder().accessTokenTimeToLive(Duration.ofHours(8)).build())
                .clientSettings(ClientSettings.builder().requireAuthorizationConsent(false).requireProofKey(true).build())
                .build();

        // Wipes every stored authorization, consent and client on each start; acceptable only for a throwaway test setup.
        jdbcTemplate.update("delete from oauth2_authorization;");
        jdbcTemplate.update("delete from oauth2_authorization_consent;");
        jdbcTemplate.update("delete from oauth2_registered_client;");

        // Save registered client in db as if in-memory
        JdbcRegisteredClientRepository registeredClientRepository = new JdbcRegisteredClientRepository(jdbcTemplate);
        registeredClientRepository.save(confidentialClient); // confidentialClient is built elsewhere in the poster's configuration (not shown)
        registeredClientRepository.save(publicClient);

        return registeredClientRepository;
    }
}
```
bis0qfac 1#

I finally got this working; it was a k8s Ingress configuration problem. It redirects the requests through a context, and from the outside world it looked like port 80. By the way, to get all of this working on docker compose I had to run the auth server on https and add the trusted certificate to all the resource servers. Anyway, I will post my RegisteredClientRepository there.
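An added diagnostic for this class of problem (my own example, not the poster's or Spring's code): it pulls the authorize parameters out of the "Redirecting to ..." log line from the question and checks the redirect_uri against the registered URIs with an exact-match rule (assumption: my approximation of the authorization server's validator; the loopback-port exception of RFC 8252 is left out), reporting which component differs. A proxy or ingress that rewrites scheme, host or port, or a trailing slash missing on one side, shows up here as a mismatch rather than as an unexplained /error redirect.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed from the "Redirecting to ..." line in the question's log (query shortened).
LOG_LINE = ("20220513 14:26:58 DEBUG o.s.s.web.DefaultRedirectStrategy:57 - Redirecting to "
            "https://192.168.25.55/auth/error?client_id=public-client"
            "&redirect_uri=https%3A%2F%2F192.168.25.55&response_type=code&scope=openid")

def authorize_params(log_line):
    """Return (path, query dict) of the redirect target. When /oauth2/authorize fails,
    the saved request replayed after login is /error with the authorize query attached."""
    url = log_line.split("Redirecting to ", 1)[1].strip()
    parts = urlsplit(url)
    return parts.path, {k: v[0] for k, v in parse_qs(parts.query).items()}

def _components(uri):
    p = urlsplit(uri)
    return {"scheme": p.scheme, "host": p.hostname, "port": p.port,
            "path": p.path, "query": p.query, "fragment": p.fragment}

def redirect_uri_mismatch(requested, registered):
    """Exact-match rule (assumption: approximates the server's validator; the loopback
    port exception of RFC 8252 is left out). Returns None on a match, otherwise the
    components that differ from the closest registered URI, e.g. {'path': ('', '/')}."""
    req = _components(requested)
    if req["fragment"]:                      # a fragment is never allowed
        return {"fragment": (req["fragment"], "")}
    best = None
    for reg_uri in registered:
        diff = {k: (req[k], v) for k, v in _components(reg_uri).items() if req[k] != v}
        if not diff:
            return None
        if best is None or len(diff) < len(best):
            best = diff
    return best

def diagnose(log_line, registered):
    """Findings for one log line: did authorize end on /error, and is redirect_uri registered?"""
    path, params = authorize_params(log_line)
    findings = []
    if path.endswith("/error"):
        findings.append("authorize request failed before login (saved request is /error)")
    diff = redirect_uri_mismatch(params.get("redirect_uri", ""), registered)
    if diff:
        findings.append("redirect_uri differs from registered: " + repr(diff))
    return findings
```

Run it with the redirect URIs actually registered on the test environment (the values behind clientRedirectUrl1..3) to see whether the value the browser sends still matches after the ingress has rewritten the request.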
