Spring Boot 由于缺少client_secret,Sping Boot 与Google的OAuth2身份验证失败

siotufzp  于 2023-04-20  发布在  Spring
关注(0)|答案(1)|浏览(130)

我试图在Sping Boot Angular应用程序中使用Google实现OAuth2身份验证,但我收到一个“invalid_request”错误,并显示消息“client_secret is missing”。我在application.yml文件中配置了client_id和client_secret,如下所示:

spring:
  security:
    oauth2:
      client:
        registration:
          google:
            clientId: <my-client-id>
            clientSecret: <my-client-secret>

然而,似乎在OAuth2授权请求中没有正确传递client_secret。我已经为Spring RestTemplate启用了调试日志记录,日志显示请求中缺少client_secret:

HTTP POST https://www.googleapis.com/oauth2/v4/token
Writing [{grant_type=[authorization_code], code=[4/0EWygzh84wyVNXT4HcB_OaRr465vKH-a8mnQW5AuqCFA9uRVkbkvEMmq3RpV-qVxl1h1xgg], redirect_uri=[http://localhost:8014/demo/login/oauth2/code/google], client_id=[<my-client-id>]}] as "application/x-www-form-urlencoded;charset=UTF-8"

我不知道是什么原因导致这个问题。任何帮助将不胜感激。谢谢!
at org.springframework.security.oauth2.client.oidc.authentication.OidcAuthorizationCodeAuthenticationProvider.authenticate(OidcAuthorizationCodeAuthenticationProvider.java:144):
有这样一条线:

OAuth2AccessTokenResponse accessTokenResponse = getResponse(authorizationCodeAuthentication);

并且在authorizationCodeAuthentication中我有clientRegistration,它有客户端密钥!!!:

ClientRegistration{registrationId='google', clientId='<my-client-id>', clientSecret='<my-client-secret>', clientAuthenticationMethod=org.springframework.security.oauth2.core.ClientAuthenticationMethod@4fcef9d3, authorizationGrantType=org.springframework.security.oauth2.core.AuthorizationGrantType@5da5e9f3, redirectUri='{baseUrl}/{action}/oauth2/code/{registrationId}', scopes=[openid, profile, email], providerDetails=org.springframework.security.oauth2.client.registration.ClientRegistration$ProviderDetails@4ec90377, clientName='Google'}
soat7uwm

soat7uwm1#

遇到同样的问题,请确保您正在使用:
应用程序中的clientAuthenticationMethod: client_secret_post。yml
post在Spring Security 5.5中被弃用,转而支持client_secret_post
供参考:https://github.com/spring-projects/spring-security/issues/9220

相关问题