为什么Spring Security无法使用hasAuthority正确阅读我的Auth0 OAuth权限?

f8rj6qna  于 2023-10-15  发布在  Spring
关注(0)|答案(2)|浏览(163)

我有以下…

@Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.oauth2Login(AbstractHttpConfigurer::disable)
                .oauth2ResourceServer(AbstractHttpConfigurer::disable)
                .sessionManagement((session) -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                .authorizeHttpRequests((authz) -> authz
                        .requestMatchers(
                                new AntPathRequestMatcher("/actuator/**")
                        ).hasAuthority("SCOPE_read:actuators")
                        .anyRequest().authenticated()
                );
        return http.build();
    }
    @Bean
    JwtDecoder jwtDecoder(OAuth2ResourceServerProperties properties, @Value("${auth0.audience}") String audience) {
        /*
         * By default, Spring Security does not validate the "aud" claim of the token,
         * to ensure that this token is
         * indeed intended for our app. Adding our own validator is easy to do:
         */

        String issuerUri = properties.getJwt().getIssuerUri();
        NimbusJwtDecoder jwtDecoder = JwtDecoders.fromOidcIssuerLocation(issuerUri);

        OAuth2TokenValidator<Jwt> audienceValidator = AudienceValidator.of(audience);
        OAuth2TokenValidator<Jwt> withIssuer = JwtValidators.createDefaultWithIssuer(issuerUri);
        OAuth2TokenValidator<Jwt> withAudience = new DelegatingOAuth2TokenValidator<>(withIssuer, audienceValidator);

        jwtDecoder.setJwtValidator(withAudience);

        return jwtDecoder;
    }

下面的配置…

auth0:
  audience: ...
spring:
  security:
    oauth2:
      resourceserver:
        jwt:
          issuer-uri: ...

我正在尝试使用curl http://localhost:8080/actuator-v -H“Authorization:Bearer...”和curl http://localhost:8080/actuator-v -H“授权:OAuth.”
我已经确认了访问令牌

{
  "iss": "...",
  "sub": "...",
  "aud": [
    "...",
    "..."
  ],
  "iat": ...,
  "exp": ...,
  "azp": "...",
  "scope": "openid profile email",
  "permissions": [
    "read:actuators"
  ]
}

aud和iss匹配,但当我去网站我得到一个403。如果我把它都做了,那么它就工作得很好。
我错过了什么?
我也试着补充了一下,但同样的问题...

.oauth2ResourceServer((oauth2) -> oauth2
                        .jwt((jwt) ->jwt.decoder(jwtDecoder()))
                )
olmpazwi

olmpazwi1#

缺少的Bean(仅用于Auth0)是

@Bean
    public JwtAuthenticationConverter jwtAuthenticationConverter() {
        JwtGrantedAuthoritiesConverter grantedAuthoritiesConverter = new JwtGrantedAuthoritiesConverter();
        grantedAuthoritiesConverter.setAuthoritiesClaimName("permissions");

        JwtAuthenticationConverter jwtAuthenticationConverter = new JwtAuthenticationConverter();
        jwtAuthenticationConverter.setJwtGrantedAuthoritiesConverter(grantedAuthoritiesConverter);
        return jwtAuthenticationConverter;
    }

如果您的提供程序使用其他内容,则可以将权限提取到应用程序属性中,但对于auth0,它将始终是权限。
更多信息可以在Spring Security官方网站上找到。

whlutmcx

whlutmcx2#

您必须启用资源服务器配置,以便在构建安全上下文时使用访问令牌。
您还需要一个Converter<Jwt, ? extends AbstractAuthenticationToken>来将私有声明的内容转换为Spring权限。JwtAuthenticationConverter是这个接口的默认实现,并且在某种程度上是可配置的(如果你只想在根节点下直接使用一个声明,就可以工作,这似乎是你现在的情况)。只需要暴露一个具有重写配置的bean来读取permissions声明。
您可以在my tutorials中找到示例,所有示例都与Auth0(以及Keycloak和Amazon Cognito)一起使用。

相关问题