假设Oauth2客户端令牌异常

问题描述 投票:0回答:1

我试图假装客户工作我的Oauth2 SSO

我已经定义了一个bean拦截器,如下所示

@Bean
        @LoadBalanced
        RequestInterceptor oauthFeignClient(OAuth2ClientContext oauth2ClientContext, OAuth2ProtectedResourceDetails details) {
            return new OAuth2FeignRequestInterceptor(oauth2ClientContext, details);
        }

但是我面临这个例外:

feign.FeignException:状态401读取AppClientFeign#getApps(); content:{“error”:“invalid_token”,“error_description”:“9d8eb02c-7005-487e-b28f-19417e5fea51”}

我不知道为什么我会这样

这是我的Auth服务器

 @Configuration
        static class MvcConfig extends WebMvcConfigurerAdapter {

            @Override
            public void addViewControllers(ViewControllerRegistry registry) {
                registry.addViewController("login").setViewName("login");
            registry.addViewController("/oauth/confirm_access").setViewName("authorize");
            registry.addViewController("/").setViewName("index");
            }
        }

        @Configuration
        static class LoginConfig extends WebSecurityConfigurerAdapter {


            @Bean
            public PasswordEncoder passwordEncoder() {
                return new BCryptPasswordEncoder();
            }
            @Override
            protected void configure(HttpSecurity http) throws Exception {
                http
                    .formLogin().loginPage("/login").permitAll()
                        .and().logout().clearAuthentication(true).invalidateHttpSession(true).logoutUrl("/exit").logoutSuccessUrl("http://localhost:9999/client").permitAll()
                    .and()
                        .authorizeRequests()
                        .antMatchers("/","/exit","/graphics/**", "/login", "/oauth/authorize", "/oauth/confirm_access").permitAll()
                    .and()
                        .authorizeRequests()
                        .anyRequest().authenticated()
                        .and().httpBasic().disable().csrf().disable();
            }

            @Autowired
            MDSUserDetailService mdsUserServiceDetail;
            @Override
            protected void configure(AuthenticationManagerBuilder auth) throws Exception {
               auth.userDetailsService(mdsUserServiceDetail).passwordEncoder(passwordEncoder());
            }


        }

和我的yaml配置

security:
    oauth2:
      client:
        client-id: xxx
        client-secret: xxx
        scope: read, write
        auto-approve-scopes: .*
      authorization:
        check-token-access: permitAll()

这是我的客户

@SpringBootApplication
@EnableOAuth2Sso
@EnableEurekaClient
@EnableDiscoveryClient
@EnableFeignClients
@EnableWebSecurity
public class ClientApplication extends WebSecurityConfigurerAdapter{


    public static void main(String[] args) {
        SpringApplication.run(ClientApplication.class, args);
    }


        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                    .logout()
                    .logoutSuccessUrl("http://localhost:9999/uaa/exit");
            http.authorizeRequests().antMatchers("graphics/**").permitAll().
                    and().authorizeRequests().anyRequest().authenticated();
        }


        @Bean
        @LoadBalanced
        RequestInterceptor oauthFeignClient(OAuth2ClientContext oauth2ClientContext, OAuth2ProtectedResourceDetails details) {
            return new OAuth2FeignRequestInterceptor(oauth2ClientContext, details);
        }

    @Bean
    @LoadBalanced
    OAuth2RestTemplate oauth2RestTemplate(OAuth2ClientContext oauth2ClientContext, OAuth2ProtectedResourceDetails details) {
        return new OAuth2RestTemplate(details, oauth2ClientContext);
    }

    @Profile("!cloud")
    @Bean
    RequestDumperFilter requestDumperFilter() {
        return new RequestDumperFilter();
    }

}

Feign客户端界面

@FeignClient("USERS-MANAGER")
public interface UserClientFeign {
      @GetMapping("/users/info")
      public User getUserDetails(@RequestParam("username") String username);
}

我客户的配置

security:
  basic:
    enabled: false
  oauth2:
    client:
      client-id: xxx
      client-secret: xxx
      access-token-uri: ${auth-server}/oauth/token
      user-authorization-uri: ${auth-server}/oauth/authorize
      scope: read, write
    resource:
      token-info-uri: ${auth-server}/oauth/check_token

最后我的资源

@SpringBootApplication
@EnableResourceServer
@EnableEurekaClient
@RestController
public class ResourceApplication extends ResourceServerConfigurerAdapter {



    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and().authorizeRequests()
                .antMatchers(HttpMethod.GET, "/users/**").access("#oauth2.hasScope('read')")
                .antMatchers(HttpMethod.POST, "/users/**").access("#oauth2.hasScope('write')");
    }

    public static void main(String[] args) {
        SpringApplication.run(ResourceApplication.class, args);
    }

    @Profile("!cloud")
    @Bean
    RequestDumperFilter requestDumperFilter() {
        return new RequestDumperFilter();
    }
}

配置世界

spring.application.name: USERS-MANAGER

server:
  port: 0

ribbon:
    eureka:
        enabled: true

eureka.client.service-url.defaultZone: http://localhost:8761/eureka/

security:
  oauth2:
    resource:
      token-info-uri:  http://localhost:9999/uaa/oauth/check_token
    client:
      client-id:  xxx
      client-secret:  xxx

浏览器中的例外

Thu Sep 13 14:19:52 BST 2018出现意外错误(type = Internal Server Error,status = 500)。状态401读取AppClientFeign#getApps(); content:{“error”:“invalid_token”,“error_description”:“9d8eb02c-7005-487e-b28f-19417e5fea51”}

java spring spring-security-oauth2 spring-cloud-feign
1个回答
1
投票

在没有任何详细描述的情况下找出为什么令牌无效是很棘手的。它可能是令牌过期太快(由于您的令牌TTL设置),或令牌的授权类型或令牌的范围与资源服务器所需的不同。

您可能希望在OAuth2AuthenticationProcessingFilter#doFilter()中的几个点添加断点,并查看从oauth2提供程序获得的值,并将其与客户端使用的令牌值进行比较。特别是看看authenticationManager.authenticate(authentication);周围的电话

最新问题
© www.soinside.com 2019 - 2024. All rights reserved.