我试图假装客户工作我的Oauth2 SSO
我已经定义了一个bean拦截器,如下所示
@Bean
@LoadBalanced
RequestInterceptor oauthFeignClient(OAuth2ClientContext oauth2ClientContext, OAuth2ProtectedResourceDetails details) {
return new OAuth2FeignRequestInterceptor(oauth2ClientContext, details);
}
但是我面临这个例外:
feign.FeignException:状态401读取AppClientFeign#getApps(); content:{“error”:“invalid_token”,“error_description”:“9d8eb02c-7005-487e-b28f-19417e5fea51”}
我不知道为什么我会这样
这是我的Auth服务器
@Configuration
static class MvcConfig extends WebMvcConfigurerAdapter {
@Override
public void addViewControllers(ViewControllerRegistry registry) {
registry.addViewController("login").setViewName("login");
registry.addViewController("/oauth/confirm_access").setViewName("authorize");
registry.addViewController("/").setViewName("index");
}
}
@Configuration
static class LoginConfig extends WebSecurityConfigurerAdapter {
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.formLogin().loginPage("/login").permitAll()
.and().logout().clearAuthentication(true).invalidateHttpSession(true).logoutUrl("/exit").logoutSuccessUrl("http://localhost:9999/client").permitAll()
.and()
.authorizeRequests()
.antMatchers("/","/exit","/graphics/**", "/login", "/oauth/authorize", "/oauth/confirm_access").permitAll()
.and()
.authorizeRequests()
.anyRequest().authenticated()
.and().httpBasic().disable().csrf().disable();
}
@Autowired
MDSUserDetailService mdsUserServiceDetail;
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(mdsUserServiceDetail).passwordEncoder(passwordEncoder());
}
}
和我的yaml配置
security:
oauth2:
client:
client-id: xxx
client-secret: xxx
scope: read, write
auto-approve-scopes: .*
authorization:
check-token-access: permitAll()
这是我的客户
@SpringBootApplication
@EnableOAuth2Sso
@EnableEurekaClient
@EnableDiscoveryClient
@EnableFeignClients
@EnableWebSecurity
public class ClientApplication extends WebSecurityConfigurerAdapter{
public static void main(String[] args) {
SpringApplication.run(ClientApplication.class, args);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.logout()
.logoutSuccessUrl("http://localhost:9999/uaa/exit");
http.authorizeRequests().antMatchers("graphics/**").permitAll().
and().authorizeRequests().anyRequest().authenticated();
}
@Bean
@LoadBalanced
RequestInterceptor oauthFeignClient(OAuth2ClientContext oauth2ClientContext, OAuth2ProtectedResourceDetails details) {
return new OAuth2FeignRequestInterceptor(oauth2ClientContext, details);
}
@Bean
@LoadBalanced
OAuth2RestTemplate oauth2RestTemplate(OAuth2ClientContext oauth2ClientContext, OAuth2ProtectedResourceDetails details) {
return new OAuth2RestTemplate(details, oauth2ClientContext);
}
@Profile("!cloud")
@Bean
RequestDumperFilter requestDumperFilter() {
return new RequestDumperFilter();
}
}
Feign客户端界面
@FeignClient("USERS-MANAGER")
public interface UserClientFeign {
@GetMapping("/users/info")
public User getUserDetails(@RequestParam("username") String username);
}
我客户的配置
security:
basic:
enabled: false
oauth2:
client:
client-id: xxx
client-secret: xxx
access-token-uri: ${auth-server}/oauth/token
user-authorization-uri: ${auth-server}/oauth/authorize
scope: read, write
resource:
token-info-uri: ${auth-server}/oauth/check_token
最后我的资源
@SpringBootApplication
@EnableResourceServer
@EnableEurekaClient
@RestController
public class ResourceApplication extends ResourceServerConfigurerAdapter {
@Override
public void configure(HttpSecurity http) throws Exception {
http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and().authorizeRequests()
.antMatchers(HttpMethod.GET, "/users/**").access("#oauth2.hasScope('read')")
.antMatchers(HttpMethod.POST, "/users/**").access("#oauth2.hasScope('write')");
}
public static void main(String[] args) {
SpringApplication.run(ResourceApplication.class, args);
}
@Profile("!cloud")
@Bean
RequestDumperFilter requestDumperFilter() {
return new RequestDumperFilter();
}
}
配置世界
spring.application.name: USERS-MANAGER
server:
port: 0
ribbon:
eureka:
enabled: true
eureka.client.service-url.defaultZone: http://localhost:8761/eureka/
security:
oauth2:
resource:
token-info-uri: http://localhost:9999/uaa/oauth/check_token
client:
client-id: xxx
client-secret: xxx
浏览器中的例外
Thu Sep 13 14:19:52 BST 2018出现意外错误(type = Internal Server Error,status = 500)。状态401读取AppClientFeign#getApps(); content:{“error”:“invalid_token”,“error_description”:“9d8eb02c-7005-487e-b28f-19417e5fea51”}
在没有任何详细描述的情况下找出为什么令牌无效是很棘手的。它可能是令牌过期太快(由于您的令牌TTL设置),或令牌的授权类型或令牌的范围与资源服务器所需的不同。
您可能希望在OAuth2AuthenticationProcessingFilter#doFilter()
中的几个点添加断点,并查看从oauth2提供程序获得的值,并将其与客户端使用的令牌值进行比较。特别是看看authenticationManager.authenticate(authentication);
周围的电话