問題描述
我正在嘗試為 spring 項目配置 OAuth2.我正在使用共享 UAA(來自云代工廠的 oauth 實現)實例我的工作場所提供(所以我沒有嘗試創建授權服務器,并且授權服務器與資源服務器分開).前端是一個單頁應用程序,它使用隱式授權直接從授權服務器獲取令牌.我有 SPA 設置,它在每個對微服務的 Web API 調用上添加 Authorization: Bearer <TOKEN> 標頭.
I'm trying to configure OAuth2 for a spring project. I'm using a shared UAA (oauth implementation from cloud foundry) instance my work place provides (so I'm not trying to create an authorization server and the authorization server is separate from the resource server). The frontend is a single-page-application and it gets token directly from the authorization server using the implicit grant. I have the SPA setup where it adds the Authorization: Bearer <TOKEN> header on each web API call to microservices.
我現在的問題是微服務.
My issue is now with the microservices.
我正在嘗試使用此共享授權服務器來驗證微服務.這里我可能有一個誤解,買我目前的理解是這些微服務扮演資源服務器的角色,因為它們托管 SPA 用來獲取數據的端點.
I'm trying to use this shared authorization server to authenticate the microservices. I might have a misunderstanding here, buy my current understanding is that these microservices play the role of the resource server because they host the endpoints the SPA uses to get data.
所以我嘗試像這樣配置一個微服務:
So I tried to configure a microservice like so:
@Configuration
@EnableResourceServer
public class OAuth2ResourceServerConfig extends ResourceServerConfigurerAdapter {
@Override
public void configure(HttpSecurity http) throws Exception {
http.csrf().disable()
.authorizeRequests()
.antMatchers("/api/**").authenticated();
}
@Bean
public TokenStore tokenStore() {
return new JwtTokenStore(accessTokenConverter());
}
@Bean
public JwtAccessTokenConverter accessTokenConverter() {
JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
converter.setVerifierKey("-----BEGIN PUBLIC KEY-----<key omitted>-----END PUBLIC KEY-----");
return converter;
}
@Bean
@Primary
public DefaultTokenServices tokenServices() {
DefaultTokenServices defaultTokenServices = new DefaultTokenServices();
defaultTokenServices.setTokenStore(tokenStore());
return defaultTokenServices;
}
@Override
public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
resources.tokenServices(tokenServices());
}
}
現在,每當我使用 Authorization: Bearer <TOKEN> 訪問 /api/** 時,我都會得到一個 403錯誤:
Now whenever I hit a /api/** with the Authorization: Bearer <TOKEN>, I get a 403 with this error:
{
"error": "access_denied",
"error_description": "Invalid token does not contain resource id (oauth2-resource)"
}
<小時>
所以這是我的問題:
- 如何配置這些微服務以驗證令牌并插入
Principal在控制器方法中? 我目前已經在 SPA 擁有并發送令牌的地方設置了它,并且我還有用于驗證令牌的簽名.我還使用 jwt.io 來測試令牌并顯示簽名已驗證". - 什么是資源 ID?為什么我需要它,為什么它會導致上述錯誤?那只是春天的事嗎??
- How do I configure these microservices to validate the token and insert a
Principalin controller methods? I currently have it setup where the SPA has and sends the token and I also have the public key used to verify the signature of the token. I have also used jwt.io to test the token and it says "Signature Verified". - What is a resource id? Why do I need it and why does it cause the error above? Is that a Spring only thing??
So here are my questions:
謝謝!
推薦答案
Spring OAuth 需要aud" 聲明.該聲明的值應與您指定 Spring 應用程序的 resourceId 值匹配(如果未指定,則默認為oauth2-resource").
Spring OAuth expects "aud" claim in JWT token. That claim's value should match to the resourceId value you specify your Spring app (if not specified it defaults to "oauth2-resource").
要解決您的問題,您需要:
To fix your issue you need to:
1) 登錄您的共享 UAA 并確保其中包含aud"聲明.
1) Log into your shared UAA and make sure it does include "aud" claim.
2) 將該aud"聲明的值更改為oauth2-resource",或者最好在您的 Spring 應用程序中將 resourceId 更改為該聲明的值,如下所示:
2) Change the value of that "aud" claim to be "oauth2-resource" or preferably in your Spring app update resourceId to that claim's value like this:
@Override
public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
resources.tokenServices(tokenServices());
resources.resourceId(value from the aud claim you got from UAA server);
}
這篇關于為什么我的令牌被拒絕?什么是資源 ID?“無效令牌不包含資源 id (oauth2-resource)"的文章就介紹到這了,希望我們推薦的答案對大家有所幫助,也希望大家多多支持html5模板網!