使用 Spring Security 5 OAuth2 的授权类型 urn:ietf:params:oauth:grant-type:jwt-bearer 向 http://127.0.0.1:8081/postArticles 发送 POST 时返回 Unauthorized


最近,我想尝试一下 Spring Security 5 OAuth2 的授权类型“urn:ietf:params:oauth:grant-type:jwt-bearer”,但是遇到了一些错误,我不知道为什么。有谁能帮帮我吗?非常感谢!

我有 3 个项目:spring-security-oauth2-authorization_server(8080)、spring-security-oauth2-resource_server(8081)、spring-security-oauth2-client(8082)。我的代码片段如下所示。

1.spring-security-oauth2-client
ArticlesController.java:

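@GetMapping(value = "/postArticles")
    /**
     * Posts a new article to the resource server on behalf of the registration
     * {@code articles-client-jwt-bearer} and returns the resource server's response body.
     * <p>
     * {@code authorizedClient} is injected by the argument resolver for that registration; its access token is
     * attached to the outbound call through {@code oauth2AuthorizedClient(...)} and the OAuth2 exchange filter
     * configured on {@code webClient}. {@code request} and {@code response} are not used.
     * <p>
     * By default {@code retrieve()} raises a {@code WebClientResponseException} for 4xx/5xx replies, so a 401
     * from the resource server (no valid bearer token reached it) surfaces as an exception here.
     *
     * @param authorizedClient authorized client resolved for {@code articles-client-jwt-bearer}
     * @param request unused
     * @param response unused
     * @return body returned by the resource server
     */
    public String postArticles(
            @RegisteredOAuth2AuthorizedClient("articles-client-jwt-bearer") OAuth2AuthorizedClient authorizedClient,
            HttpServletRequest request,
            HttpServletResponse response) {
        // ISO-8601 UTC timestamp instead of java.util.Date's locale/zone-dependent toString()
        String article = "new articles" + java.time.Instant.now();
        return webClient
                .post()
                .uri("http://127.0.0.1:8081/postArticles")
                .attributes(oauth2AuthorizedClient(authorizedClient))
                .bodyValue(article)
                .retrieve()
                .bodyToMono(String.class)
                .block();   // blocks the servlet thread; acceptable for a demo controller
    }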

WebClientConfig.java:

@Bean(name = "wc")
    /**
     * Builds the {@code WebClient} used by the controllers.
     * <p>
     * The OAuth2 exchange filter looks up the {@code OAuth2AuthorizedClient} placed in the request attributes
     * (see {@code oauth2AuthorizedClient(...)}) and sends its access token as a Bearer credential on every call.
     *
     * @param authorizedClientManager manager that obtains and refreshes authorized clients for the filter
     * @return a WebClient pre-configured with the OAuth2 filter
     */
    WebClient webClient(OAuth2AuthorizedClientManager authorizedClientManager) {
        ServletOAuth2AuthorizedClientExchangeFilterFunction oauth2Filter =
                new ServletOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager);
        WebClient.Builder builder = WebClient.builder();
        builder.apply(oauth2Filter.oauth2Configuration());
        return builder.build();
    }
    /**
     * Manager that the OAuth2 exchange filter uses to obtain access tokens.
     * <p>
     * Supports the authorization-code, refresh-token and client-credentials grants plus the jwt-bearer grant.
     * NOTE(review): the JwtBearer provider presumably resolves the JWT assertion from the current principal,
     * which then has to carry a {@code Jwt}; this client application does not authenticate users with a JWT
     * anywhere in the shown configuration, so confirm how the principal is established before expecting the
     * jwt-bearer grant to yield an authorized client.
     *
     * @param clientRegistrationRepository registrations from application-oauth2.properties
     * @param authorizedClientRepository where obtained authorized clients are stored
     * @return the configured manager
     */
    @Bean
    OAuth2AuthorizedClientManager authorizedClientManager(ClientRegistrationRepository clientRegistrationRepository,
            OAuth2AuthorizedClientRepository authorizedClientRepository) {
        DefaultOAuth2AuthorizedClientManager manager =
                new DefaultOAuth2AuthorizedClientManager(clientRegistrationRepository, authorizedClientRepository);

        OAuth2AuthorizedClientProvider grantProviders = OAuth2AuthorizedClientProviderBuilder.builder()
                .authorizationCode()
                .refreshToken()
                .clientCredentials()
                .provider(new JwtBearerOAuth2AuthorizedClientProvider())   // urn:ietf:params:oauth:grant-type:jwt-bearer
                .build();
        manager.setAuthorizedClientProvider(grantProviders);

        return manager;
    }

SecurityConfig.java(client):

@Bean
    /**
     * Security chain of the client application.
     * <p>
     * NOTE(review): no {@code authorizeRequests(r -> r.anyRequest().authenticated())} rule is applied (it was
     * left commented out), so this chain enforces no authorization at all — {@code /postArticles} and every
     * other endpoint of the client app are reachable without a login. Re-enable it before this leaves local
     * development. The frame-options and CSRF exceptions exist only for the embedded H2 console.
     *
     * @param http builder to configure
     * @return the built chain
     * @throws Exception propagated from {@code HttpSecurity.build()}
     */
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .headers(headers -> headers.frameOptions().sameOrigin())      // H2 console renders in a frame
            .csrf(csrf -> csrf.ignoringAntMatchers("/h2-console/**"))    // H2 console posts without a CSRF token
            .oauth2Client(withDefaults());
        return http.build();
    }

application-oauth2.properties:

# Registration referenced by @RegisteredOAuth2AuthorizedClient("articles-client-jwt-bearer") in ArticlesController.
spring.security.oauth2.client.registration.articles-client-jwt-bearer.provider: spring
spring.security.oauth2.client.registration.articles-client-jwt-bearer.client-id: articles-client
# Demo value; must equal the {noop}secret registered on the authorization server. Keep real secrets out of source control.
spring.security.oauth2.client.registration.articles-client-jwt-bearer.client-secret: secret
# RFC 7523 jwt-bearer grant: an existing JWT assertion is exchanged for an access token at the token endpoint.
spring.security.oauth2.client.registration.articles-client-jwt-bearer.authorization-grant-type: urn:ietf:params:oauth:grant-type:jwt-bearer
spring.security.oauth2.client.registration.articles-client-jwt-bearer.scope: articles.read,articles.write
spring.security.oauth2.client.registration.articles-client-jwt-bearer.client-name: articles-client-jwt-bearer

# Must match the issuer in the authorization server's ProviderSettings exactly (scheme, host, port).
# Plain http is for local development only. 'auth-server' presumably resolves through a hosts entry — confirm.
spring.security.oauth2.client.provider.spring.issuer-uri: http://auth-server:8080

2.spring-security-oauth2-authorization_server

AuthorizationServerConfig.java:

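@Configuration(proxyBeanMethods = false)
public class AuthorizationServerConfig {

    /**
     * Security filter chain for the protocol endpoints (authorize, token, JWK set, ...).
     * <p>
     * Ordered first so it takes precedence over any application chain. A browser that reaches the
     * authorization endpoint unauthenticated is redirected to {@code /login}; the server additionally
     * accepts its own JWTs as bearer tokens.
     *
     * @param http builder to which {@code applyDefaultSecurity} adds the protocol endpoint configuration
     * @return the built chain
     * @throws Exception propagated from {@code HttpSecurity.build()}
     */
    @Bean
    @Order(Ordered.HIGHEST_PRECEDENCE)
    public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
        OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http);
        http
                // Redirect to the login page when not authenticated from the authorization endpoint
                .exceptionHandling(exceptions -> exceptions
                        .authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/login")))
                // Accept this server's own JWTs as bearer tokens
                .oauth2ResourceServer(resourceServer -> resourceServer.jwt());
        return http.build();
    }

    /**
     * Registered clients, held in memory: a single client {@code articles-client} allowed to use the
     * authorization-code, refresh-token, client-credentials and jwt-bearer grants.
     * <p>
     * Demo settings to revisit before this leaves local development: the secret is stored with
     * {@code {noop}} (plaintext), the consent screen is skipped, and access tokens live for two days even
     * though an issued JWT cannot be revoked.
     *
     * @param jdbcOperations unused; retained so the bean signature matches a JDBC-backed variant
     * @return an in-memory repository holding the single client
     */
    @Bean
    public RegisteredClientRepository registeredClientRepository(JdbcOperations jdbcOperations) {
        RegisteredClient registeredClient = RegisteredClient.withId(UUID.randomUUID().toString())
                .clientId("articles-client")
                // {noop}: plaintext secret, demo only; use a PasswordEncoder-hashed secret otherwise
                .clientSecret("{noop}secret")
                .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
                .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                .authorizationGrantType(AuthorizationGrantType.REFRESH_TOKEN)
                .authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
                // RFC 7523 jwt-bearer grant. Registering it here does not make the token endpoint support it:
                // at the time of writing Spring Authorization Server does not implement this grant (tracked
                // in its issue #546), so jwt-bearer token requests are rejected.
                .authorizationGrantType(AuthorizationGrantType.JWT_BEARER)
                // NOTE(review): both redirect URIs point at port 8080 (this server) while the client application
                // runs on 8082 — presumably left over from another sample; confirm before using the code grant.
                .redirectUri("http://127.0.0.1:8080/login/oauth2/code/articles-client-oidc")
                .redirectUri("http://127.0.0.1:8080/authorized")
                .scope(OidcScopes.OPENID)
                .scope(OidcScopes.PROFILE)
                .scope("articles.read")
                .scope("articles.write")
                // Long-lived tokens; shorten the access-token TTL for anything beyond a demo
                .tokenSettings(TokenSettings.builder()
                        .accessTokenTimeToLive(Duration.ofDays(2))
                        .refreshTokenTimeToLive(Duration.ofDays(3))
                        .build())
                // No consent screen — reasonable for a first-party client only
                .clientSettings(ClientSettings.builder()
                        .requireAuthorizationConsent(false)
                        .build())
                .build();

        return new InMemoryRegisteredClientRepository(registeredClient);
    }

    /**
     * Store for issued authorizations. In memory: everything is lost on restart.
     *
     * @param jdbcOperations unused; retained for signature compatibility with a JDBC-backed store
     * @param registeredClientRepository unused; same reason
     * @return a fresh in-memory authorization service
     */
    @Bean
    public OAuth2AuthorizationService authorizationService(JdbcOperations jdbcOperations,
            RegisteredClientRepository registeredClientRepository) {
        return new InMemoryOAuth2AuthorizationService();
    }

    /**
     * Store for consent decisions. In memory: decisions do not survive a restart.
     *
     * @param jdbcOperations unused; retained for signature compatibility with a JDBC-backed store
     * @param registeredClientRepository unused; same reason
     * @return a fresh in-memory consent service
     */
    @Bean
    public OAuth2AuthorizationConsentService authorizationConsentService(JdbcOperations jdbcOperations,
            RegisteredClientRepository registeredClientRepository) {
        return new InMemoryOAuth2AuthorizationConsentService();
    }

    /**
     * JWK source used to sign access tokens (the default endpoints also publish its public part as the
     * JWK set).
     * <p>
     * The key pair is generated on every start ({@link #generateRsaKey()}), so tokens issued before a
     * restart no longer validate against the newly published key.
     *
     * @return an immutable JWK set holding one RSA key with a random key id
     */
    @Bean
    public JWKSource<SecurityContext> jwkSource() {
        KeyPair keyPair = generateRsaKey();
        RSAPublicKey publicKey = (RSAPublicKey) keyPair.getPublic();
        RSAPrivateKey privateKey = (RSAPrivateKey) keyPair.getPrivate();
        RSAKey rsaKey = new RSAKey.Builder(publicKey)
                .privateKey(privateKey)
                .keyID(UUID.randomUUID().toString())   // kid lets verifiers select the right key after rotation
                .build();
        return new ImmutableJWKSet<>(new JWKSet(rsaKey));
    }

    /**
     * Generates a fresh 2048-bit RSA key pair.
     *
     * @return the generated pair
     * @throws IllegalStateException if the JCA provider offers no RSA key-pair generator
     */
    private static KeyPair generateRsaKey() {
        try {
            KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
            keyPairGenerator.initialize(2048);
            return keyPairGenerator.generateKeyPair();
        } catch (java.security.NoSuchAlgorithmException ex) {
            // the only checked exception here; anything else is a programming error and propagates as-is
            throw new IllegalStateException(ex);
        }
    }

    /**
     * Provider settings: the issuer written into the {@code iss} claim of every token.
     * Clients and resource servers must configure this exact value as their {@code issuer-uri};
     * plain http is acceptable for local development only.
     *
     * @return settings with issuer {@code http://auth-server:8080}
     */
    @Bean
    public ProviderSettings providerSettings() {
        return ProviderSettings.builder().issuer("http://auth-server:8080").build();
    }

    /**
     * Decoder validating JWTs against {@link #jwkSource()}; backs the bearer-token support of
     * {@link #authorizationServerSecurityFilterChain(HttpSecurity)}.
     *
     * @param jwkSource the signing keys
     * @return the decoder
     */
    @Bean
    public JwtDecoder jwtDecoder(JWKSource<SecurityContext> jwkSource) {
        return OAuth2AuthorizationServerConfiguration.jwtDecoder(jwkSource);
    }

}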

3.spring-security-oauth2-resource_server

ResourceServerConfig.java

@Bean
    /**
     * Security chain of the resource server.
     * <p>
     * {@code POST /postArticles} requires the {@code SCOPE_articles.write} authority, which the default JWT
     * authorities converter derives from the token's scope claim; everything else needs any valid token.
     * CSRF protection is disabled because the API is authenticated by bearer tokens only, not by cookies.
     * A 401 from this chain means no JWT that validates against the configured issuer reached it.
     *
     * @param http builder to configure
     * @return the built chain
     * @throws Exception propagated from {@code HttpSecurity.build()}
     */
    @Order(2)
    public SecurityFilterChain resourceServerFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(requests -> requests
                .mvcMatchers(HttpMethod.POST, "/postArticles").hasAuthority("SCOPE_articles.write")
                .anyRequest().authenticated())
            .csrf(csrf -> csrf.disable())
            .oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt);
        return http.build();
    }

ResourceController.java

@PostMapping("/postArticles")
    @ResponseStatus(HttpStatus.CREATED)
    /**
     * Accepts a new article and echoes it back with status 201.
     * <p>
     * NOTE(review): the request body is untrusted client input returned verbatim. If a caller negotiates
     * {@code text/html} for the response, the reflected text would be delivered as markup; pin the response
     * to a non-HTML type (e.g. {@code produces = "text/plain"}) if this grows beyond a demo.
     *
     * @param newArticle raw request body
     * @return the same body
     */
    public String postArticles(@RequestBody String newArticle) {
        return newArticle;
    }

application-oauth2.properties:

# The resource server uses this issuer's metadata to locate the signing keys and checks each token's iss claim
# against it, so it must equal the ProviderSettings issuer exactly. Plain http is for local development only.
spring.security.oauth2.resourceserver.jwt.issuer-uri: http://auth-server:8080


JWT Bearer 授权类型(jwt-bearer grant)尚未在 Spring Authorization Server 中实现,所以 token 端点不会接受该授权类型的请求。请参见 issue #546 以及功能列表。
