Spring Boot OIDC callback "Bad authentication response, error=access_denied"

hfsqlsce, posted on 2023-03-23 in Spring
Follow (0) | Answers (1) | Views (205)

We have a spring-boot application using pac4j that integrates with Orcid using CAS credentials. We have a multi-profile configuration with two OidcClients: CAS and a basic OidcClient for ORCID. Question: is there a way to configure the OIDC callback similar to the OAuth example? OAuthConfiguration has setHasBeenCancelledFactory for when the user denies auth, and I am trying to figure out how to achieve the same with the OIDC client/configuration.
PAC4JConfig.java

public Config config() {
    // ORCID OIDC client
    final OidcConfiguration oidcConfiguration = new OidcConfiguration();
    oidcConfiguration.setClientId(orcidClientId);
    oidcConfiguration.setSecret(orcidClientSecret);
    oidcConfiguration.setUseNonce(true);
    oidcConfiguration.setDiscoveryURI(orcidDiscoveryUrl);
    oidcConfiguration.setScope(orcidClientScope);
    oidcConfiguration.setClientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_POST);

    final OidcClient oidcClient = new OidcClient(oidcConfiguration);
    oidcClient.setName(Constants.ORCID_CLIENT_NAME);
    oidcClient.setCallbackUrl(callbackUrl);
    oidcClient.setSaveProfileInSession(true);
    oidcClient.setMultiProfile(true);

    // CAS client
    final CasConfiguration configuration = new CasConfiguration(casLoginUrl);
    final CasClient casClient = new CasClient(configuration);
    casClient.setName(Constants.CAS_CLIENT_NAME);
    casClient.setMultiProfile(true);

    final Clients clients = new Clients(callbackUrl, oidcClient, casClient);
    return new Config(clients);
}

OrcidConnectController.java

@RequestMapping("/orcid/forceLogin")
@ResponseBody
public void forceLogin() {
    try {
        // client name comes from the request parameter (e.g. the ORCID client)
        final String name = webContext.getRequestParameter(Pac4jConstants.DEFAULT_CLIENT_NAME_PARAMETER)
                .map(String::valueOf).orElse("");
        final Client client = config.getClients().findClient(name).get();
        // after the callback, pac4j redirects to this URL
        JEESessionStore.INSTANCE.set(webContext, Pac4jConstants.REQUESTED_URL, "/orcid/connect");
        JEEHttpActionAdapter.INSTANCE.adapt(
                client.getRedirectionAction(new CallContext(webContext, JEESessionStore.INSTANCE)).get(),
                webContext);
    } catch (final HttpAction e) {
        log.error("Forcelogin error :{}", e.getMessage());
    }
}

Answer 1 by f0brbegy

You are right, the HasBeenCancelledFactory concept only applies to OAuth, not to OIDC.
That said, the error message you receive comes from the OidcExtractor:

if (response instanceof AuthenticationErrorResponse) {
    logger.error("Bad authentication response, error={}",
            ((AuthenticationErrorResponse) response).getErrorObject());
    return Optional.empty();
}

which returns empty credentials, just like the OAuth HasBeenCancelledFactory:

final boolean hasBeenCancelled = (Boolean) configuration.getHasBeenCancelledFactory().apply(context);
// check if the authentication has been cancelled
if (hasBeenCancelled) {
    logger.debug("authentication has been cancelled by user");
    return Optional.empty();
}

I think what you need here is to set a profile (probably an AnonymousProfile) via profileFactoryWhenNotAuthenticated on the Orcid OIDC client for the case where you are not authenticated.
See: https://www.pac4j.org/5.7.x/docs/clients.html#8-silent-login
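Added example (not code from the question, the answer or pac4j itself) of how the answer's suggestion fits the question's setup: the ORCID OidcClient gets the silent-login profile factory, and the /orcid/connect step classifies what ended up in the session so a declined consent is never stored as a linked account. It assumes pac4j 5.x, where IndirectClient exposes setProfileFactoryWhenNotAuthenticated and the returned AnonymousProfile is saved in the session like any other profile; the class name, the Outcome enum and the classify method are hypothetical.

```java
import java.util.List;
import org.pac4j.core.context.WebContext;
import org.pac4j.core.context.session.SessionStore;
import org.pac4j.core.profile.AnonymousProfile;
import org.pac4j.core.profile.ProfileManager;
import org.pac4j.core.profile.UserProfile;
import org.pac4j.oidc.client.OidcClient;
import org.pac4j.oidc.config.OidcConfiguration;
import org.pac4j.oidc.profile.OidcProfile;

public class OrcidDeclineHandling {

    // What the /orcid/connect step should conclude from the session contents.
    public enum Outcome { LINKED, DECLINED, NOT_ATTEMPTED }

    // Silent-login fallback from the answer: when ORCID redirects back with
    // error=access_denied, OidcExtractor returns no credentials and pac4j uses
    // this factory's profile instead of failing the callback (assumed pac4j 5.x
    // behaviour, see the docs section linked in the answer).
    public static OidcClient orcidClient(OidcConfiguration oidcConfiguration,
                                         String clientName, String callbackUrl) {
        final OidcClient oidcClient = new OidcClient(oidcConfiguration);
        oidcClient.setName(clientName);            // e.g. Constants.ORCID_CLIENT_NAME
        oidcClient.setCallbackUrl(callbackUrl);
        oidcClient.setSaveProfileInSession(true);
        oidcClient.setMultiProfile(true);
        oidcClient.setProfileFactoryWhenNotAuthenticated(p -> new AnonymousProfile());
        return oidcClient;
    }

    // Hypothetical handler logic for the REQUESTED_URL ("/orcid/connect") set in
    // the question. With multi-profile the CAS profile is also in the session,
    // so inspect every profile rather than only the first one. Only a real
    // OidcProfile counts as a linked ORCID account; an AnonymousProfile means
    // consent was declined and must not be persisted as a link.
    public static Outcome classify(WebContext webContext, SessionStore sessionStore) {
        final List<UserProfile> profiles =
                new ProfileManager(webContext, sessionStore).getProfiles();
        boolean declined = false;
        for (final UserProfile profile : profiles) {
            if (profile instanceof OidcProfile) {
                return Outcome.LINKED;
            }
            if (profile instanceof AnonymousProfile) {
                declined = true;
            }
        }
        return declined ? Outcome.DECLINED : Outcome.NOT_ATTEMPTED;
    }
}
```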
