Spring Boot OIDC回调“错误的身份验证响应，错误=access_denied”

hfsqlsce 于 2023-03-23 发布在 Spring

关注(0)|答案(1)|浏览(206)

我们有一个使用pac 4j应用程序的spring-boot，它使用CAS凭据与Orcid集成。我们有两个OidcClients - CAS和一个用于ORCID的基本OidcClient的多配置文件配置。问题：有没有类似于Oauth示例的方法来配置Oidc回调？OathConfiguration在用户拒绝auth时有setHasBeenCancelledFactory，我试图找出如何使用OIDC客户端/配置实现它。
PAC4JConfig.java .

public Config config() {
    final OidcConfiguration oidcConfiguration = new OidcConfiguration();
    oidcConfiguration.setClientId(orcidClientId);
    oidcConfiguration.setSecret(orcidClientSecret);
    oidcConfiguration.setUseNonce(true);
    oidcConfiguration.setDiscoveryURI(orcidDiscoveryUrl);
    oidcConfiguration.setScope(orcidClientScope);
             oidcConfiguration.setClientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_POST);

    final OidcClient oidcClient = new OidcClient(oidcConfiguration);
    oidcClient.setName(Constants.ORCID_CLIENT_NAME);
    oidcClient.setCallbackUrl(callbackUrl);
    oidcClient.setSaveProfileInSession(true);
    oidcClient.setMultiProfile(true);
    final CasConfiguration configuration = new CasConfiguration(casLoginUrl);
    final CasClient casClient = new CasClient(configuration);
    casClient.setName(Constants.CAS_CLIENT_NAME);
    casClient.setMultiProfile(true);
    final Clients clients = new Clients(callbackUrl, oidcClient, casClient);
    return new Config(clients);
}

OrcidConnectController.java

@RequestMapping("/orcid/forceLogin")
    @ResponseBody
    public void forceLogin() {
        try {
            final String name = webContext.getRequestParameter(Pac4jConstants.DEFAULT_CLIENT_NAME_PARAMETER)
                    .map(String::valueOf).orElse(""); 
            final Client client = config.getClients().findClient(name).get();
            JEESessionStore.INSTANCE.set(webContext, Pac4jConstants.REQUESTED_URL, "/orcid/connect");
            JEEHttpActionAdapter.INSTANCE.adapt(client.getRedirectionAction(new CallContext(webContext, JEESessionStore.INSTANCE)).get(), webContext);
        } catch (final HttpAction e) {
            log.error("Forcelogin error :{}", e.getMessage());
        }
    }

spring-boot

来源：https://stackoverflow.com/questions/75794298/oidc-callback-bad-authentication-response-error-access-denied

1条答案

按热度按时间

f0brbegy1#

您是对的，HasBeenCancelledFactory概念仅适用于OAuth，不适用于OIDC。
也就是说，您收到的错误消息来自OidcExtractor：

if (response instanceof AuthenticationErrorResponse) {
    logger.error("Bad authentication response, error={}",
                    ((AuthenticationErrorResponse) response).getErrorObject());
    return Optional.empty();
}

它返回一个空凭证，就像OAuth的HasBeenCancelledFactory：

final boolean hasBeenCancelled = (Boolean) configuration.getHasBeenCancelledFactory().apply(context);
// check if the authentication has been cancelled
if (hasBeenCancelled) {
    logger.debug("authentication has been cancelled by user");
    return Optional.empty();
}

我认为您需要在这里设置一个配置文件（可能是AnonymousProfile），当您没有通过Orcid OIDC客户端的profileFactoryWhenNotAuthenticated进行身份验证时。
参见：https://www.pac4j.org/5.7.x/docs/clients.html#8-silent-login

赞(0）回复(0）举报 2023-03-23

我来回答

Spring Boot OIDC回调“错误的身份验证响应，错误=access_denied”

1条答案

相关问题

热门标签

最新问答