为什么我的令牌被拒绝?什么是资源 ID?“无效的令牌不包含资源 ID (oauth2-resource)”

我正在尝试为春季项目配置OAuth2。我使用的是工作场所提供的共享UAA(来自云铸造厂的oauth实现)实例(所以我没有尝试创建授权服务器,并且授权服务器与资源服务器是分开的)。前端是一个单页应用程序,它使用隐式授权直接从授权服务器获取令牌。我有SPA设置,它将每个Web API调用的标头添加到微服务。Authorization: Bearer <TOKEN>

我的问题现在与微服务有关。

我正在尝试使用此共享授权服务器对微服务进行身份验证。我可能在这里有一个误解,购买我目前的理解是,这些微服务扮演资源服务器的角色,因为它们托管SPA用于获取数据的端点。

所以我尝试像这样配置微服务:

@Configuration
@EnableResourceServer
public class OAuth2ResourceServerConfig extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
        .authorizeRequests()
        .antMatchers("/api/**").authenticated();
    }

    @Bean
    public TokenStore tokenStore() {
        return new JwtTokenStore(accessTokenConverter());
    }

    @Bean
    public JwtAccessTokenConverter accessTokenConverter() {
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        converter.setVerifierKey("-----BEGIN PUBLIC KEY-----<key omitted>-----END PUBLIC KEY-----");
        return converter;
    }

    @Bean
    @Primary
    public DefaultTokenServices tokenServices() {
        DefaultTokenServices defaultTokenServices = new DefaultTokenServices();
        defaultTokenServices.setTokenStore(tokenStore());
        return defaultTokenServices;
    }


    @Override
    public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
         resources.tokenServices(tokenServices());
    }
}

现在,每当我用 ,击中 a 时,我都会得到一个,并显示此错误:/api/**Authorization: Bearer <TOKEN>403

{
    "error": "access_denied",
    "error_description": "Invalid token does not contain resource id (oauth2-resource)"
}

所以这是我的问题:

  • 如何配置这些微服务以验证令牌并在控制器方法中插入主体我目前已在SPA具有并发送令牌的位置进行了设置,并且我还具有用于验证令牌签名的公钥。我还使用 jwt.io 来测试令牌,它显示“签名已验证”。
  • 什么是资源 ID?为什么我需要它,为什么它会导致上述错误?那是春天唯一的事情吗??

谢谢!


答案 1

Spring OAuth期望在JWT令牌中提出“aud”声明。该声明的值应与你指定的 Spring 应用的值匹配(如果未指定,则默认为“oauth2-resource”)。resourceId

要解决您的问题,您需要:

1)登录您共享的UAA,并确保它确实包含“aud”声明。

2)将该“aud”声明的值更改为“oauth2-resource”,或者最好在Spring应用程序更新中更改为该声明的值,如下所示:resourceId

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
         resources.tokenServices(tokenServices());
         resources.resourceId(value from the aud claim you got from UAA server);
    }

答案 2

我添加了一个类似的问题。在我的情况下,我使用了jdbc身份验证,我的授权服务器和资源服务器是两个独立的API。

  • 身份验证服务器

       @Override
    public void configure(AuthorizationServerSecurityConfigurer oauthServer) {
    oauthServer.tokenKeyAccess("permitAll()")
                .checkTokenAccess("isAuthenticated()")
                .passwordEncoder(oauthClientPasswordEncoder);
    

    }

    /**
    * Define the client details service. The client may be define either as in memory or in database.
     * Here client with be fetch from the specify database
      */
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
       clients.jdbc(dataSource);
    }
    
    /**
    * Define the authorization by providing authentificationManager
    * And the token enhancement
     */
     @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
    endpoints.tokenStore(tokenStore())
                .tokenEnhancer(getTokenEnhancer())
                .authenticationManager(authenticationManager).userDetailsService(userDetailsService);
     }
    
  • 资源服务器

    public class OAuth2ResourceServerConfig extends 
        ResourceServerConfigurerAdapter {
    
        private TokenExtractor tokenExtractor = new BearerTokenExtractor();
    
        @Autowired
        private DataSource dataSource;
    
        @Bean
        public TokenStore tokenStore() {
          return new JdbcTokenStore(dataSource);
        }
    
         @Override
         public void configure(HttpSecurity http) throws Exception {
               http.addFilterAfter(new OncePerRequestFilter() {
               @Override
               protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                FilterChain filterChain) throws ServletException, IOException {
            // We don't want to allow access to a resource with no token so clear
            // the security context in case it is actually an OAuth2Authentication
            if (tokenExtractor.extract(request) == null) {
                SecurityContextHolder.clearContext();
            }
            filterChain.doFilter(request, response);
        }
    }, AbstractPreAuthenticatedProcessingFilter.class);
    http.csrf().disable();
    http.authorizeRequests().anyRequest().authenticated();
     }
    
      @Bean
      public AccessTokenConverter accessTokenConverter() {
         return new DefaultAccessTokenConverter();
      }
    
      @Bean
      public RemoteTokenServices remoteTokenServices(final @Value("${auth.server.url}") String checkTokenUrl,
        final @Value("${auth.resource.server.clientId}") String clientId,
        final @Value("${auth.resource.server.clientsecret}") String clientSecret) {
    
           final RemoteTokenServices remoteTokenServices = new RemoteTokenServices();
           remoteTokenServices.setCheckTokenEndpointUrl(checkTokenUrl);
           remoteTokenServices.setClientId(clientId);
           remoteTokenServices.setClientSecret(clientSecret);
          remoteTokenServices.setAccessTokenConverter(accessTokenConverter());
    return remoteTokenServices;
       }
    

有了这个配置,我得到了

    {
       "error": "access_denied",
       "error_description": "Invalid token does not contain resource id 
       (xxxxx)"
     }

为了解决这个问题,我不得不添加

    private String resourceIds= "xxxxx". !! maked sure that this resourceids is store in oauth_client_details for the clientid I used to get the token
    @Override
    public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
          resources.resourceId(resourceIds).tokenStore(tokenStore());
      }