Spring OAuth2-没有客户端身份验证。尝试添加适当的身份验证过滤器 [英] Spring OAuth2 - There is no client authentication. Try adding an appropriate authentication filter

问题描述

我们有一个使用 spring-security-oauth2：1.0 的应用程序。我试图将其更改为较新的版本， spring-security-oauth2：2.0.7.RELEASE 。删除了某些类，更改了某些程序包结构，我设法整理了所有这些内容，并且能够毫无问题地启动服务器。但是我在这里面临一个奇怪的问题。

We have an application which is using spring-security-oauth2:1.0. I was trying to change it to a newer version, spring-security-oauth2:2.0.7.RELEASE. Some classes were removed, some package structure is changed, I managed to sort out all those things and I was able to start the server without any issue. But I am facing a strange issue here.

使用 OAuth2-1.0版本，当用户登录时，我们使用对 / oauth / token 进行 GET 请求，例如：

With OAuth2 - 1.0 version, when the user logs in we used to do a GET request on /oauth/token, For example :

http：// localhost：8080 / echo / oauth / token？grant_type = password& client_id = ws& client_secret = secret& scope = read，write&用户名=john@abc.com& password = password123

它曾经可以正常工作。

当我尝试相同的操作时，首先由于 GET 请求= https://github.com/spring-projects/spring-security-oauth/blob/master/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/TokenEndpoint。 java rel = noreferrer> TokenEndPoint.java

When I try the same thing, First of all I am not able to make a GET request because of the logic in TokenEndPoint.java

private Set<HttpMethod> allowedRequestMethods = new HashSet<HttpMethod>(Arrays.asList(HttpMethod.POST));

@RequestMapping(value = "/oauth/token", method=RequestMethod.GET)
public ResponseEntity<OAuth2AccessToken> getAccessToken(Principal principal, @RequestParam
Map<String, String> parameters) throws HttpRequestMethodNotSupportedException {
    if (!allowedRequestMethods.contains(HttpMethod.GET)) {
        throw new HttpRequestMethodNotSupportedException("GET");
    }
    return postAccessToken(principal, parameters);
}

我试图发布 POST 请求与上述URL相同，但出现错误消息 InsufficientAuthenticationException

I have tried to make a POST request same as above URL, but I get InsufficientAuthenticationException with the error message

没有客户端身份验证。尝试添加适当的身份验证过滤器

There is no client authentication. Try adding an appropriate authentication filter

这是因为以下 POST 请求 TokenEndpoint.java 中的控制器。调试时，我看到 principal 为空。

This is because of the following POST request controller in TokenEndpoint.java. When I debug, I see that principal is null.

@RequestMapping(value = "/oauth/token", method=RequestMethod.POST)
    public ResponseEntity<OAuth2AccessToken> postAccessToken(Principal principal, @RequestParam
    Map<String, String> parameters) throws HttpRequestMethodNotSupportedException {
        //principal is null here
        if (!(principal instanceof Authentication)) {
            throw new InsufficientAuthenticationException(
                    "There is no client authentication. Try adding an appropriate authentication filter.");
        }
     .............
 }

我有一个身份验证过滤器，当我使用版本1.0 时，它可以很好地工作。这是我的配置的相关参数：

I have an authentication filter and it worked well when I used version 1.0. This is the relevant prats of my config:

    <authentication-manager xmlns="http://www.springframework.org/schema/security">
        <authentication-provider user-service-ref="userDetailsService"/>
    </authentication-manager>

   <bean id="userDetailsService" class="com.hcl.nc.service.UserDetailsService">
        <constructor-arg><ref bean="sessionFactory" /></constructor-arg>
    </bean>

我一直认为请求将由 authentication-provider进行身份验证并转到 token-endpoint ，但这似乎不是正确的流程。在使用版本2.0.7 调试应用程序后，现在我真的怀疑我对流程的理解。

I always thought that the request will be authenticated by authentication-provider and goes to token-endpoint but that does not seem to be the correct flow. After debugging the application with version 2.0.7, now I really doubt my understanding about the flow.

有人可以解释一下为什么它在以前的版本中有效，为什么现在不能正常工作吗？

为了获得OAuth令牌？

注意：我已经检查了以下问题：此处，此处，此处。但是我找不到正确的解决方案。

NOTE: I have already checked these questions : here, here, here. But I was not able to find the correct solution.

推荐答案

我不知道以前的版本，但是我知道一点大约是2.0.7。

I don't know the previous version, but I know a bit about 2.0.7.

我怀疑您的问题是您的TokenEndpoint安全性试图针对您的用户验证您的客户端 >服务。

I suspect your problem is that your TokenEndpoint security tries to authenticate your clients against your user service.

TokenEndpoint受 BasicAuthenticationFilter 保护。默认情况下，此过滤器将使用 AuthenticationManager 实例，该实例本身包含 AuthenticationProvider 本身，该实例本身取决于 UserDetailsS​​ervice 。
诀窍在于， UserDetailsS​​ervice 的特定实例必须基于 client ，而不是基于 user ：为什么有一个 ClientDetailsUserDetailsS​​ervice ，它将 ClientDetailsS​​ervice 修改为 UserDetailsS​​ervice

The TokenEndpoint is protected by a BasicAuthenticationFilter. By default this filter would use an AuthenticationManager instance, which itself holds an AuthenticationProvider, which itself depends on an instance of UserDetailsService. The trick is that this particular instance of UserDetailsService must be client based, not user based : that's why there is a ClientDetailsUserDetailsService, which adapts ClientDetailsService to UserDetailsService.

通常，当您使用框架的配置类 AuthorizationServerConfigurerAdapter ， @EnableAuthorizationServer 等。

Normally all this stuff is already done by default when you use the framework's configuration classes AuthorizationServerConfigurerAdapter, @EnableAuthorizationServer, etc..

这篇关于Spring OAuth2-没有客户端身份验证。尝试添加适当的身份验证过滤器的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！