OAuth2 - 检索TOKEN时OPTIONS请求的状态401 [英] OAuth2 - Status 401 on OPTIONS request while retrieving TOKEN
问题描述
我们的堆栈使用Backbone作为我们的客户端应用程序,使用Spring Boot作为RESTful API。
Our stack uses Backbone as our client-side app and Spring Boot as a RESTful API.
我们试图使用OAuth2和密码。
We're trying to make basic authentication using OAuth2 with user providing username and password.
我们使用Spring Security进行身份验证,使用jQuery $ .ajax方法进行请求。然而,我们得到的反应是401(未授权)状态在prelight OPTIONS请求,我们甚至可以POST标题与我们的秘密授权。
然而,我们可以POST或GET任何其他资源没有任何问题。
We use Spring Security for authentication and jQuery $.ajax method for making requests. However the response we get is 401(unauthorized) status on preflight OPTIONS request before we can even POST header with our secret to authorize. However we can POST or GET any other resource without any problems. Server response for OPTIONS request is 200(ok) and then it follows up with POST request.
因此,为什么来自/ oauth / token的OPTIONS请求具有401状态即使它不应该?它不会让我们授权自己,因为它陷入了OPTIONS请求,我们不能添加授权头。
So why is that an OPTIONS request from /oauth/token responses with 401 status even when it shouldn't? It won't let us authorize ourselves because it get's stuck at OPTIONS request in which we can't add authorization header.
这是我们如何处理前端请求:
This is how we handle requests on front-end:
$.ajax({
url: "http://localhost:8080/oauth/token",
type: "POST",
beforeSend: function(xhr) {
xhr.setRequestHeader("Authorization", "Basic Y2xpZW50YXBwOjEyMzQ1Ng==");
},
data: {
password: "qwerty",
username: "jkowalski",
grant_type: "password"
}
});
这是我们的OAuth2配置:
This is our OAuth2 config:
@Configuration
public class OAuth2ServerConfiguration {
private static final String RESOURCE_ID = "restservice";
@Configuration
@EnableResourceServer
protected static class ResourceServerConfiguration extends
ResourceServerConfigurerAdapter {
[...]
@Override
public void configure(HttpSecurity http) throws Exception {
http.csrf().disable();
http
.authorizeRequests()
.anyRequest().permitAll();
}
}
[...]
@Configuration
@EnableAuthorizationServer
protected static class OAuth2AuthorizationConfig extends
AuthorizationServerConfigurerAdapter {
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
// @formatter:off
clients
.inMemory()
.withClient("clientapp")
.authorizedGrantTypes("password", "refresh_token")
.authorities("USER","ADMIN")
.scopes("read", "write")
.resourceIds(RESOURCE_ID)
.secret("123456");
// @formatter:on
}
[...]
}
推荐答案
我可以从理论上回答你的问题:
I can just answer your questions in theory:
那么为什么来自/ oauth / token的OPTIONS请求具有401状态,即使它不应该?它不会让我们授权自己,因为它遇到了OPTIONS请求,我们无法添加授权头。
So why is that an OPTIONS request from /oauth/token responses with 401 status even when it shouldn't? It won't let us authorize ourselves because it get's stuck at OPTIONS request in which we can't add authorization header.
这是因为 AuthServer的默认配置仅允许令牌端点处的完全身份验证的请求。
This is because the default configuration of the AuthServer is to allow only a fully authenticated request at the token endpoint.
在您的资源服务器中,您允许所有请求发生,而不进行身份验证,使用: http.authorizeRequests()。anyRequest()。permitAll();
In your Resource server, you allow all requests to happen without authentication with this: http.authorizeRequests().anyRequest().permitAll();
我试图解决这种情况,例如这里,但我不能让我为我工作。
I tried to solve this circumstance like mentioned here, but I couldn't get that working for me.
为了完整性我也提到这里,必须添加 CorsFilter 添加正确的标题到OPTIONS预检请求。
Just for completeness I also mention here, that you have to add a CorsFilter to add the correct Headers to the OPTIONS preflight request.
我也问了一个非常类似的问题,所以也许如果我的答案,你是能够解决你的问题,以及与这些信息。
I also asked a very similar question, so maybe if mine gets answered, you are capable of solving your problem as well with these informations.
这篇关于OAuth2 - 检索TOKEN时OPTIONS请求的状态401的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
