为什么我的令牌被拒绝?什么是资源ID? “无效令牌不包含资源ID(oauth2-resource)". [英] Why is my token being rejected? What is a resource ID? "Invalid token does not contain resource id (oauth2-resource)"
问题描述
我正在尝试为春季项目配置OAuth2.我正在使用共享的UAA(从Cloud Foundry实施oauth )实例我的工作场所提供了(因此,我不尝试创建授权服务器,并且授权服务器与资源服务器是分开的).前端是一个单页应用程序,它使用隐式授予直接从授权服务器获取令牌.我有SPA设置,它在每个Web API调用上将Authorization: Bearer <TOKEN>
标头添加到微服务.
I'm trying to configure OAuth2 for a spring project. I'm using a shared UAA (oauth implementation from cloud foundry) instance my work place provides (so I'm not trying to create an authorization server and the authorization server is separate from the resource server). The frontend is a single-page-application and it gets token directly from the authorization server using the implicit grant. I have the SPA setup where it adds the Authorization: Bearer <TOKEN>
header on each web API call to microservices.
我的问题现在是微服务.
My issue is now with the microservices.
我正在尝试使用此共享授权服务器对微服务进行身份验证.在这里,我可能会有一个误解,请确保我目前的理解是,这些微服务起着资源服务器的作用,因为它们托管SPA用来获取数据的端点.
I'm trying to use this shared authorization server to authenticate the microservices. I might have a misunderstanding here, buy my current understanding is that these microservices play the role of the resource server because they host the endpoints the SPA uses to get data.
所以我试图像这样配置微服务:
So I tried to configure a microservice like so:
@Configuration
@EnableResourceServer
public class OAuth2ResourceServerConfig extends ResourceServerConfigurerAdapter {
@Override
public void configure(HttpSecurity http) throws Exception {
http.csrf().disable()
.authorizeRequests()
.antMatchers("/api/**").authenticated();
}
@Bean
public TokenStore tokenStore() {
return new JwtTokenStore(accessTokenConverter());
}
@Bean
public JwtAccessTokenConverter accessTokenConverter() {
JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
converter.setVerifierKey("-----BEGIN PUBLIC KEY-----<key omitted>-----END PUBLIC KEY-----");
return converter;
}
@Bean
@Primary
public DefaultTokenServices tokenServices() {
DefaultTokenServices defaultTokenServices = new DefaultTokenServices();
defaultTokenServices.setTokenStore(tokenStore());
return defaultTokenServices;
}
@Override
public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
resources.tokenServices(tokenServices());
}
}
现在,每当我用Authorization: Bearer <TOKEN>
击中/api/**
时,都会出现此错误的403
:
Now whenever I hit a /api/**
with the Authorization: Bearer <TOKEN>
, I get a 403
with this error:
{
"error": "access_denied",
"error_description": "Invalid token does not contain resource id (oauth2-resource)"
}
所以这是我的问题:
- 如何配置这些微服务以验证令牌并插入
Principal
??我目前在SPA拥有并发送令牌的位置对其进行了设置,并且还具有用于验证令牌签名的公共密钥.我还使用了 jwt.io 来测试令牌,并说签名已验证". - 什么是资源ID?为什么我需要它,为什么它会导致上述错误?那是Spring唯一的东西吗?
- How do I configure these microservices to validate the token and insert a
Principal
in controller methods? I currently have it setup where the SPA has and sends the token and I also have the public key used to verify the signature of the token. I have also used jwt.io to test the token and it says "Signature Verified". - What is a resource id? Why do I need it and why does it cause the error above? Is that a Spring only thing??
So here are my questions:
谢谢!
推荐答案
Spring OAuth expects "aud" claim in JWT token. That claim's value should match to the resourceId
value you specify your Spring app (if not specified it defaults to "oauth2-resource").
要解决您的问题,您需要:
To fix your issue you need to:
1)登录到共享的UAA,并确保它确实包含"aud"声明.
1) Log into your shared UAA and make sure it does include "aud" claim.
2)将该"aud"声明的值更改为"oauth2-resource",或者最好在您的Spring应用程序更新resourceId
中将其更改为该声明的值,如下所示:
2) Change the value of that "aud" claim to be "oauth2-resource" or preferably in your Spring app update resourceId
to that claim's value like this:
@Override
public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
resources.tokenServices(tokenServices());
resources.resourceId(value from the aud claim you got from UAA server);
}
这篇关于为什么我的令牌被拒绝?什么是资源ID? “无效令牌不包含资源ID(oauth2-resource)".的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!