OAuth2 Password Grant Type with Client_Id & Client_Secret

Problem description

I am developing an app to access its own resources via REST endpoints.

Users are required to acquire an access token via email/password. After completing the authentication server configuration, I had this observation:

Using:

curl client:secret@localhost:9999/uaa/oauth/token -d grant_type=password -d username=user -d password=password

I get the correct response:

{"access_token":"7541a4f6-e841-41a0-8a54-abf8e0666ed1","token_type":"bearer","refresh_token":"d3fdd7e3-53eb-4e7b-aa45-b524a9e7b316","expires_in":43199,"scope":"openid"}

But with:

curl http://localhost:9999/uaa/oauth/token -d grant_type=password -d username=user -d password=password -d client_id=client -d client_secret=secret

I get the following error:

DEBUG 4123 --- [nio-9999-exec-7] o.s.s.w.a.ExceptionTranslationFilter : Access is denied (user is anonymous); redirecting to authentication entry point

org.springframework.security.access.AccessDeniedException: Access is denied at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:83)

It looks like the client_id & client_secret are not being recognized when sent as parameters. Is this a configuration issue or to do with the version of OAuth2 I am using (spring-security-oauth2, 2.0.5.RELEASE)?

A lot of examples I come across on the Internet suggest approach one should work with OAuth2.

Thanks :)

Recommended answer

There's no method of authenticating the Client against the Authorization Server that is mandatory to implement by spec. Two methods that have been specified that MAY be supported are the HTTP Basic Authentication pattern and the HTTP POST parameter pattern that you've used in your examples. Apparently Spring supports only the first, which seems to be supported by the docs at: http://projects.spring.io/spring-security-oauth/docs/oauth2.html
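
The two client-authentication patterns named in the answer, as an added example that is not part of the original post or of Spring's code: a minimal server-side extractor showing why the second curl request is treated as anonymous when only the Basic header is read. The function names and the `allow_form` switch are hypothetical; the encoding of the Basic credentials and the one-method-per-request rule follow RFC 6749 section 2.3.

```python
import base64
from urllib.parse import parse_qs, quote_plus, unquote_plus

def basic_header(client_id, client_secret):
    """Client side: build the HTTP Basic header used for client authentication."""
    # RFC 6749 section 2.3.1: form-urlencode each part before joining with ':'
    pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
    return "Basic " + base64.b64encode(pair.encode()).decode()

def extract_client(headers, body, allow_form=False):
    """Server side: return (client_id, client_secret, method), or None if anonymous.

    allow_form is a hypothetical switch standing in for a server's decision
    to also accept client credentials sent as POST body parameters.
    """
    form = {k: v[0] for k, v in parse_qs(body).items()}
    auth = headers.get("Authorization", "")
    in_header = auth.startswith("Basic ")
    in_body = "client_secret" in form
    if in_header and in_body:
        # RFC 6749 section 2.3: only one authentication method per request
        raise ValueError("client used more than one authentication method")
    if in_header:
        decoded = base64.b64decode(auth[len("Basic "):]).decode()
        cid, _, secret = decoded.partition(":")
        return unquote_plus(cid), unquote_plus(secret), "basic"
    if in_body and allow_form:
        return form.get("client_id"), form["client_secret"], "form"
    return None  # no recognised client credentials: the caller is anonymous

# Constructed requests mirroring the two curl commands in the question
USER = "grant_type=password&username=user&password=password"
REQ_BASIC = ({"Authorization": basic_header("client", "secret")}, USER)
REQ_FORM = ({}, USER + "&client_id=client&client_secret=secret")

if __name__ == "__main__":
    print(extract_client(*REQ_BASIC))                  # Basic header is read
    print(extract_client(*REQ_FORM))                   # body ignored: anonymous
    print(extract_client(*REQ_FORM, allow_form=True))  # body accepted
```

With `allow_form` left off, the second request carries no credentials the server looks at, which matches the "user is anonymous" line in the debug log above.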
