无法在同一应用程序中实现Stormpath表单登录/身份验证以及REST oAuth身份验证 [英] Having trouble implementing Stormpath form Login/Authentication alongside REST oAuth authentication in the same application

问题描述

我们正在将Stormpath与Java&还尝试将表单登录与REST API身份验证结合在同一应用程序上.

We're using stormpath with Java & also trying to combine form Login with REST API authentication on the same application.

我已经按照此处 https://docs的说明安装了stormpath servlet插件. stormpath.com/java/servlet-plugin/quickstart.html ...效果很好.

I've setup stormpath servlet plugin as described here https://docs.stormpath.com/java/servlet-plugin/quickstart.html... This works very fine.

现在，在同一应用程序上，我们已经使用API​​实现了我的StormPath OAuth身份验证，请参见此处 http://docs.stormpath.com/guides/api-key-management/

Now, on the same application, we have APIs where I've implemented oAuth authentication with stormpath see here http://docs.stormpath.com/guides/api-key-management/

第一个访问令牌的请求可以通过在请求标头中发送Basic Base64(keyId:keySecret)并在正文中发送grant_type = client_credentials来正常工作.访问令牌被很好地返回了.但是，尝试使用标头Bearer <the-obtained-access-token>对后续请求进行身份验证之前，甚至都无法访问该应用程序 返回以下json错误消息...

The first request for an access-token works fine by sending Basic Base64(keyId:keySecret) in the request header and grant_type = client_credentials in the body. Access tokens are being returned nicely. However trying to authenticate subsequent requests with the header Bearer <the-obtained-access-token> does not even hit the application before returning the following json error message...

{
    "error": "invalid_client",
    "error_description": "access_token is invalid."
}

这令人困惑，因为我已经在整个应用程序上设置了断点，而且我很确定在Stormpath触发并返回此错误之前，API请求不会在应用程序中的任何地方发生.而且，即使stormpath在进入REST接口之前以某种方式拦截了该请求，该消息对我也没有任何意义，因为我当然是使用从第一个调用获取的有效访问令牌进行后续的API调用，以获取访问权限-令牌.

This is confusing because I've set breakpoints all over the application and I'm pretty sure that the API request doesn't hit the anywhere within the application before stormpath kicks in and returns this error. And even if stormpath somehow intercepts the request before getting to the REST interface, this message doesn't make any sense to me because i'm certainly making the subsequent API calls with a valid access-token obtained from the first call to get access-token.

我已经耗尽了为什么会发生这种情况的想法，但是我怀疑这可能与Stormpath配置有关，尤其是与组合方式有关 用于Web视图的登录/身份验证形式和用于REST端点的oAuth Athentication形式.话虽如此，这就是我的stormpath.properties的样子.希望这可以指出我做错的任何事情.

I have run out of ideas why this could be happening but i'm suspecting that it may have something to do with stormpath config especially with a combination of form Login/Authentication for web views and oAuth Athentication for REST endpoints. With that said, here's what my stormpath.properties looks like. Hope this could help point at anything I may be doing wrong.

stormpath.application.href=https://api.stormpath.com/v1/applications/[app-id]
stormpath.web.filters.authr=com.app.security.AuthorizationFilter
stormpath.web.request.event.listener = com.app.security.AuthenticationListener

stormpath.web.uris./resources/**=anon
stormpath.web.uris./assets/**=anon
stormpath.web.uris./v1.0/**=anon
stormpath.web.uris./** = authc,authr
stormpath.web.uris./**/**=authc,authr

我们将不胜感激.

推荐答案

问题可能与错误的请求有关.

The problem might be related to an incorrect request.

您可以在您的应用中尝试此代码吗?:

Is it possible for you to try this code in your app?:

 private boolean verify(String accessToken) throws OauthAuthenticationException {
     HttpRequest request = createRequestForOauth2AuthenticatedOperation(accessToken);
     AccessTokenResult result = Applications.oauthRequestAuthenticator(application)
        .authenticate(request);
     System.out.println(result.getAccount().getEmail() + " was successfully verified, you can allow your protect operation to continue");
     return true;
 }

 private HttpRequest createRequestForOauth2AuthenticatedOperation(String token) {
     try {
         Map<String, String[]> headers = new LinkedHashMap<String, String[]>();
         headers.put("Accept", new String[]{"application/json"});
         headers.put("Authorization", new String[]{"Bearer " + token});
         HttpRequest request = HttpRequests.method(HttpMethod.GET)
             .headers(headers)
             .build();
         return request;
     } catch (Exception e) {
         e.printStackTrace();
         return null;
     }
 }

这篇关于无法在同一应用程序中实现Stormpath表单登录/身份验证以及REST oAuth身份验证的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！