使用 Azure OAuth2 的 Spring Boot - 回复 URL 不匹配错误 [英] Spring Boot using Azure OAuth2 - reply URL does not match error

问题描述

我有尝试使用 Azure OAuth2 保护的 Spring Boot Web 应用程序.此应用程序基于 Azure SDK 示例 azure-spring-boot-sample-active-directory-webapp.

I have Spring Boot web application that I attempting to secure with Azure OAuth2. This application is based on the Azure SDK sample azure-spring-boot-sample-active-directory-webapp.

我构建应用程序并将其作为 Web 应用程序部署到 Azure.我的 MS 证书受到质疑，我同意分享我的信息.我收到以下错误:

I build and deploy the application to Azure as a Web App. I am challenged for my MS Credentials, I give my consent to share my information. I get the following error:

AADSTS50011:请求中指定的回复 URL 与为应用程序配置的回复 URL 不匹配:'**client id**'.

我确定问题出在已注册应用程序的重定向 url 上.我注册了示例告诉我注册的网址，但我仍然收到错误消息.我删除了 Azure AD 注册的应用程序并重新开始，行为没有变化.

I am sure the issue is around the Registered Application's redirect urls. I register the urls the sample tells me to register, but I still get the error. I have deleted the Azure AD registered app and started over, no change in behavior.

我在 Edge 和 Chrome 上看到了这个错误.

I see this error with Edge and Chrome.

环境

• Spring Boot 父级:2.3.8.RELEASE
• Azure 入门广告:3.1.0
• 操作系统:Linux
• Java:Java 11
• Web 服务器堆栈:Java SE

Active Directory 应用注册

• 支持的帐户类型:仅此组织目录中的帐户(单租户)
• 身份验证:Web:重定向网址:https://myapp.azurewebsites.net/login/oauth2/code/azure
• 身份验证:Web:重定向网址:https://myapp.azurewebsites.net/login/oauth2/code/arm
• 创建的秘密
• API 权限:Azure 服务管理:user_impersonation
• API 权限:Microsoft Graph:Directory.AccessAsUser.All(授予默认目录)
• API 权限:Microsoft Graph:User.Read(授予默认目录)
• API 权限:Office 365 管理 API:ActivityFeed.Read(授予默认目录)
• API 权限:Office 365 管理 API:ActivityFeed.ReadDlp(授予默认目录)
• API 权限:Office 365 管理 API:ServiceHealth.Read(授予默认目录)

application.yaml

azure:
  activedirectory:
    authorization-clients:
      arm:
        on-demand: true
        scopes: https://management.core.windows.net/user_impersonation
      graph:
        scopes:
          - https://graph.microsoft.com/User.Read
          - https://graph.microsoft.com/Directory.Read.All
      office:
        scopes:
          - https://manage.office.com/ActivityFeed.Read
          - https://manage.office.com/ActivityFeed.ReadDlp
          - https://manage.office.com/ServiceHealth.Read
    client-id: my-client-id
    client-secret: my-client-secret
    tenant-id: my-tenant-id
    user-group:
      allowed-groups: group1, group2
    post-logout-redirect-uri: https://myapp.azurewebsites.net/

pom.xml

<?xml version="1.0" encoding="UTF-8"?>

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.3.8.RELEASE</version>
        <relativePath/>
        <!-- lookup parent from repository -->
    </parent>
    <groupId>mygroup</groupId>
    <artifactId>adoauthdemo</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <name>adoauthdemo</name>
    <description>Demonstration of integrating a spring boot application with Azure AD OAuth</description>
    <properties>
        <java.version>11</java.version>
    </properties>
    <dependencies>
        <dependency>
            <groupId>com.azure.spring</groupId>
            <artifactId>azure-spring-boot-starter-active-directory</artifactId>
            <version>3.1.0</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-oauth2-client</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-thymeleaf</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-devtools</artifactId>
            <scope>runtime</scope>
            <optional>true</optional>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-configuration-processor</artifactId>
            <optional>true</optional>
        </dependency>
        <dependency>
            <groupId>org.projectlombok</groupId>
            <artifactId>lombok</artifactId>
            <optional>true</optional>
        </dependency>
    </dependencies>
    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
                <configuration>
                    <excludes>
                        <exclude>
                            <groupId>org.springframework.boot</groupId>
                            <artifactId>spring-boot-configuration-processor</artifactId>
                        </exclude>
                        <exclude>
                            <groupId>org.projectlombok</groupId>
                            <artifactId>lombok</artifactId>
                        </exclude>
                    </excludes>
                </configuration>
            </plugin>
            <plugin>
                <groupId>com.microsoft.azure</groupId>
                <artifactId>azure-webapp-maven-plugin</artifactId>
                <version>1.12.0</version>
                <configuration>
                    <authType>azure_cli</authType>
                    <resourceGroup>adoauthdemo-rg</resourceGroup>
                    <appName>adoauthdemo</appName>
                    <pricingTier>B1</pricingTier>
                    <region>eastus</region>
                    <deployment>
                        <resources>
                            <resource>
                                <directory>${project.basedir}/target</directory>
                                <includes>
                                    <include>*.jar</include>
                                </includes>
                            </resource>
                        </resources>
                    </deployment>
                    <runtime>
                        <os>Linux</os>
                        <javaVersion>Java 11</javaVersion>
                        <webContainer>Java SE</webContainer>
                    </runtime>
                </configuration>
            </plugin>
        </plugins>
    </build>
</project>

推荐答案

我必须将以下内容添加到我的 application.yaml 中.

I had to add the following to my application.yaml.

server:
  forward-headers-strategy: native

说明

我在我的应用程序上打开调试，我终于看到是什么导致了我的问题:

I turned on debugging on my application and I finally saw what was causing my issue:

重定向到https://login.microsoftonline.com/**tenant id**/oauth2/v2.0/authorize?response_type=code&client_id=**client id**&scope=https://manage.office.com/ServiceHealth.Read%20openid%20profile%20offline_access%20https://graph.microsoft.com/User.Read%20https://graph.microsoft.com/Directory.AccessAsUser.All%20https://graph.microsoft.com/Directory.Read.All%20https://manage.office.com/ActivityFeed.ReadDlp%20https://manage.office.com/ActivityFeed.Read&state=rccivv5nfrx270lpF_y4hHGDP-hhfUSSKI0mmokkNNA%3D&redirect_uri=http://myapp.azurewebsites.net/login/oauth2/code/azure&nonce=fVQX_yumChDneZJvE1pLljs81thZtpBk8do5h1XClGs'

重要的部分是 redirect_uri 参数:http://myapp.azurewebsites.net/login/oauth2/code/azure

The important part is the redirect_uri parameter: http://myapp.azurewebsites.net/login/oauth2/code/azure

我的 Spring Boot 应用使用的是 http 而不是 https.

My Spring Boot app was using http instead of https.

现在我找到了一个 文章解决了这个问题，他们修复了我上面指出的相同问题.

Now I found an article that addresses this issue where they fixed this same issue as I indicated above.

这篇关于使用 Azure OAuth2 的 Spring Boot - 回复 URL 不匹配错误的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！