Spring OAuth2 - 没有客户端身份验证.尝试添加适当的身份验证过滤器 [英] Spring OAuth2 - There is no client authentication. Try adding an appropriate authentication filter
问题描述
我们有一个使用 spring-security-oauth2:1.0 的应用程序.我试图将其更改为更新版本 spring-security-oauth2:2.0.7.RELEASE.删除了一些类,更改了一些包结构,我设法解决了所有这些问题,并且能够毫无问题地启动服务器.但是我在这里遇到了一个奇怪的问题.
We have an application which is using spring-security-oauth2:1.0. I was trying to change it to a newer version, spring-security-oauth2:2.0.7.RELEASE. Some classes were removed, some package structure is changed, I managed to sort out all those things and I was able to start the server without any issue. But I am facing a strange issue here.
使用OAuth2 - 1.0 版本,当用户登录时,我们曾经在/oauth/token上做一个GET请求,例如:
With OAuth2 - 1.0 version, when the user logs in we used to do a GET request on /oauth/token, For example :
它曾经工作得很好.
当我尝试同样的事情时,首先我无法发出 GET 请求,因为 TokenEndPoint.java
When I try the same thing, First of all I am not able to make a GET request because of the logic in TokenEndPoint.java
private Set<HttpMethod> allowedRequestMethods = new HashSet<HttpMethod>(Arrays.asList(HttpMethod.POST));
@RequestMapping(value = "/oauth/token", method=RequestMethod.GET)
public ResponseEntity<OAuth2AccessToken> getAccessToken(Principal principal, @RequestParam
Map<String, String> parameters) throws HttpRequestMethodNotSupportedException {
if (!allowedRequestMethods.contains(HttpMethod.GET)) {
throw new HttpRequestMethodNotSupportedException("GET");
}
return postAccessToken(principal, parameters);
}
我尝试发出与上述 URL 相同的 POST 请求,但我收到 InsufficientAuthenticationException 和错误消息
I have tried to make a POST request same as above URL, but I get InsufficientAuthenticationException with the error message
没有客户端身份验证.尝试添加适当的身份验证过滤器
There is no client authentication. Try adding an appropriate authentication filter
这是因为 TokenEndpoint.java 中的以下 POST 请求控制器.当我调试时,我看到 principal 为空.
This is because of the following POST request controller in TokenEndpoint.java. When I debug, I see that principal is null.
@RequestMapping(value = "/oauth/token", method=RequestMethod.POST)
public ResponseEntity<OAuth2AccessToken> postAccessToken(Principal principal, @RequestParam
Map<String, String> parameters) throws HttpRequestMethodNotSupportedException {
//principal is null here
if (!(principal instanceof Authentication)) {
throw new InsufficientAuthenticationException(
"There is no client authentication. Try adding an appropriate authentication filter.");
}
.............
}
我有一个身份验证过滤器,当我使用 version 1.0 时,它运行良好.这是我的配置的相关内容:
I have an authentication filter and it worked well when I used version 1.0. This is the relevant prats of my config:
<authentication-manager xmlns="http://www.springframework.org/schema/security">
<authentication-provider user-service-ref="userDetailsService"/>
</authentication-manager>
<bean id="userDetailsService" class="com.hcl.nc.service.UserDetailsService">
<constructor-arg><ref bean="sessionFactory" /></constructor-arg>
</bean>
我一直认为请求将由 authentication-provider 进行身份验证并转到 token-endpoint 但这似乎不是正确的流程.使用2.0.7版调试应用程序后,现在我真的怀疑我对流程的理解.
I always thought that the request will be authenticated by authentication-provider and goes to token-endpoint but that does not seem to be the correct flow. After debugging the application with version 2.0.7, now I really doubt my understanding about the flow.
谁能解释一下为什么它在以前的版本中有效,为什么现在不起作用?
我是否需要做一些不同的事情才能获得 OAuth 令牌?
注意:我已经检查了这些问题:此处,此处,此处.但是我找不到正确的解决方案.
NOTE: I have already checked these questions : here, here, here. But I was not able to find the correct solution.
推荐答案
我不知道以前的版本,但我对2.0.7有点了解.
I don't know the previous version, but I know a bit about 2.0.7.
我怀疑您的问题是您的 TokenEndpoint 安全尝试针对您的 用户 服务验证您的客户端.
I suspect your problem is that your TokenEndpoint security tries to authenticate your clients against your user service.
TokenEndpoint 由 BasicAuthenticationFilter 保护.默认情况下,此过滤器将使用 AuthenticationManager 实例,该实例本身包含一个 AuthenticationProvider,它本身取决于 UserDetailsService 的实例.诀窍是 UserDetailsService 的这个特定实例必须基于 客户端,而不是基于 用户:这就是为什么有 ClientDetailsUserDetailsService,将 ClientDetailsService 适配为 UserDetailsService.
The TokenEndpoint is protected by a BasicAuthenticationFilter. By default this filter would use an AuthenticationManager instance, which itself holds an AuthenticationProvider, which itself depends on an instance of UserDetailsService.
The trick is that this particular instance of UserDetailsService must be client based, not user based : that's why there is a ClientDetailsUserDetailsService, which adapts ClientDetailsService to UserDetailsService.
通常,当您使用框架的配置类AuthorizationServerConfigurerAdapter、@EnableAuthorizationServer 等时,默认情况下所有这些内容都已完成.
Normally all this stuff is already done by default when you use the framework's configuration classes AuthorizationServerConfigurerAdapter, @EnableAuthorizationServer, etc..
这篇关于Spring OAuth2 - 没有客户端身份验证.尝试添加适当的身份验证过滤器的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
