OAuth2 - 检索令牌时 OPTIONS 请求上的状态 401 [英] OAuth2 - Status 401 on OPTIONS request while retrieving TOKEN
问题描述
我们的堆栈使用 Backbone 作为客户端应用程序,使用 Spring Boot 作为 RESTful API.
Our stack uses Backbone as our client-side app and Spring Boot as a RESTful API.
我们正在尝试使用 OAuth2 进行基本身份验证,用户提供用户名和密码.
We're trying to make basic authentication using OAuth2 with user providing username and password.
我们使用 Spring Security 进行身份验证,使用 jQuery $.ajax 方法进行请求.然而,在我们甚至可以使用我们的秘密进行 POST 标头授权之前,我们得到的响应是预检选项请求的 401(未授权)状态.但是,我们可以毫无问题地 POST 或 GET 任何其他资源.OPTIONS 请求的服务器响应是 200(ok),然后它跟进 POST 请求.
We use Spring Security for authentication and jQuery $.ajax method for making requests. However the response we get is 401(unauthorized) status on preflight OPTIONS request before we can even POST header with our secret to authorize. However we can POST or GET any other resource without any problems. Server response for OPTIONS request is 200(ok) and then it follows up with POST request.
那么为什么来自/oauth/token 的 OPTIONS 请求响应具有 401 状态,即使它不应该?它不会让我们授权自己,因为它卡在我们无法添加授权标头的 OPTIONS 请求中.
So why is that an OPTIONS request from /oauth/token responses with 401 status even when it shouldn't? It won't let us authorize ourselves because it get's stuck at OPTIONS request in which we can't add authorization header.
这是我们在前端处理请求的方式:
This is how we handle requests on front-end:
$.ajax({
url: "http://localhost:8080/oauth/token",
type: "POST",
beforeSend: function(xhr) {
xhr.setRequestHeader("Authorization", "Basic Y2xpZW50YXBwOjEyMzQ1Ng==");
},
data: {
password: "qwerty",
username: "jkowalski",
grant_type: "password"
}
});
这是我们的 OAuth2 配置:
This is our OAuth2 config:
@Configuration
public class OAuth2ServerConfiguration {
private static final String RESOURCE_ID = "restservice";
@Configuration
@EnableResourceServer
protected static class ResourceServerConfiguration extends
ResourceServerConfigurerAdapter {
[...]
@Override
public void configure(HttpSecurity http) throws Exception {
http.csrf().disable();
http
.authorizeRequests()
.anyRequest().permitAll();
}
}
[...]
@Configuration
@EnableAuthorizationServer
protected static class OAuth2AuthorizationConfig extends
AuthorizationServerConfigurerAdapter {
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
// @formatter:off
clients
.inMemory()
.withClient("clientapp")
.authorizedGrantTypes("password", "refresh_token")
.authorities("USER","ADMIN")
.scopes("read", "write")
.resourceIds(RESOURCE_ID)
.secret("123456");
// @formatter:on
}
[...]
}
推荐答案
我只能从理论上回答你的问题:
I can just answer your questions in theory:
那么为什么来自/oauth/token 的 OPTIONS 请求响应具有 401 状态,即使它不应该?它不会让我们授权自己,因为它卡在我们无法添加授权标头的 OPTIONS 请求中.
So why is that an OPTIONS request from /oauth/token responses with 401 status even when it shouldn't? It won't let us authorize ourselves because it get's stuck at OPTIONS request in which we can't add authorization header.
这是因为 AuthServer 的默认配置 是只允许在令牌端点进行完全身份验证的请求.
This is because the default configuration of the AuthServer is to allow only a fully authenticated request at the token endpoint.
在您的资源服务器中,您允许所有请求在没有身份验证的情况下发生:http.authorizeRequests().anyRequest().permitAll();
In your Resource server, you allow all requests to happen without authentication with this: http.authorizeRequests().anyRequest().permitAll();
我试图解决这种情况,就像这里提到的here,但我无法让它为我工作.
I tried to solve this circumstance like mentioned here, but I couldn't get that working for me.
为了完整起见,我也在这里提到,你必须添加一个 CorsFilter 将正确的标题添加到 OPTIONS 预检请求中.
Just for completeness I also mention here, that you have to add a CorsFilter to add the correct Headers to the OPTIONS preflight request.
我也问了一个非常相似的问题,所以也许如果我的问题得到解答,您也可以使用这些信息解决您的问题.
I also asked a very similar question, so maybe if mine gets answered, you are capable of solving your problem as well with these informations.
这篇关于OAuth2 - 检索令牌时 OPTIONS 请求上的状态 401的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
