Spring oauth2 / oauth / token无效凭据
Posted
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了Spring oauth2 / oauth / token无效凭据相关的知识,希望对你有一定的参考价值。
这是我的Application.java
@SpringBootApplication
@RestController
@EnableResourceServer
@EnableAuthorizationServer
public class Application {
@RequestMapping(value = { "/user" }, produces = "application/json")
public Map<String, Object> user(OAuth2Authentication user) {
Map<String, Object> userInfo = new HashMap<>();
userInfo.put("user", user.getUserAuthentication().getPrincipal());
userInfo.put("authorities", AuthorityUtils.authorityListToSet(user.getUserAuthentication().getAuthorities()));
return userInfo;
}
public static void main(String[] args) {
SpringApplication.run(Application.class, args);
}
}
Web security configurer.Java
@Configuration
public class WebSecurityConfigurer extends WebSecurityConfigurerAdapter {
@Override
@Bean
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable().authorizeRequests()
.antMatchers("/oauth/token").permitAll().anyRequest().authenticated().and().formLogin().and().httpBasic();
}
@Override
@Bean
public UserDetailsService userDetailsServiceBean() throws Exception {
return super.userDetailsServiceBean();
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth
.inMemoryAuthentication()
.withUser("john.carnell").password("password1").roles("USER")
.and()
.withUser("william.woodward").password("password2").roles("USER", "ADMIN");
}
}
我的Oauth2Config
@Configuration
public class OAuth2Config extends AuthorizationServerConfigurerAdapter {
@Autowired
private AuthenticationManager authenticationManager;
@Autowired
private UserDetailsService userDetailsService;
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients.inMemory()
.withClient("eagleeye")
.secret("thisissecret")
.authorizedGrantTypes("refresh_token", "password", "client_credentials")
.scopes("webclient", "mobileclient");
}
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
endpoints
.authenticationManager(authenticationManager)
.userDetailsService(userDetailsService);
}
}
我试图通过POSTMAN检索访问令牌但是,此错误不断出现
{
"timestamp": 1491436452371,
"status": 401,
"error": "Unauthorized",
"message": "Bad credentials",
"path": "/oauth/token/"
}
这些是我通过POSTMAN传递的值
因为你可以传递正确的值,所以我怀疑它是导致错误的凭据
答案
你应该加密客户端秘密(thisissecret)
@Autowired
private PasswordEncoder passwordEncoder;
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients.inMemory()
.withClient("eagleeye")
//.secret("thisissecret")
.secret(passwordEncoder.encode("thisissecrete"))
.authorizedGrantTypes("refresh_token", "password", "client_credentials")
.scopes("webclient", "mobileclient");
}
由于BCryptPasswordEncoder(org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder),错误出现了
public boolean matches(CharSequence rawPassword, String encodedPassword) {
if (encodedPassword == null || encodedPassword.length() == 0) {
logger.warn("Empty encoded password");
return false;
}
if (!BCRYPT_PATTERN.matcher(encodedPassword).matches()) {
logger.warn("Encoded password does not look like BCrypt");
return false;
}
return BCrypt.checkpw(rawPassword.toString(), encodedPassword);
}
if (!BCRYPT_PATTERN.matcher(encodedPassword).matches())
如果您的客户端密钥未加密,则会引发以下异常。
编码密码看起来不像BCrypt
另一答案
我同意Luke Bajada的观点。我有同样的问题,我必须做的修复是添加@ComponentScan注释,并导入此模块,我通过添加依赖项将所有代码写入父模块。
以上是关于Spring oauth2 / oauth / token无效凭据的主要内容,如果未能解决你的问题,请参考以下文章
Java Spring Security:401 Unauthorized for token OAuth2 端点
Oauth 2 + Spring Security - 出现 403 禁止错误
如何在 Spring OAuth2 中仅通过 client_id 和 secret 进行授权?
Spring Security 入门(1-3)Spring Security oauth2.0 指南