Validating Auth0 Token - Spring Security


Title: Validating Auth0 Token - Spring Security
Posted: 2021-12-17 22:09:16

Question:

I am validating an Auth0 token in a Spring Boot application with the help of this official doc.

When I run the application, it throws an exception:

2021-11-03 19:12:09.669  WARN 18128 --- [           main] ConfigServletWebServerApplicationContext : Exception encountered during context initialization - cancelling refresh attempt: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'springSecurityFilterChain' defined in class path resource [org/springframework/security/config/annotation/web/configuration/WebSecurityConfiguration.class]: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [javax.servlet.Filter]: Factory method 'springSecurityFilterChain' threw exception; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'jwtDecoder' defined in class path resource [com/talenlio/common/security/SecurityConfig.class]: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.springframework.security.oauth2.jwt.JwtDecoder]: Factory method 'jwtDecoder' threw exception; nested exception is java.lang.IllegalArgumentException: Unable to resolve the Configuration with the provided Issuer of "https://dummy/api"

My end goal is to validate the Auth0 token I receive from the frontend.

application.yaml

spring:
  security:
    oauth2:
      resourceserver:
        jwt:
          issuer-uri: https://my-domain-at.auth0.com/

auth0:
  grantType: client_credentials
  audience: https://dummy/api
  clientId: XXXXXXXXX
  clientSecret: YYYYY
  applicationDomain: https://my-domain-at.auth0.com/

Comments:

Answer 1:

Make sure you follow the specification for spring.security.oauth2.resourceserver.jwt.issuer-uri:

The value is your Auth0 domain, with the https:// prefix and a / suffix (the trailing slash is important).

It is "https://dummy/api/" rather than "https://dummy/api".

Discussion:

Tried this, it doesn't work. According to the docs, only the issuer URL has the slash.

I see your log trace: 2021-11-03 19:12:09.669 WARN 18128 --- [ main] java.lang.IllegalArgumentException: Unable to resolve the Configuration with the provided Issuer of "https://dummy/api". That is why I assumed "https://dummy/api/" is your domain. Are you sure you have it right? Something like issuer-uri: https://YOUR_DOMAIN/. Spring uses your issuer-uri + .well-known/jwks.json to discover the authorization server's public keys and verify the JWT signature. You can open https://YOUR_DOMAIN/.well-known/jwks.json in a browser to see the list of keys.
