Validating Auth0 Token - Spring Security
Posted: 2021-12-17 22:09:16

Question:
I am validating an auth0 token in a Spring Boot application with the help of this official doc.
When running the application, it throws an exception:
2021-11-03 19:12:09.669 WARN 18128 --- [ main] ConfigServletWebServerApplicationContext : Exception encountered during context initialization - cancelling refresh attempt: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'springSecurityFilterChain' defined in class path resource [org/springframework/security/config/annotation/web/configuration/WebSecurityConfiguration.class]: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [javax.servlet.Filter]: Factory method 'springSecurityFilterChain' threw exception; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'jwtDecoder' defined in class path resource [com/talenlio/common/security/SecurityConfig.class]: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.springframework.security.oauth2.jwt.JwtDecoder]: Factory method 'jwtDecoder' threw exception; nested exception is java.lang.IllegalArgumentException: Unable to resolve the Configuration with the provided Issuer of "https://dummy/api"
My end goal is to validate the auth0 token I receive from the frontend.
application.yaml

spring:
  security:
    oauth2:
      resourceserver:
        jwt:
          issuer-uri: https://my-domain-at.auth0.com/
auth0:
  grantType: client_credentials
  audience: https://dummy/api
  clientId: XXXXXXXXX
  clientSecret: YYYYY
  applicationDomain: https://my-domain-at.auth0.com/
Question comments:
Answer 1:
Make sure you follow the specification for spring.security.oauth2.resourceserver.jwt.issuer-uri:

The value will be your Auth0 domain with an https:// prefix and a / suffix (the trailing slash is important).

It is "https://dummy/api/", not "https://dummy/api".
Answer comments:
Tried this, it doesn't work. According to the docs, only the issuer url has the slash.

I saw your trace log 2021-11-03 19:12:09.669 WARN 18128 --- [ main] java.lang.IllegalArgumentException: Unable to resolve the Configuration with the provided Issuer of "https://dummy/api", which is why I thought "https://dummy/api/" was your domain. Are you sure you got it right? Something like issuer-uri: https://YOUR_DOMAIN/. Spring uses your issuer-uri + .well-known/jwks.json to discover the authorization server's public key and validate the JWT signature. You can open this link in a browser, https://YOUR_DOMAIN/.well-known/jwks.json, to see the list of keys.