I am trying to simulate the Keycloak endpoint /protocol/openid-connect/token in JMeter. Even though I have the relevant code parameter and pass it correctly, there is a thing called code_verifier which is not found in any previous request. Sample request and response are provided below for your reference. Could someone help me here if there are any other steps I have to take to overcome the issue in the attached response?
Request:
POST https://{HOST}/auth/realms/{Appname}/protocol/openid-connect/token
POST data:
code=f99e9da5-cfcf-4069-aaec-b53mee00af54.e46a981h-5291-4862-b6fd-abc7f2d222f2.87488f77-3b05-47b0-afd7-8a8c80b384e7%0AContent-Length%3A+0%0ADate%3A+Wed%2C+29+Dec+2021+18%3A30%3A26+GMT%0A&grant_type=authorization_code&redirect_uri=https%3A%2F%2Fwebclient-performance.appname.ad%2F&client_id=premium-web-client&code_verifier=YTlYTmoxZ2tXbzM1M0xkVkRfZXg0M280TUhDZXVMYVdIY2hoVzRqTE5ESXkw
Cookie data:
AUTH_SESSION_ID=e46a61f9-5291-4862-b6fd-eff7f2d222f2.d306f6737649;
KEYCLOAK_LOCALE=en;
KEYCLOAK_IDENTITY=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJiZDBmYTc0Ni02Y2NmLTRiMjktYTBmZC1kOWMxMWNmY2RlM2UifQ.eyJleHAiOjE2NDA4ODkwMjYsImlhdCI6MTY0MDgwMjYyNiwianRpIjoiZWFjZDczNDctNDYyNC00Mjk0LWE4NjYtYzRiYmM1MjNiMDlhIiwiaXNzIjoiaHR0cHM6Ly8xNzIuMjYuMjMzLjE0NDoyODA4MC9hdXRoL3JlYWxtcy9uZXh0Z2VuLXNvbmV0Iiwic3ViIjoiOTE4MDcyNDktZWZlYi00ZWZlLWEwY2EtMGRlMTYxZWIzNTU5IiwidHlwIjoiU2VyaWFsaXplZC1JRCIsInNlc3Npb25fc3RhdGUiOiJlNDZhNjFmOS01MjkxLTQ4NjItYjZmZC1lZmY3ZjJkMjIyZjIiLCJzdGF0ZV9jaGVja2VyIjoiU3VmS2tOLXE0UTNDVUhvM2xFblhHZ3NFSWdWSS0wektFR2JKRENzZHpiYyJ9.4XA6eGrUB8HhhLTfNlhY9twiX3oJLQhlFlYDY3zYa6Q;
KEYCLOAK_IDENTITY_LEGACY=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJiABCmYTc0Ni02Y2NmLTRiMjktYTBmZC1kOWMxMWNmY2RlM2UifQ.eyJleHAiOjE2NDA4ODkwMjYsImlhdCI6MTY0MDgwMjYyNiwianRpIjoiZWFjZDczNDctNDYyNC00Mjk0LWE4NjYtYzRiYmM1MjNiMDlhIiwiaXNzIjoiaHR0cHM6Ly8xNzIuMjYuMjMzLjE0NDoyODA4MC9hdXRoL3JlYWxtcy9uZXh0Z2VuLXNvbmV0Iiwic3ViIjoiOTE4MDcyNDktZWZlYi00ZWZlLWEwY2EtMGRlMTYxZWIzNTU5IiwidHlwIjoiU2VyaWFsaXplZC1JRCIsInNlc3Npb25fc3phdGUiOiJlNDZhNjFmOS01MjkxAAA4NjItYjZmZC1lZmY3ZjJkMjIyZjIiLCJzdGF0ZV9jaGVja2VyIjoiU3VmS2tOLXE0UTNDVUhvM2xFblhHZ3NFSWdWSS0wektFR2JKRENzZHpiYyJ9.4XA8bGrUB8HhhLTfNlhY9twiX3oJLQhlFlYDY3zYa6Q;
KEYCLOAK_SESSION=appname/91807249-efeb-4abc-a0ca-0de161eb8741/e46a61f9-2147-4862-b6fd-eff7f2d222f2;
KEYCLOAK_SESSION_LEGACY=name/85211234-efeb-4efe-a0ca-0de161eb1877/e46a78f9-5291-4862-b6fd-eff7f2d899f2

Response:
{"error":"invalid_grant","error_description":"User session not found"}

Posted on 2021-12-30 04:56:10
This code_verifier parameter needs to be generated, not correlated.

See the algorithm description in RFC 7636:
4. Protocol
4.1. Client Creates a Code Verifier
The client first creates a code verifier, "code_verifier", for each
OAuth 2.0 [RFC6749] Authorization Request, in the following manner:
code_verifier = high-entropy cryptographic random STRING using the
unreserved characters [A-Z] / [a-z] / [0-9] / "-" / "." / "_" / "~"
from Section 2.3 of [RFC3986], with a minimum length of 43 characters
and a maximum length of 128 characters.
ABNF for "code_verifier" is as follows.
code-verifier = 43*128unreserved
unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~"
ALPHA = %x41-5A / %x61-7A
DIGIT = %x30-39
NOTE: The code verifier SHOULD have enough entropy to make it
impractical to guess the value. It is RECOMMENDED that the output of
a suitable random number generator be used to create a 32-octet
sequence. The octet sequence is then base64url-encoded to produce a
43-octet URL safe string to use as the code verifier.

A sample implementation is available in the Create code verifier section of the Auth0 documentation:
// Dependencies: JDK only. Base64.getUrlEncoder() below is java.util.Base64,
// so Apache Commons Codec is not needed; these two imports are sufficient.
import java.security.SecureRandom;
import java.util.Base64;

SecureRandom sr = new SecureRandom();   // CSPRNG, as RFC 7636 requires
byte[] code = new byte[32];              // 32 random octets ...
sr.nextBytes(code);
// ... base64url-encoded without padding, which gives a 43-character verifier
String verifier = Base64.getUrlEncoder().withoutPadding().encodeToString(code);

The following line can be added to store the generated value into a JMeter variable:

vars.put("code_verifier", verifier);

and ${code_verifier} can then be used in the HTTP Request sampler instead of the hard-coded value. In the above snippet, vars stands for the JMeterVariables class instance; see the Top 8 JMeter Java Classes You Should Be Using with Groovy article for more details if needed.
The code can be invoked from a JSR223 PreProcessor.
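The answer above shows how to generate the verifier; the other half of RFC 7636 is the code_challenge that has to travel with the authorization request, because the token endpoint recomputes SHA-256 over the submitted code_verifier and compares it with the challenge it stored next to the authorization code. The JSR223 PreProcessor script below is an added example, not code from the original answer or from the Auth0 documentation; the variable names code_verifier, code_challenge and code_challenge_method are this example's choice, and it assumes the standard JMeter bindings vars, ctx and log.

```groovy
// Added example (not from the original answer): JSR223 PreProcessor, language groovy.
// Attach it to the authorization request sampler so a fresh PKCE pair exists
// before the flow starts; the token request sampler later reuses ${code_verifier}.
// Variable names are this example's choice; vars/ctx/log are the objects JMeter
// injects into every JSR223 element.
import java.nio.charset.StandardCharsets
import java.security.MessageDigest
import java.security.SecureRandom

// RFC 7636 section 4.1: 32 octets from a CSPRNG, base64url without padding.
// 32 octets always encode to exactly 43 unreserved characters.
byte[] random = new byte[32]
new SecureRandom().nextBytes(random)
String verifier = Base64.getUrlEncoder().withoutPadding().encodeToString(random)

// RFC 7636 section 4.2, method S256:
// code_challenge = BASE64URL-ENCODE(SHA256(ASCII(code_verifier)))
byte[] digest = MessageDigest.getInstance('SHA-256')
        .digest(verifier.getBytes(StandardCharsets.US_ASCII))
String challenge = Base64.getUrlEncoder().withoutPadding().encodeToString(digest)

// Fail the thread loudly rather than send a malformed pair:
// the RFC grammar is code-verifier = 43*128unreserved.
assert verifier ==~ /[A-Za-z0-9\-._~]{43,128}/
assert challenge.length() == 43 && !challenge.contains('=')

// One pair per iteration, scoped to this thread's variables.
vars.put('code_verifier', verifier)
vars.put('code_challenge', challenge)
vars.put('code_challenge_method', 'S256')
log.info('PKCE pair generated for thread ' + ctx.getThreadNum())
```

The authorization request (GET .../protocol/openid-connect/auth, alongside response_type=code, client_id, redirect_uri and state) then carries code_challenge=${code_challenge}&code_challenge_method=${code_challenge_method}, and the token request carries code_verifier=${code_verifier}. Since Keycloak binds the challenge to the authorization code and the user session, the whole sequence (authorization request, login, token exchange) must run in the same JMeter thread and iteration: a verifier that is hard-coded, copied from a recording, or produced in a different thread than the one that sent the challenge is rejected with invalid_grant. Two further checks against the request in the question: the code value posted there contains an encoded newline followed by Content-Length and Date header text after the code itself, so the extractor feeding the code parameter should match only the code from the redirect Location header; and the Keycloak cookies sent to the token endpoint must be the ones the same thread received during login, not values pasted in from another session.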
https://stackoverflow.com/questions/70523915