Description

I have an authorization server and a client server. The authorization server works fine; I tested it with Postman and obtained an accessToken and an authorization code. But the client server does not work. In authorization_code mode, the client logs in and then successfully gets the authorization code from the authorization server; in the next step the browser should redirect to the redirect_uri, but it does not: it redirects to the client's login page instead.
Information

Java 8, spring-boot-starter-parent 1.4.5, spring-boot-starter-security, spring-security-oauth2

Problem location
org.springframework.security.oauth2.client.token.AccessTokenProviderChain.obtainAccessToken(OAuth2ProtectedResourceDetails, AccessTokenRequest)

    Authentication auth = SecurityContextHolder.getContext().getAuthentication();
    if (auth instanceof AnonymousAuthenticationToken) {
        if (!resource.isClientOnly()) {
            throw new InsufficientAuthenticationException(
                    "Authentication is required to obtain an access token (anonymous not allowed)");
        }
    }

The Authentication from SecurityContextHolder is an AnonymousAuthenticationToken, and I don't know why.
Client server configuration
    @SpringBootApplication
    @EnableOAuth2Client
    public class App {
        .............
    }

    @Configuration
    public class CustomWebMvcConfig extends WebMvcConfigurerAdapter {
        @Override
        public void addViewControllers(ViewControllerRegistry registry) {
            registry.addViewController("/").setViewName("index");
            registry.addViewController("/login").setViewName("login");
            super.addViewControllers(registry);
        }
    }

    @Configuration
    public class CustomWebSecurityConfig extends WebSecurityConfigurerAdapter {
        @Autowired
        private UserDetailsService userService;

        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.userDetailsService(userService);
            super.configure(auth);
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .antMatchers("/resources/**", "/webjars/**", "/img/**").permitAll()
                    .antMatchers("/login").permitAll()
                    .antMatchers("/getCurrentUserInfo").authenticated() // the resource that needs an access token
                    .anyRequest().permitAll()
                    .and()
                .formLogin().loginPage("/login").failureUrl("/login?error")
                    .defaultSuccessUrl("/")
                    .and()
                .csrf()
                    .disable();
        }
    .............

    // members of the controller that exposes the protected endpoint (class declaration elided above)
    @Autowired
    private OAuth2ClientContext clientContext;

    @RequestMapping("/getCurrentUserInfo")
    @ResponseBody
    public Map<String, String> getCurrentUserInfo() {
        AuthorizationCodeResourceDetails resourceDetails = new AuthorizationCodeResourceDetails();
        resourceDetails.setClientId("authorization_code");
        resourceDetails.setClientSecret("123456");
        resourceDetails.setAccessTokenUri("http://localhost:8080/oauth/token");
        resourceDetails.setUserAuthorizationUri("http://localhost:8080/oauth/authorize");
        resourceDetails.setScope(Arrays.asList("empty"));
        OAuth2RestTemplate restTemplate = new OAuth2RestTemplate(resourceDetails, clientContext);
        // the template first obtains an access token (this is what starts the authorization_code redirect
        // and runs AccessTokenProviderChain.obtainAccessToken), then calls the resource server
        Map<String, String> result = restTemplate.getForObject(URI.create("http://localhost:8082/user/getCurrentUserInfo"), HashMap.class);
        logger.debug("------------------------- result: {}", result);
        return result;
    }

    @Service
    public class UserDetailsServiceImpl implements UserDetailsService {
        private static List<String> grantTypes = Arrays.asList("authorization_code", "password", "client_credentials", "implicit");

        @Override
        public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
            if (!grantTypes.contains(username)) {
                throw new UsernameNotFoundException(String.format("用户 %s 不存在!", username));
            }
            // test-only user: the username is one of the grant type names and the password is fixed
            User user = new User(username, "123456", Arrays.asList());
            return user;
        }
    }

Posted on 2017-03-15 15:07:24
I'm so stupid; this is a cookie (session) problem. My authorization server and client server have the same domain, localhost, but different ports: the authorization server is 8080 and the client server is 8081. The client server logs in first and has a cookie. The authorization server requires a login before the grant can be approved. Logging in on the authorization server overwrites the client's cookie. When the browser redirects to the client's page, the client cannot find its own session using the authorization server's cookie.
https://stackoverflow.com/questions/42763585
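What the answer describes, replayed as an added example (this is not code from the original question or answer): Python's http.cookiejar stands in for the browser, and the two Spring servers are represented only by the Set-Cookie header each would send on login. Cookie scope is the host, not the host:port pair (RFC 6265 section 8.5), so a session cookie set by localhost:8080 is stored under the same key as one set by localhost:8081 and replaces it when the names collide. The ports come from the answer and JSESSIONID is the real default servlet session cookie name; the alternative cookie names, the session ids and the URL paths are constructed values.

```python
"""Simulation of the session-cookie collision between two apps on one host.

Added example, not part of the original question or answer. The browser is
played by http.cookiejar, whose host-based, port-blind cookie matching is the
same as a real browser's; the servers only contribute Set-Cookie headers.
"""
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request


class FakeResponse:
    """Minimal stand-in for an HTTP response: CookieJar only needs .info()."""

    def __init__(self, set_cookie_values):
        self._headers = Message()
        for value in set_cookie_values:
            self._headers.add_header("Set-Cookie", value)

    def info(self):
        return self._headers


def login(jar, url, cookie_name, session_id):
    """The server at `url` answers a login with a session cookie; the browser stores it."""
    request = Request(url)
    response = FakeResponse([f"{cookie_name}={session_id}; Path=/; HttpOnly"])
    jar.extract_cookies(response, request)


def cookies_sent_to(jar, url):
    """Return, as a dict, the cookies the browser would attach to a request for `url`."""
    request = Request(url)
    jar.add_cookie_header(request)
    header = request.get_header("Cookie", "")
    return dict(part.split("=", 1) for part in header.split("; ") if part)


def simulate(client_cookie_name, auth_cookie_name):
    """Replay the flow from the answer and report what each server receives.

    1. the user logs in at the client (localhost:8081) and gets a client session cookie
    2. the client redirects to the authorization server (localhost:8080); the user logs in there too
    3. the authorization server redirects back to the client's redirect_uri
    The returned dict holds the cookies seen by the client in step 3 and by the
    authorization server in step 2, plus whether the client can still find its own session.
    """
    jar = CookieJar()  # one browser, one cookie store (constructed session ids below)
    login(jar, "http://localhost:8081/login", client_cookie_name, "client-session-A")
    login(jar, "http://localhost:8080/login", auth_cookie_name, "auth-session-B")
    client_sees = cookies_sent_to(jar, "http://localhost:8081/")
    auth_sees = cookies_sent_to(jar, "http://localhost:8080/oauth/authorize")
    return {
        "client_sees": client_sees,
        "auth_sees": auth_sees,
        # the client's HttpSession lookup only succeeds if its own id comes back
        "client_session_survived": client_sees.get(client_cookie_name) == "client-session-A",
    }


if __name__ == "__main__":
    print("both apps use JSESSIONID:", simulate("JSESSIONID", "JSESSIONID"))
    print("distinct cookie names:   ", simulate("CLIENTSESSION", "AUTHSESSION"))
```

With the default name on both sides, the second login replaces the first cookie and the client is sent back to its login page exactly as in the question. The fix the simulation points at is to give each application a session cookie the other cannot overwrite: in Spring Boot 1.x, set `server.session.cookie.name` to different values on the client and the authorization server, or deploy them under different `server.context-path` values so the cookies' Path attributes differ. Even with distinct names the browser still sends both cookies to both servers, so two session-based apps sharing one host are not isolated from each other by the port alone.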