问题:
OAuth2使用社交帐户进行身份验证,并将jwt令牌存储在数据库中
卫和洽
我遵循教程系列:https://www.callicoder.com/spring-boot-security-oauth2-social-login-part-1/这是最好的教程,但是令牌不存储在数据库中,令牌的格式不适合我。
我需要一个访问令牌和刷新令牌,例如:
{
"access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJjdXN0b21pemVkIjoidHJ1ZSIsInVzZXJfbmFtZSI6ImRqb25pa2dhQGdtYWlsLmNvbSIsInNjb3BlIjpbInJlYWQiLCJ3cml0ZSJdLCJuYW1lIjoi0JXQstCz0LXQvdC40Lkg0JTQstC-0YDRhtC10LLQvtC5IiwiaWQiOjksImV4cCI6MTU1ODI1NTU1MCwiYXV0aG9yaXRpZXMiOlsiUk9MRV9VU0VSIl0sImp0aSI6Ijg1NjMxZmQ3LTRmNDMtNDIzNC05M2RlLTI5NTUxNDJjZmEzZiIsImNsaWVudF9pZCI6Imp3dENsaWVudElkUGFzc3dvcmQifQ.yP4dWiSdWPh1wsrirXzG6p19gjx5yI9MvsIjyESe1is",
"token_type": "bearer",
"refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJjdXN0b21pemVkIjoidHJ1ZSIsInVzZXJfbmFtZSI6ImRqb25pa2dhQGdtYWlsLmNvbSIsInNjb3BlIjpbInJlYWQiLCJ3cml0ZSJdLCJhdGkiOiI4NTYzMWZkNy00ZjQzLTQyMzQtOTNkZS0yOTU1MTQyY2ZhM2YiLCJuYW1lIjoi0JXQstCz0LXQvdC40Lkg0JTQstC-0YDRhtC10LLQvtC5IiwiaWQiOjksImV4cCI6MTU2MDg0NjY1MCwiYXV0aG9yaXRpZXMiOlsiUk9MRV9VU0VSIl0sImp0aSI6Ijg4Y2FlNzYzLTJmOTItNDQ2Ni1hMmU3LTk0NGZmODQ4NmQ5NCIsImNsaWVudF9pZCI6Imp3dENsaWVudElkUGFzc3dvcmQifQ.0cUifDOtxAryTGD0qn2GHPtiAoNSlDfd3fpamlGGGrE",
"expires_in": 899,
"scope": "read write"
}
在通过谷歌(google)等社交账户进行身份验证后,我通过手动创建令牌,并重定向以获取令牌的一些数据,但令牌无效。
get - http://localhost:8080/user/me
bearer: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOlsicmVzb3VyY2VJZFRlc3QiXSwiY3VzdG9taXplZCI6InRydWUiLCJ1c2VyX25hbWUiOiJkam9uaWtnYUBnbWFpbC5jb20iLCJzY29wZSI6WyJyZWFkIiwid3JpdGUiXSwibmFtZSI6ItCV0LLQs9C10L3QuNC5INCU0LLQvtGA0YbQtdCy0L7QuSIsImlkIjo5LCJleHAiOjE1NTgyNTM3NTEsImF1dGhvcml0aWVzIjpbIlJPTEVfVVNFUiJdLCJqdGkiOiJhYzY0M2M2Yy0wZDYyLTQ2MDMtOWYxMy0wODE5MmNlYmYzZDAiLCJjbGllbnRfaWQiOiJqd3RDbGllbnRJZFBhc3N3b3JkIn0.d9_1gc_9PbrkG5mwoLRymBiPWpmH0VTcSEdnhz1aaxA
我收到回应
{
"error": "access_denied",
"error_description": "Invalid token does not contain resource id (jwtClientIdPassword)"
}
我有一个前端-反应,授权服务器-Spring安全5.0,postgres。我还使用OAuth 2.0和密码授予流进行身份验证。令牌存储在数据库中。
我的授权适配器
@Bean
public TokenEnhancer tokenEnhancer() {
return new CustomTokenEnhancer();
}
@Bean
protected AuthorizationCodeServices authorizationCodeServices() {
return new JdbcAuthorizationCodeServices(dataSource.dataSource());
}
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
final TokenEnhancerChain tokenEnhancerChain = new TokenEnhancerChain();
tokenEnhancerChain.setTokenEnhancers(Arrays.asList(tokenEnhancer(), jwtAccessTokenConverter()));
endpoints.authenticationManager(this.authenticationManager)
.tokenEnhancer(tokenEnhancerChain)
.tokenStore(tokenStore());
}
@Bean
public JwtAccessTokenConverter jwtAccessTokenConverter() {
CustomTokenConverter converter = new CustomTokenConverter();
converter.setSigningKey(signingKey);
return converter;
}
@Bean
@Primary
//Making this primary to avoid any accidental duplication with another token service instance of the same name
public DefaultTokenServices tokenServices() {
DefaultTokenServices defaultTokenServices = new DefaultTokenServices();
defaultTokenServices.setTokenStore(tokenStore());
defaultTokenServices.setSupportRefreshToken(true);
defaultTokenServices.setTokenEnhancer(jwtAccessTokenConverter());
return defaultTokenServices;
}
@Bean
public TokenStore tokenStore() {
return new JwtTokenStore(jwtAccessTokenConverter());
}
我的安全网络适配器
@Bean
public HttpCookieOAuth2AuthorizationRequestRepository cookieAuthorizationRequestRepository() {
return new HttpCookieOAuth2AuthorizationRequestRepository();
}
@Override
public void configure(AuthenticationManagerBuilder authenticationManagerBuilder) throws Exception {
authenticationManagerBuilder
.userDetailsService(customUserDetailsService)
.passwordEncoder(passwordEncoder());
}
@Bean
public PasswordEncoder passwordEncoder() {
return DefaultPasswordEncoderFactories.createDelegatingPasswordEncoder();
}
@Bean(BeanIds.AUTHENTICATION_MANAGER)
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.cors()
.and()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.csrf().disable()
.formLogin().disable()
.httpBasic().disable()
.exceptionHandling()
.authenticationEntryPoint(new RestAuthenticationEntryPoint())
.and()
.authorizeRequests()
.antMatchers("/auth/**", "/oauth2/**").permitAll()
.anyRequest()
.authenticated()
.and()
.oauth2Login()
.authorizationEndpoint().baseUri("/oauth2/authorize")
.authorizationRequestRepository(cookieAuthorizationRequestRepository())
.and()
.redirectionEndpoint().baseUri("/oauth2/callback/*")
.and()
.userInfoEndpoint()
.userService(customOAuth2UserService)
.and()
.successHandler(oAuth2AuthenticationSuccessHandler)
.failureHandler(oAuth2AuthenticationFailureHandler);
http.addFilterBefore(tokenAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class);
}
在oAuth2AuthenticationSuccessHandler中。在AuthenticationSuccess中,我尝试创建令牌
@Component
public class OAuth2AuthenticationSuccessHandler extends SimpleUrlAuthenticationSuccessHandler {
private TokenProvider tokenProvider;
private AppProperties appProperties;
private HttpCookieOAuth2AuthorizationRequestRepository httpCookieOAuth2AuthorizationRequestRepository;
=====
@Override
public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
String targetUrl = determineTargetUrl(request, response, authentication);
if (response.isCommitted()) {
logger.debug("Response has already been committed. Unable to redirect to " + targetUrl);
return;
}
clearAuthenticationAttributes(request, response);
getRedirectStrategy().sendRedirect(request, response, targetUrl);
}
protected String determineTargetUrl(HttpServletRequest request, HttpServletResponse response, Authentication authentication) {
Optional<String> redirectUri = CookieUtils.getCookie(request, REDIRECT_URI_PARAM_COOKIE_NAME)
.map(Cookie::getValue);
if(redirectUri.isPresent() && !isAuthorizedRedirectUri(redirectUri.get())) {
throw new BadRequestException("Sorry! We've got an Unauthorized Redirect URI and can't proceed with the authentication");
}
String targetUrl = redirectUri.orElse(getDefaultTargetUrl());
OAuth2AccessToken accessToken = tokenProvider.createAccessToken(authentication);
return UriComponentsBuilder.fromUriString(targetUrl)
.queryParam("token", accessToken.getValue())
.build().toUriString();
}
在这里,我尝试创建jwt令牌
@Service
public class TokenProvider {
private static final Logger logger = LoggerFactory.getLogger(TokenProvider.class);
private AppProperties appProperties;
@Autowired
private TokenStore tokenStore;
@Autowired
private AuthorizationServerEndpointsConfiguration configuration;
public TokenProvider(AppProperties appProperties) {
this.appProperties = appProperties;
}
public OAuth2AccessToken createAccessToken(Authentication authentication) {
UserPrincipal user = (UserPrincipal)authentication.getPrincipal();
List<String> scopes = new ArrayList<>();
scopes.add("read");
scopes.add("write");
Map<String, String> requestParameters = new HashMap<String, String>();
Map<String, Serializable> extensionProperties = new HashMap<String, Serializable>();
requestParameters.put("client_id", "jwtClientIdPassword");
requestParameters.put("grant_type", "password");
requestParameters.put("scope", "read,write");
requestParameters.put("client_secret", "client");
requestParameters.put("username", user.getEmail());
requestParameters.put("password", user.getPassword());
boolean approved = true;
Set<String> responseTypes = new HashSet<String>();
responseTypes.add("code");
OAuth2Request oauth2Request = new OAuth2Request(requestParameters, "jwtClientIdPassword", user.getAuthorities(), approved, new HashSet<String>(scopes), new HashSet<String>(Arrays.asList("resourceIdTest")), null, responseTypes, extensionProperties);
UsernamePasswordAuthenticationToken authenticationToken = new UsernamePasswordAuthenticationToken(user, "N/A", user.getAuthorities());
OAuth2Authentication auth = new OAuth2Authentication(oauth2Request, authenticationToken);
AuthorizationServerTokenServices tokenService = configuration.getEndpointsConfigurer().getTokenServices();
OAuth2AccessToken token = tokenService.createAccessToken(auth);
return token;
}
我不确定我做得对。
共有1个答案
韦宏朗
我发现了问题所在。我弄错了参数
new HashSet<String>(Arrays.asList("resourceIdTest"))
我改变了密码
public OAuth2AccessToken createAccessToken(Authentication authentication) {
UserPrincipal userPrincipal = (UserPrincipal)authentication.getPrincipal();
Set<GrantedAuthority> authorities = new HashSet(userPrincipal.getAuthorities());
Map<String, String> requestParameters = new HashMap<>();
String clientId = "jwtClientIdPassword";
boolean approved = true;
Set<String> resourceIds = new HashSet<>();
Set<String> responseTypes = new HashSet<>();
responseTypes.add("code");
Map<String, Serializable> extensionProperties = new HashMap<>();
List<String> scopes = new ArrayList<>();
scopes.add("read");
scopes.add("write");
OAuth2Request oAuth2Request = new OAuth2Request(requestParameters, clientId,
authorities, approved, new HashSet<>(scopes),
resourceIds, null, responseTypes, extensionProperties);
UsernamePasswordAuthenticationToken authenticationToken = new UsernamePasswordAuthenticationToken(userPrincipal, null, authorities);
OAuth2Authentication auth = new OAuth2Authentication(oAuth2Request, authenticationToken);
AuthorizationServerTokenServices tokenService = configuration.getEndpointsConfigurer().getTokenServices();
OAuth2AccessToken token = tokenService.createAccessToken(auth);
return token;
}
类似资料:
-
我尝试在Azure门户上创建的O365应用程序上进行身份验证,但它没有按预期工作。 以下代码运行良好,但它使用的是登录/密码,Microsoft不推荐使用。(在此处找到https://github.com/jstedfast/MailKit/issues/989) 事实上,我希望能够使用tenanid、客户端机密和clientid进行身份验证,但没有交互模式(因为该应用程序是Windows服务)。
-
我正在尝试为我的应用程序构建一个身份验证解决方案。我使用React作为前端,使用API模式下的Rails作为后端。我有一个外部身份验证解决方案,我需要使用它。我无意中发现了Knock for JWT令牌管理,但我不理解文档,尤其是这部分“它必须有一个身份验证方法,类似于has_secure_password添加的方法”,因为由于我的外部身份验证服务,我没有用户模型。因此,在我的头脑中,登录请求将发
-
jwt不应该仅仅用于认证用户吗?我读到过可以在里面存储非敏感的东西,比如用户ID。将权限级别之类的东西存储在令牌中可以吗?这样我可以避免数据库调用。
-
在我的Jitsi Meet Prodody配置文件中:~/。jitsi meet cfg/prosody/config/conf.d 我有以下配置: 有了它,我可以通过令牌进行身份验证。 但是,如果我不指定任何令牌,例如: https://jitsi.mydummyserver.com/test 然后我得到以下提示询问用户和密码: 有没有办法只允许令牌身份验证并完全摆脱那个提示? 谢谢
-
各位程序员, 我目前正在努力解决Web Api 2中的微软账户JWT令牌验证问题。我已经找到了OWIN中间件。Owin.Security.Jwt)下面是我的Startup.cs配置的代码: 我在这里找到了这个片段: http://code.lawrab.com/2014/01/securing-webapi-with-live-id.html JWT令牌使用Live SDK从我的Windows应用
-
致命:“https://github.com/scuzzlebuzzle/ol3-1.git/'”身份验证失败