
403 Forbidden when hitting the Okta Userinfo endpoint with Spring Boot

Source: compiled from the web | Views: 265

I am trying to set up Okta as the login for a set of sub-paths in my Spring Boot application. I configure the auth resource details with the following:

    @Bean(name = "oktaOAuthClient")
    public AuthorizationCodeResourceDetails oktaOAuthAdminClient(
            @Qualifier("oktaAdminConfiguration") OktaConfigurationProperties oktaAdminConfig,
            ICredentialsApi credentialsApi) {
        // Redirect URI registered with Okta; must match the redirect_uri sent on the token request
        String redirectUrl = UriComponentsBuilder.fromUriString("http://localhost:8091/")
                .path(ConfigurationRequestPaths.ADMINISTRATION_LANDING)
                .build(false)
                .toUriString();
        AuthorizationCodeResourceDetails client = new AuthorizationCodeResourceDetails();
        client.setClientId(oktaAdminConfig.getClientId());
        client.setClientSecret(oktaAdminConfig.getClientSecret());
        client.setAccessTokenUri(oktaAdminConfig.getAccessTokenUri());
        client.setUserAuthorizationUri(oktaAdminConfig.getUserAuthorizationUri());
        client.setClientAuthenticationScheme(AuthenticationScheme.header);
        client.setPreEstablishedRedirectUri(redirectUrl);
        client.setScope(OKTA_SCOPES);
        client.setUseCurrentUri(false);
        return client;
    }

These and the other settings are read manually from application.properties and are set to:

    okta.admin.clientId={id}
    okta.admin.clientSecret={secret}
    okta.admin.accessTokenUri=https://dev-{value}.okta.com/oauth2/default/v1/token
    okta.admin.userAuthorizationUri=https://dev-{value}.okta.com/oauth2/default/v1/authorize
    okta.admin.issuer=https://dev-{value}.okta.com/oauth2/default
    okta.admin.userInfoUrl=https://dev-{value}.okta.com/oauth2/default/v1/userinfo

Then I set up the filter with the following (note: is the clientId passed to UserTokenInfoServices meant to be the client id from the Okta client id / client secret pair?):

    @Bean(name = "oktaFilter")
    public Filter oktaFilter(
            @Qualifier("oktaOAuthClient") AuthorizationCodeResourceDetails oktaOAuthClient,
            @Qualifier("oktaOAuthResource") ResourceServerProperties resource,
            @Qualifier("oktaOAuthRestTemplate") OAuth2RestTemplate oktaOAuthRestTemplate) {
        ExceptionMappingAuthenticationFailureHandler failureHandler = new ExceptionMappingAuthenticationFailureHandler();
        failureHandler.setDefaultFailureUrl("/");
        OAuth2ClientAuthenticationProcessingFilter filter =
                new OAuth2ClientAuthenticationProcessingFilter(ConfigurationRequestPaths.ADMINISTRATION_LANDING);
        // Resolves the authenticated principal by calling the userinfo endpoint with the access token
        UserInfoTokenServices tokenServices =
                new UserInfoTokenServices(resource.getUserInfoUri(), oktaOAuthClient.getClientId());
        tokenServices.setRestTemplate(oktaOAuthRestTemplate);
        filter.setRestTemplate(oktaOAuthRestTemplate);
        filter.setTokenServices(tokenServices);
        SavedRequestAwareAuthenticationSuccessHandler successHandler = new SavedRequestAwareAuthenticationSuccessHandler();
        successHandler.setUseReferer(true);
        filter.setAuthenticationSuccessHandler(successHandler);
        filter.setAuthenticationFailureHandler(failureHandler);
        return filter;
    }

Finally, I set up the WebSecurityConfigurerAdapter with the following:

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.antMatcher("/config/**")
            .authorizeRequests()
                .antMatchers("/config").permitAll()
                .anyRequest().authenticated()
                .and()
            .exceptionHandling()
                .authenticationEntryPoint(oktaLoginHandler)
                .and()
            .logout()
                .addLogoutHandler(oktaLogoutHandler)
                .logoutSuccessUrl(externalAccessUrl)
                .permitAll()
                .and()
            .addFilterBefore(oktaFilter, BasicAuthenticationFilter.class);
    }

The redirect for the sub-paths works fine and goes to a login page, but after logging in I get an error warning:

    org.springframework.security.authentication.BadCredentialsException: Could not obtain user details from token
    ...
    Caused by: org.springframework.security.oauth2.common.exceptions.InvalidTokenException:

I think this is most likely related to getting a 403 when hitting the Okta userinfo endpoint:

    Request is to process authentication
    Retrieving token from https://dev-{value}.okta.com/oauth2/default/v1/token
    Encoding and sending form: {grant_type=[authorization_code], code=[{code}], redirect_uri=[http://localhost:8091/config], client_id=[{id}], client_secret=[{secret}]}
    HTTP GET https://dev-{value}.okta.com/oauth2/default/v1/userinfo
    Accept=[application/json, application/*+json]
    Response 403

I have also tried the Okta starter, but it seems to break when used together with another OAuth login (for GitHub) on a different set of sub-paths in the application. The Spring version I am using does not include .oauthLogin() and the other HttpSecurity settings I have seen in some guides.

Edit: adding my Spring dependency list for clarity:

    org.springframework:spring-beans:5.1.20.RELEASE
    org.springframework:spring-context:5.1.20.RELEASE
    org.springframework:spring-jdbc:5.1.20.RELEASE
    org.springframework:spring-tx:5.1.20.RELEASE
    org.springframework:spring-web:5.1.20.RELEASE
    org.springframework:spring-webmvc:5.1.20.RELEASE
    org.springframework:spring-test:5.1.20.RELEASE
    org.springframework.boot:spring-boot-actuator:2.1.18.RELEASE
    org.springframework.boot:spring-boot-autoconfigure:2.1.18.RELEASE
    org.springframework.boot:spring-boot-configuration-processor:2.1.18.RELEASE
    org.springframework.boot:spring-boot-starter:2.1.18.RELEASE
    org.springframework.boot:spring-boot-starter-actuator:2.1.18.RELEASE
    org.springframework.boot:spring-boot-starter-security:2.1.18.RELEASE
    org.springframework.boot:spring-boot-starter-thymeleaf:2.1.18.RELEASE
    org.springframework.boot:spring-boot-starter-web:2.1.18.RELEASE
    org.springframework.boot:spring-boot-starter-test:2.1.18.RELEASE
    org.springframework.retry:spring-retry:1.3.1
    org.springframework.security:spring-security-config:5.1.13.RELEASE
    org.springframework.security:spring-security-core:5.1.13.RELEASE
    org.springframework.security:spring-security-ldap:5.1.13.RELEASE
    org.springframework.security:spring-security-web:5.1.13.RELEASE
    org.springframework.security.oauth:spring-security-oauth2:2.3.8.RELEASE
    org.springframework.security.oauth.boot:spring-security-oauth2-autoconfigure:2.1.18.RELEASE
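A diagnostic worth running before changing the Spring wiring, added here as an example and not part of the original question: the token exchange in the log succeeds and only the userinfo call is refused, so the claims inside the access token decide the outcome. Okta's /userinfo requires the access token to carry the openid scope (a token minted without it is refused even though it is otherwise valid), the token must come from the same authorization server the userinfo URL belongs to, and it must not be expired. The script below reads those claims from a token you already hold, without verifying the signature (it is an inspection aid only, never an authorization check). It assumes the issuer from the question's properties, Okta's default audience api://default for the /oauth2/default authorization server, and that the access token is a JWT, as tokens from an Okta custom authorization server are; the tokens it runs against are constructed inline so it works offline.

```python
import base64
import json
import time
from typing import List, Optional

# Expected values for the configuration in the question. The issuer is the one
# from application.properties; the audience is Okta's default for the "default"
# authorization server (an assumption for this example).
EXPECTED_ISSUER = "https://dev-{value}.okta.com/oauth2/default"
EXPECTED_AUDIENCE = "api://default"


def _b64url_decode(segment: str) -> bytes:
    """Base64url-decode one JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS WITHOUT checking its signature.
    Only for troubleshooting a token you already hold; never use this to decide
    whether a request is authorized."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def diagnose_userinfo_token(token: str, now: Optional[float] = None) -> List[str]:
    """List the reasons an Okta /userinfo call with this access token would be
    refused, judged from the token's own claims. Empty list = nothing obvious."""
    claims = decode_jwt_claims(token)
    now = time.time() if now is None else now
    problems: List[str] = []

    # Okta puts granted scopes in the 'scp' claim; /userinfo needs 'openid'.
    scopes = claims.get("scp", [])
    if "openid" not in scopes:
        problems.append("missing 'openid' scope (scp=%r)" % (scopes,))

    # A token from another authorization server (e.g. the org server) is not
    # accepted by the /oauth2/default userinfo endpoint.
    if claims.get("iss") != EXPECTED_ISSUER:
        problems.append("issuer %r is not %r" % (claims.get("iss"), EXPECTED_ISSUER))

    aud = claims.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    if EXPECTED_AUDIENCE not in aud:
        problems.append("audience %r does not include %r" % (aud, EXPECTED_AUDIENCE))

    if claims.get("exp", 0) <= now:
        problems.append("token expired at exp=%r" % claims.get("exp"))

    return problems


def make_constructed_token(claims: dict) -> str:
    """Build a constructed, UNSIGNED token shaped like an Okta access token so the
    diagnostic has something to read offline. The signature segment is a fixed
    placeholder and verifies against nothing."""
    header = {"alg": "RS256", "kid": "constructed-kid", "typ": "JWT"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        "placeholder-signature",
    ])


# Constructed sample tokens: one requested without 'openid', one with it.
_BASE_CLAIMS = {
    "iss": EXPECTED_ISSUER,
    "aud": EXPECTED_AUDIENCE,
    "sub": "user@example.com",
    "cid": "{id}",
    "exp": 1_900_000_000,
}
TOKEN_WITHOUT_OPENID = make_constructed_token({**_BASE_CLAIMS, "scp": ["profile", "email"]})
TOKEN_WITH_OPENID = make_constructed_token({**_BASE_CLAIMS, "scp": ["openid", "profile", "email"]})

if __name__ == "__main__":
    for label, tok in (("without openid", TOKEN_WITHOUT_OPENID), ("with openid", TOKEN_WITH_OPENID)):
        print(label, "->", diagnose_userinfo_token(tok, now=1_700_000_000) or "looks usable")
```

To use it on a real token, paste the access token logged by the token exchange into diagnose_userinfo_token(). If the first finding is the missing openid scope, the fix is on the client side: OKTA_SCOPES passed to client.setScope() has to include openid before the token request, since the userinfo endpoint cannot return claims for a token that never asked for them.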
