【发布时间】:2018-10-05 09:19:17
【问题描述】:
我有一个授权服务器,它会发出我可以针对我的资源使用的令牌。但是,我希望我的资源能够对其他资源进行 REST 调用。为此,我复制了此链接并能够生成 JWT 令牌: Need to create oAuth2 token manually without password
我注意到当针对休息端点和手动请求时,令牌略有不同。 例如 自动
{
"access_token":"really long string about 1000+ characters"
"token_type":"bearer",
"expires_in":43199,
"scope":"read write"
}
对比手册
{
"access_token": "be662sdf574-787f-4ff7-8d9b-a1ce7520sdf643d",
"token_type": "bearer",
"refresh_token": "8fe69sdf6cc-5d94-4d80-8b3c-736dcabsdf9f70a",
"expires_in": 43199,
"scope": "read write"
}
资源将接受更长的 access_token 并且它可以手动生成自己的。我对同一个资源服务器使用手动创建的令牌,它失败了。有人可以帮助指出我缺少导致此无效令牌的原因吗?只是为了重新迭代,资源服务器接受自动生成的令牌而不是手册
@Component
public class AccessToken{
@Value("${signingKey}")
private String signingKey;
@Value("${scopeRead}")
private String scopeRead;
@Value("${scopeWrite}")
private String scopeWrite;
@Value("${resourceIds}")
private String resourceIds;
public JwtAccessTokenConverter accessTokenConverter() {
JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
converter.setSigningKey(signingKey);
return converter;
}
public TokenStore tokenStore() {
return new JwtTokenStore(accessTokenConverter());
}
public DefaultTokenServices tokenServices() {
DefaultTokenServices defaultTokenServices = new DefaultTokenServices();
defaultTokenServices.setTokenStore(tokenStore());
defaultTokenServices.setSupportRefreshToken(true);
return defaultTokenServices;
}
public OAuth2AccessToken token() {
Map<String, String> requestParameters = new HashMap<>();
requestParameters.put("scope", scopeWrite);
requestParameters.put("scope", scopeRead);
requestParameters.put("username", "user");
requestParameters.put("client_id", "client");
requestParameters.put("grant", "password");
Set<GrantedAuthority> authorities = new HashSet<GrantedAuthority>();
authorities.add(new SimpleGrantedAuthority("ROLE_USER"));
Set<String> responseTypes = new HashSet<>();
responseTypes.add("password");
Set<String> scope = new HashSet<>();
scope.add(scopeWrite);
scope.add(scopeRead);
Set<String> resourceIdSet = new HashSet<>();
resourceIdSet.add(resourceIds);
Map<String, Serializable> extensionProperties = new HashMap<>();
User userPrincipal = new User("user", "", true, true, true, true, authorities);
OAuth2Request oAuth2Request = new OAuth2Request(requestParameters, "client",
authorities, true, scope,
resourceIdSet, "", responseTypes, extensionProperties);
UsernamePasswordAuthenticationToken authenticationToken = new UsernamePasswordAuthenticationToken(userPrincipal, null, authorities);
OAuth2Authentication auth = new OAuth2Authentication(oAuth2Request, authenticationToken);
auth.setAuthenticated(true);
OAuth2AccessToken token = tokenServices().createAccessToken(auth);
return token;
}
}
【问题讨论】:
-
您拥有的“手动”令牌不是 JWT。这是一个简单的 UUID 令牌。 JWT 令牌都更长,因为它们是 JSON 对象的 base-64 编码形式。
标签: spring spring-boot spring-security oauth-2.0 spring-security-oauth2