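【Question title】: @EnableOAuth2Sso does not check if token has expired
【Posted】: 2017-06-30 21:40:45
【Question description】:

I have implemented a gateway as an OAuth2 client in front of my resource services and UI. Everything works fine, except that when the token expires I receive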

<oauth>
    <error_description>bfc5a9f6-0537-4ab9-91c1-e756501b429d</error_description>
    <error>invalid_token</error>
</oauth>

Checking the logs, I found that the gateway considers the user authenticated, because the session already exists

2017-06-21 09:17:34.311 DEBUG 32482 --- [nio-8080-exec-6] o.s.s.w.a.i.FilterSecurityInterceptor    : Previously Authenticated: org.springframework.security.oauth2.provider.OAuth2Authentication@a80f4caf: Principal: user; Credentials: [PROTECTED]; Authenticated: true; Details: remoteAddress=0:0:0:0:0:0:0:1, sessionId=<SESSION>, tokenType=bearertokenValue=<TOKEN>; Granted Authorities: ROLE_ACTUATOR, ROLE_USER
2017-06-21 09:17:34.311 DEBUG 32482 --- [nio-8080-exec-6] o.s.s.access.vote.AffirmativeBased       : Voter: org.springframework.security.web.access.expression.WebExpressionVoter@1aaae9c5, returned: 1

while my resource service or UI does not

2017-06-21 09:17:34.532  WARN 32484 --- [nio-9001-exec-1] o.s.b.a.s.o.r.UserInfoTokenServices      : Could not fetch user details: class org.springframework.security.oauth2.client.resource.UserRedirectRequiredException, A redirect is required to get the users approval

Gateway configuration

@SpringBootApplication
@EnableDiscoveryClient
@EnableZuulProxy
public class GatewayApplication {

    public static void main(String[] args) {
        SpringApplication.run(GatewayApplication.class, args);
    }
}

@Configuration
@EnableOAuth2Sso
public class WebSecurityConfigurer extends WebSecurityConfigurerAdapter {


    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .csrf()
                .disable()
                .authorizeRequests()
                .anyRequest().authenticated();

    }

}

security:
  oauth2:
    client:
      accessTokenUri: http://localhost:9191/uaa/oauth/token
      userAuthorizationUri: http://localhost:9191/uaa/oauth/authorize
      clientId: acme
      clientSecret: acmesecret
    resource:
      user-info-uri: http://localhost:9191/uaa/user
      prefer-token-info: false
zuul:
  ignored-services: '*'
  routes:
    authserver: /uaa/**
    resource-service: /resource/**
    ui:
      path: /ui/**
      strip-prefix: false

UI configuration, or that of any resource server

@SpringBootApplication
@EnableDiscoveryClient
@EnableResourceServer
public class UiApplication {

    public static void main(String[] args) {
        SpringApplication.run(UiApplication.class, args);
    }
}

security:
  oauth2:
    resource:
      user-info-uri: http://localhost:9191/uaa/user
server:
  port: 9001
  context-path: /${spring.application.name}

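What I expect and am trying to do is for the gateway to check whether the token is valid and, if it is not, redirect the user to the login page or use the refresh token to renew the token?

【Question discussion】:

    Tags: spring-boot spring-security spring-security-oauth2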


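    【Solution 1】:

    After chatting with @dave-syer on gitter, he told me that we need to declare OAuth2RestOperations inside the gateway, because it is not created by default in spring-boot and it is required to request the refresh token in @987654321@

    So just adding the following solves everything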

    @Bean
    public OAuth2RestOperations oAuth2RestOperations(OAuth2ClientContext oauth2ClientContext, OAuth2ProtectedResourceDetails details) {
        OAuth2RestTemplate oAuth2RestTemplate = new OAuth2RestTemplate(details, oauth2ClientContext);
        return oAuth2RestTemplate;
    }
    

    【Discussion】:
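
One way to make the gateway's expiry check explicit, as an added example that is not part of the original question or answer: a servlet filter that inspects the token held in the session-scoped OAuth2ClientContext and, when it has expired, asks the OAuth2RestOperations bean from the answer for a fresh one. The class name ExpiredTokenFilter and its placement before FilterSecurityInterceptor are assumptions.

```java
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.oauth2.client.OAuth2ClientContext;
import org.springframework.security.oauth2.client.OAuth2RestOperations;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.web.filter.OncePerRequestFilter;

/** Added example; the class name is hypothetical and not from the original post. */
public class ExpiredTokenFilter extends OncePerRequestFilter {

    private final OAuth2ClientContext clientContext;   // holds the token for this session
    private final OAuth2RestOperations restOperations; // the bean declared in the answer

    public ExpiredTokenFilter(OAuth2ClientContext clientContext,
                              OAuth2RestOperations restOperations) {
        this.clientContext = clientContext;
        this.restOperations = restOperations;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        // A session can outlive its access token: the Authentication stored in the
        // session still says "authenticated" even though the token has expired.
        OAuth2AccessToken token = clientContext.getAccessToken();
        if (token != null && token.isExpired()) {
            // With an OAuth2RestTemplate behind the interface, this asks the token
            // provider for a new token, trying the refresh token if one is held.
            // If no token can be obtained, UserRedirectRequiredException is thrown;
            // it is deliberately not caught here so that OAuth2ClientContextFilter
            // can turn it into a redirect to the authorization server.
            restOperations.getAccessToken();
        }
        chain.doFilter(request, response);
    }
}
```

Register it in the gateway's configure(HttpSecurity) with http.addFilterBefore(new ExpiredTokenFilter(clientContext, restOperations), FilterSecurityInterceptor.class), injecting both collaborators into the configuration class.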
