我正在尝试让 feign Client 通过我的 Oauth2 SSO 工作
我定义了一个bean拦截器,如下
@Bean
@LoadBalanced
RequestInterceptor oauthFeignClient(OAuth2ClientContext oauth2ClientContext, OAuth2ProtectedResourceDetails details) {
return new OAuth2FeignRequestInterceptor(oauth2ClientContext, details);
}
但我面临这个异常:
feign.FeignException: status 401 reading AppClientFeign#getApps(); content: {"error":"invalid_token","error_description":"9d8eb02c-7005-487e-b28f-19417e5fea51"}
我不知道为什么我会得到这个
这是我的身份验证服务器
@Configuration
static class MvcConfig extends WebMvcConfigurerAdapter {
@Override
public void addViewControllers(ViewControllerRegistry registry) {
registry.addViewController("login").setViewName("login");
registry.addViewController("/oauth/confirm_access").setViewName("authorize");
registry.addViewController("/").setViewName("index");
}
}
@Configuration
static class LoginConfig extends WebSecurityConfigurerAdapter {
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.formLogin().loginPage("/login").permitAll()
.and().logout().clearAuthentication(true).invalidateHttpSession(true).logoutUrl("/exit").logoutSuccessUrl("http://localhost:9999/client").permitAll()
.and()
.authorizeRequests()
.antMatchers("/","/exit","/graphics/**", "/login", "/oauth/authorize", "/oauth/confirm_access").permitAll()
.and()
.authorizeRequests()
.anyRequest().authenticated()
.and().httpBasic().disable().csrf().disable();
}
@Autowired
MDSUserDetailService mdsUserServiceDetail;
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(mdsUserServiceDetail).passwordEncoder(passwordEncoder());
}
}
和我的 yaml 配置
security:
oauth2:
client:
client-id: xxx
client-secret: xxx
scope: read, write
auto-approve-scopes: .*
authorization:
check-token-access: permitAll()
这是我的客户
@SpringBootApplication
@EnableOAuth2Sso
@EnableEurekaClient
@EnableDiscoveryClient
@EnableFeignClients
@EnableWebSecurity
public class ClientApplication extends WebSecurityConfigurerAdapter{
public static void main(String[] args) {
SpringApplication.run(ClientApplication.class, args);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.logout()
.logoutSuccessUrl("http://localhost:9999/uaa/exit");
http.authorizeRequests().antMatchers("graphics/**").permitAll().
and().authorizeRequests().anyRequest().authenticated();
}
@Bean
@LoadBalanced
RequestInterceptor oauthFeignClient(OAuth2ClientContext oauth2ClientContext, OAuth2ProtectedResourceDetails details) {
return new OAuth2FeignRequestInterceptor(oauth2ClientContext, details);
}
@Bean
@LoadBalanced
OAuth2RestTemplate oauth2RestTemplate(OAuth2ClientContext oauth2ClientContext, OAuth2ProtectedResourceDetails details) {
return new OAuth2RestTemplate(details, oauth2ClientContext);
}
@Profile("!cloud")
@Bean
RequestDumperFilter requestDumperFilter() {
return new RequestDumperFilter();
}
}
Feign 客户端界面
@FeignClient("USERS-MANAGER")
public interface UserClientFeign {
@GetMapping("/users/info")
public User getUserDetails(@RequestParam("username") String username);
}
我的客户端的 yml 配置
security:
basic:
enabled: false
oauth2:
client:
client-id: xxx
client-secret: xxx
access-token-uri: ${auth-server}/oauth/token
user-authorization-uri: ${auth-server}/oauth/authorize
scope: read, write
resource:
token-info-uri: ${auth-server}/oauth/check_token
最后是我的资源
@SpringBootApplication
@EnableResourceServer
@EnableEurekaClient
@RestController
public class ResourceApplication extends ResourceServerConfigurerAdapter {
@Override
public void configure(HttpSecurity http) throws Exception {
http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and().authorizeRequests()
.antMatchers(HttpMethod.GET, "/users/**").access("#oauth2.hasScope('read')")
.antMatchers(HttpMethod.POST, "/users/**").access("#oauth2.hasScope('write')");
}
public static void main(String[] args) {
SpringApplication.run(ResourceApplication.class, args);
}
@Profile("!cloud")
@Bean
RequestDumperFilter requestDumperFilter() {
return new RequestDumperFilter();
}
}
yml配置
spring.application.name: USERS-MANAGER
server:
port: 0
ribbon:
eureka:
enabled: true
eureka.client.service-url.defaultZone: http://localhost:8761/eureka/
security:
oauth2:
resource:
token-info-uri: http://localhost:9999/uaa/oauth/check_token
client:
client-id: xxx
client-secret: xxx
浏览器异常
Thu Sep 13 14:19:52 BST 2018 There was an unexpected error (type=Internal Server Error, status=500). status 401 reading AppClientFeign#getApps(); content: {"error":"invalid_token","error_description":"9d8eb02c-7005-487e-b28f-19417e5fea51"}
最佳答案
如果没有任何详细描述,很难找出 token 无效的原因。可能是 token 过期太快(由于您的 token TTL 设置),或者 token 的授予类型,或者 token 的范围与资源服务器所需的不同。
您可能希望在OAuth2AuthenticationProcessingFilter#doFilter()
中的多个点添加断点,并查看从 oauth2 提供程序获取的值是什么,并将其与客户端正在使用的 token 值进行比较。特别是看看 authenticationManager.authenticate(authentication);
关于java - Feign Oauth2 客户端 token 异常,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/52315046/