
Problem description


In a reactive spring webflux service, I have the endpoints configured to be protected by OAuth2 resource server. When I first launch the server, it validates the Bearer tokens properly but after about 30 seconds, the exact same requests begin failing with the following error:

error="invalid_token"
error_description="This iss claim is not equal to the configured issuer"
error_uri="https://tools.ietf.org/html/rfc6750#section-3.1"


I've verified that the token is valid and that the iss claim appears to be the same as what is configured in spring.security.oauth2.resourceserver.jwt.issuer-uri. If this wasn't configured properly, then I would be getting no valid requests.


Upon closer inspection, I've found that the error stems from the URL comparison of the iss claim and the expected URL in that the InetAddress.getAddress() match for the first 30 seconds, but then do not match. This is using an Azure AD provider endpoint https://sts.windows.net/{{tenantId}}/ and I've verified that the URL strings match, just not the internal addresses. What might be causing this and how can I validate tokens with valid issuers after the initial 30 seconds? Thanks.

For reference, here is my SecurityWebFilterChain:

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;

@Configuration
@EnableWebFluxSecurity
public class SecurityConfig {

    // Every exchange must be authenticated; bearer JWTs are validated by the
    // OAuth2 resource server support using spring.security.oauth2.resourceserver.jwt.* properties.
    @Bean
    public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
        return http
                .csrf().disable()
                .authorizeExchange().anyExchange().authenticated()
                .and().oauth2ResourceServer().jwt().and()
                .and().build();
    }
}

Gradle implementation dependencies included:

org.springframework.boot:spring-boot-starter-security:2.1.0.RC1
org.springframework.boot:spring-boot-starter-webflux:2.1.0.RC1
org.springframework.security:spring-security-oauth2-resource-server:5.1.1.RELEASE
org.springframework.security:spring-security-oauth2-jose:5.1.1.RELEASE

Recommended answer


Looks like this was entered as issue #6073 in spring-security and was resolved in c70b65c. It's currently slated to be resolved in 5.1.2.RELEASE or 5.2.0.M1.


The solution committed changed the URL to a String which allowed for the equality check to be more reliable in addition to removing the blocking DNS lookup call.
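The following is an added illustration of the string-based issuer check the answer describes, written here as an example; it is not code from the question, the answer, or Spring Security's own commit. It assumes the Spring Security 5.1 API (OAuth2TokenValidator, OAuth2TokenValidatorResult, NimbusReactiveJwtDecoder.setJwtValidator, the five-argument Jwt constructor), and the tenant id, JWK set URI and token values are constructed placeholders. The point it demonstrates is why the fix matters: String.equals() compares the iss claim character by character, whereas java.net.URL.equals() may resolve both host names and compare IP addresses, which is the slow, non-deterministic comparison the question ran into.

```java
import java.time.Instant;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimNames;
import org.springframework.security.oauth2.jwt.JwtTimestampValidator;
import org.springframework.security.oauth2.jwt.NimbusReactiveJwtDecoder;
import org.springframework.security.oauth2.jwt.ReactiveJwtDecoder;

/**
 * Issuer check that compares the raw "iss" claim string with the configured
 * issuer string. String.equals() never touches DNS, so rotating answers for a
 * load-balanced host cannot flip the result and no blocking lookup happens.
 */
public class StringIssuerValidator implements OAuth2TokenValidator<Jwt> {

    private final String issuer;

    public StringIssuerValidator(String issuer) {
        this.issuer = issuer;
    }

    @Override
    public OAuth2TokenValidatorResult validate(Jwt token) {
        // Read the claim as a String; Jwt.getIssuer() would hand back a java.net.URL.
        String tokenIssuer = token.getClaimAsString(JwtClaimNames.ISS);
        if (issuer.equals(tokenIssuer)) {
            return OAuth2TokenValidatorResult.success();
        }
        OAuth2Error error = new OAuth2Error(
                OAuth2ErrorCodes.INVALID_TOKEN,
                "This iss claim is not equal to the configured issuer",
                "https://tools.ietf.org/html/rfc6750#section-3.1");
        return OAuth2TokenValidatorResult.failure(error);
    }

    /** Wires the validator into a reactive decoder; jwkSetUri is an assumed placeholder. */
    public static ReactiveJwtDecoder jwtDecoder(String issuer, String jwkSetUri) {
        NimbusReactiveJwtDecoder decoder = new NimbusReactiveJwtDecoder(jwkSetUri);
        List<OAuth2TokenValidator<Jwt>> validators = Arrays.asList(
                new JwtTimestampValidator(), new StringIssuerValidator(issuer));
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(validators));
        return decoder;
    }

    // Offline demonstration with constructed claims and a placeholder tenant id.
    public static void main(String[] args) {
        String configured = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/";
        OAuth2TokenValidator<Jwt> validator = new StringIssuerValidator(configured);

        Jwt matching = jwtWithIssuer(configured);
        System.out.println("matching issuer rejected? "
                + validator.validate(matching).hasErrors());          // false

        // Same host, missing trailing slash: rejected, because the comparison is exact.
        Jwt noSlash = jwtWithIssuer("https://sts.windows.net/00000000-0000-0000-0000-000000000000");
        System.out.println("issuer without trailing slash rejected? "
                + validator.validate(noSlash).hasErrors());           // true

        // Different tenant on the same host: rejected even though DNS would resolve identically.
        Jwt otherTenant = jwtWithIssuer("https://sts.windows.net/11111111-1111-1111-1111-111111111111/");
        System.out.println("other tenant rejected? "
                + validator.validate(otherTenant).hasErrors());       // true
    }

    // Builds a Jwt with constructed header and claims; the token value is a placeholder.
    private static Jwt jwtWithIssuer(String iss) {
        Map<String, Object> headers = Collections.singletonMap("alg", "RS256");
        Map<String, Object> claims = new HashMap<>();
        claims.put(JwtClaimNames.ISS, iss);
        claims.put(JwtClaimNames.SUB, "constructed-subject");
        Instant now = Instant.now();
        return new Jwt("constructed.token.value", now, now.plusSeconds(300), headers, claims);
    }
}
```

On a 5.1.1 deployment this validator can be registered through a ReactiveJwtDecoder bean built by jwtDecoder(issuer, jwkSetUri) until the upgrade to a release containing the fix; the exact-match behaviour means the configured issuer-uri must match the iss claim byte for byte, including the trailing slash that the Azure AD issuer carries.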


09-26 10:13