您好, 欢迎来到 !    登录 | 注册 | | 设为首页 | 收藏本站
问答- 问题:为什么AccessTokenRequest的PreservedState永久为空,并产生与CSRF相关的InvalidRequestException?

为什么AccessTokenRequest的PreservedState永久为空,并产生与CSRF相关的InvalidRequestException?

为什么AccessTokenRequest的PreservedState永久为空,并产生与CSRF相关的InvalidRequestException?

事实证明,在所提供的代码部分中所引用的keepedState为null的原因是因为正在创建一个新的Oauth2ClientContext实例,而这恰恰是不应该发生的事- OAuth2ClientContext的整个目的就是存储状态。就OAuth2协议(RFC 6749)而言,保持状态对于跨站点请求伪造的预防非常重要(请参阅第10.12节)。

进行调试非常简单,只需启用调试日志记录,并将WSO2 IS生成输出一个工作示例中看到的进行比较。就我而言,我经常回到的工作示例是Spring团队自己提供的示例。

这是客户端配置(application.yml),然后使用Spring小组SSO服务器进行日志输出测试:

spring:
  profiles: default
security:
  oauth2:
    client:
      accessTokenUri: http://192.168.0.113:32768/uaa/oauth/token
      userAuthorizationUri: http://192.168.0.113:32768/uaa/oauth/authorize
  clientId: acme
  clientSecret: acmesecret
resource:
  jwt:
    keyValue: |
      -----BEGIN PUBLIC KEY-----
      MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnGp/Q5lh0P8nPL21oMMrt2RrkT9AW5jgYwLfSUnJVc9G6uR3cXRRDCjHqWU5WYwivcF180A6CWp/ireQFFBNowgc5XaA0kPpzEtgsA5YsNX7iSnUibB004iBTfU9hZ2Rbsc8cWqynT0RyN4TP1RYVSeVKvMQk4GT1r7JCEC+TNu1ELmbNwMQyzKjsfBXyIOCFU/E94ktvsTZUHF4Oq44DBylCDsS1k7/sfZC2G5EU7Oz0mhG8+Uz6MSEQHtoIi6mc8u64Rwi3Z3tscuWG2ShtsUFuNSAFNkY7LkLn+/hxLCu2bNISMaESa8dG22CIMuIeRLVcAmEWEWH5EEforTg+QIDAQAB
      -----END PUBLIC KEY-----
  id: openid
  serviceId: ${PREFIX:}resource

请注意,没有提到创建 。

DEBUG o.s.security.web.FilterChainProxy - /login?code=9HLSpP&state=G9kpy3 at position 6 of 12 in additional filter chain; firing Filter: 'OAuth2ClientAuthenticationProcessingFilter'
DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/login'; against '/login'
DEBUG o.s.s.o.c.f.OAuth2ClientAuthenticationProcessingFilter - Request is to process authentication
INFO  o.s.s.o.c.DefaultOAuth2ClientContext - Getting access token request
DEBUG o.s.b.f.s.DefaultListablebeanfactory - Creating instance of bean 'scopedTarget.accessTokenRequest'
DEBUG o.s.b.f.s.DefaultListablebeanfactory - Returning cached instance of singleton bean 'org.springframework.security.oauth2.config.annotation.web.configuration.OAuth2ClientConfiguration'
DEBUG o.s.b.f.s.DefaultListablebeanfactory - Finished creating instance of bean 'scopedTarget.accessTokenRequest'
INFO  o.s.s.o.client.OAuth2RestTemplate - Longer lived state key: G9kpy3
INFO  o.s.s.o.client.OAuth2RestTemplate - Removing preserved state in oauth2context
INFO  o.s.s.o.c.DefaultOAuth2ClientContext - Found preserved state: http://localhost:9999/login

这是客户端配置(application.yml),然后使用WSO2IS 5.0.0进行日志输出测试:

spring:
  profiles: wso2
server:
  port: 9998
security:
  oauth2:
    client:
      accessTokenUri: https://localhost:9443/oauth2/token
      userAuthorizationUri: https://localhost:9443/oauth2/authorize
      clientId: yKSD9XwET9XJ3srGEFXP6AfHhAka
      clientSecret: zuPTcdJH435h3wgl055XNZ5ffNMa
      scope: openid
      clientAuthenticationScheme: header
    resource:
      userInfoUri: https://localhost:9443/oauth2/userinfo?schema=openid

在 的行中记下这一行。

DEBUG o.s.security.web.FilterChainProxy - /login?state=PWhQwv&code=372ff0c197a4c85a0caf070cc9a6678 at position 6 of 12 in additional filter chain; firing Filter: 'OAuth2ClientAuthenticationProcessingFilter'
DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/login'; against '/login'
DEBUG o.s.s.o.c.f.OAuth2ClientAuthenticationProcessingFilter - Request is to process authentication
DEBUG o.s.b.f.s.DefaultListablebeanfactory - Creating instance of bean 'scopedTarget.oauth2ClientContext'
DEBUG o.s.b.f.s.DefaultListablebeanfactory - Returning cached instance of singleton bean 'org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2RestOperationsConfiguration$SessionScopedConfiguration$ClientContextConfiguration'
DEBUG o.s.b.f.s.DefaultListablebeanfactory - Finished creating instance of bean 'scopedTarget.oauth2ClientContext'
INFO  o.s.s.o.c.DefaultOAuth2ClientContext - Getting access token request
DEBUG o.s.b.f.s.DefaultListablebeanfactory - Creating instance of bean 'scopedTarget.accessTokenRequest'
DEBUG o.s.b.f.s.DefaultListablebeanfactory - Returning cached instance of singleton bean 'org.springframework.security.oauth2.config.annotation.web.configuration.OAuth2ClientConfiguration'
DEBUG o.s.b.f.s.DefaultListablebeanfactory - Finished creating instance of bean 'scopedTarget.accessTokenRequest'
INFO  o.s.s.o.client.OAuth2RestTemplate - Longer lived state key: PWhQwv
INFO  o.s.s.o.client.OAuth2RestTemplate - Removing preserved state in oauth2context
INFO  o.s.s.o.c.DefaultOAuth2ClientContext - Found preserved state: null

最后,调用的下一个端口自然是要确定为什么未使用WSO2 IS配置创建OAuth2ClientContext。调查表明,这是因为WSO2 IS没有传回预期的JSESSIONID,因此找不到以会话为范围的OAuth2ClientContext。

如果迫切需要解决此问题的潜在方法是克隆Spring OAuth 2并执行以下操作:

在AuthorizationCodeAccessTokenProvider类中,对hack进行以下操作以更改请求中的保留状态。

    private MultiValueMap<String, String>     getParametersForTokenRequest(AuthorizationCodeResourceDetails resource,
        AccessTokenRequest request) {

            MultiValueMap<String, String> form = new   LinkedMultiValueMap<String, String>();
            form.set("grant_type", "authorization_code");
            form.set("code", request.getAuthorizationCode());

            request.setPreservedState("http://localhost:9998/login");
            Object preservedState = request.getPreservedState();
Access 2022/1/1 18:21:26 有802人围观

撰写回答

你尚未登录,登录后可以

和开发者交流问题的细节

关注并接收问题和回答的更新提醒

参与内容的编辑和改进,让解决方法与时俱进

请先登录

推荐问题

联系我

联系我

602392714

清零编程清零编程群

置顶