我正在使用 grails“Spring Security OAuth Provider”插件。而且我能够在以下 URL 的响应中获得访问代码。
http://localhost:8080/oauthServer/oauth/authorize?response_type=code&client_id=test_client&scope=read&redirect_uri=http://example.com?
但是,当我使用以下 URL通过访问代码发送获取访问令牌的请求时,我收到“访问此资源需要完全身份验证”错误消息。
curl -header "Authorization: Basic bnVkZ2VDbGllbnQ6YjRkNzA3NmE3YTA4N2E4MWMzMTE2ZjZlNWQzZWY0MDJjNmQ4ZjM3Nw==" http://localhost:8080/oauthServer/oauth/token?grant_type=authorization_code&code=kuH8aC
笔记: base64(client_id:client_secret)=bnVkZ2VDbGllbnQ6YjRkNzA3NmE3YTA4N2E4MWMzMTE2ZjZlNWQzZWY0MDJjNmQ4ZjM3Nw==
完整的错误信息如下。
<oauth>
<error_description>
Full authentication is required to access this resource
</error_description>
<error>unauthorized</error>
</oauth>
我错过了什么。请建议。
谢谢
更新 1
实际上,我正在关注 Spring security oauth provider plugin 的文档。
有我的配置设置。
// Added by the Spring Security OAuth2 Provider plugin:
grails.plugin.springsecurity.oauthProvider.clientLookup.className = 'com.oauth.Client'
grails.plugin.springsecurity.oauthProvider.authorizationCodeLookup.className = 'com.oauth.AuthorizationCode'
grails.plugin.springsecurity.oauthProvider.accessTokenLookup.className = 'com.oauth.AccessToken'
grails.plugin.springsecurity.oauthProvider.refreshTokenLookup.className = 'com.oauth.RefreshToken'
grails.plugin.springsecurity.logout.postOnly = false
//grails.plugin.springsecurity.successHandler.defaultTargetUrl = '/client/index'
// Added by the Spring Security Core plugin:
grails.plugin.springsecurity.userLookup.userDomainClassName = 'com.auth.User'
grails.plugin.springsecurity.userLookup.authorityJoinClassName = 'com.auth.UserRole'
grails.plugin.springsecurity.authority.className = 'com.auth.Role'
grails.plugin.springsecurity.controllerAnnotations.staticRules = [
'/oauth/authorize.dispatch': ["isFullyAuthenticated() and (request.getMethod().equals('GET') or request.getMethod().equals('POST'))"],
'/oauth/token.dispatch': ["isFullyAuthenticated() and request.getMethod().equals('POST')"],
'/': ['permitAll'],
'/index': ['permitAll'],
'/index.gsp': ['permitAll'],
'/assets/**': ['permitAll'],
'/**/js/**': ['permitAll'],
'/**/css/**': ['permitAll'],
'/**/images/**': ['permitAll'],
'/**/favicon.ico': ['permitAll']
]
grails.plugin.springsecurity.providerNames = [
'clientCredentialsAuthenticationProvider',
'daoAuthenticationProvider',
'anonymousAuthenticationProvider',
'rememberMeAuthenticationProvider'
]
grails.exceptionresolver.params.exclude = ['password', 'client_secret']
grails.plugin.springsecurity.filterChain.chainMap = [
'/oauth/token': 'JOINED_FILTERS,-oauth2ProviderFilter,-securityContextPersistenceFilter,-logoutFilter,-rememberMeAuthenticationFilter',
'/securedOAuth2Resources/**': 'JOINED_FILTERS,-securityContextPersistenceFilter,-logoutFilter,-rememberMeAuthenticationFilter',
'/**': 'JOINED_FILTERS,-statelessSecurityContextPersistenceFilter,-oauth2ProviderFilter,-clientCredentialsTokenEndpointFilter'
]
我的控制器是默认控制器。
@Secured(["#oauth2.clientHasRole('ROLE_CLIENT')"])
def clientRoleExpression() {
render "client role expression"
}
@Secured(["ROLE_CLIENT"])
def clientRole() {
render "client role"
}
@Secured(["#oauth2.clientHasAnyRole('ROLE_CLIENT', 'ROLE_TRUSTED_CLIENT')"])
def clientHasAnyRole() {
render "client has any role"
}
@Secured(["#oauth2.isClient()"])
def client() {
render "is client"
}
@Secured(["#oauth2.isUser()"])
def user() {
// code
}
@Secured(["#oauth2.isUser()"])
def getSubscriptionDetail() {
//code
}
@Secured(["#oauth2.isUser()"])
def getHistory(){
//code
}
@Secured(["#oauth2.denyOAuthClient()"])
def denyClient() {
render "no client can see"
}
@Secured(["permitAll"])
def anyone() {
render "anyone can see"
}
def nobody() {
render "nobody can see"
}
@Secured(["#oauth2.clientHasRole('ROLE_TRUSTED_CLIENT') and #oauth2.isClient() and #oauth2.hasScope('trust')"])
def trustedClient() {
render "trusted client"
}
@Secured(["hasRole('ROLE_USER') and #oauth2.isUser() and #oauth2.hasScope('trust')"])
def trustedUser() {
render "trusted user"
}
@Secured(["hasRole('ROLE_USER') or #oauth2.hasScope('read')"])
def userRoleOrReadScope() {
render "user role or read scope"
}