我正在使用 Postman 从 vanilla AEM 安装中测试 OAuth 2。
在我授予访问权限后,Postman 可以从 /oauth/authorize 成功获取授权码:
但是当它尝试使用代码从 /oauth/token 获取令牌时,它会收到以下响应:
HTTP 错误:403 访问 /oauth/token 时出现问题。原因:禁止由 Jetty 提供支持://
在 Fiddler 中,它正在对 /oauth/token 进行 POST,正文中包含以下名称/值:
client_id:来自 /libs/granite/oauth/content/client.html 的客户端 ID
client_secret:来自 /libs/granite/oauth/content/client.html 的客户端密钥
redirect_uri: https ://www.getpostman.com/oauth2/callback
授权类型:授权代码
代码:从上一个请求返回到 oauth/authorize 的代码
我错过了什么吗?
如果您可以列出一些有关如何构建 url 和获取令牌的代码片段,将会有所帮助。
这是一个示例,说明我们如何实现与您尝试做的非常相似,也许它会有所帮助。
定义如下所示的服务(片段)并在 OSGI 中定义值(主机、url 等)(或者您也可以对它们进行硬编码以用于测试目的)
@Service(value = OauthAuthentication.class)
@Component(immediate = true, label = "My Oauth Authentication", description = "My Oauth Authentication", policy = ConfigurationPolicy.REQUIRE, metatype = true)
@Properties({
@Property(name = Constants.SERVICE_VENDOR, value = "ABC"),
@Property(name = "service.oauth.host", value = "", label = "Oauth Host", description = "Oauth Athentication Server"),
@Property(name = "service.oauth.url", value = "/service/oauth/token", label = "Oauth URL", description = "Oauth Authentication URL relative to the host"),
@Property(name = "service.oauth.clientid", value = "", label = "Oauth Client ID", description = "Oauth client ID to use in the authentication procedure"),
@Property(name = "service.oauth.clientsecret", value = "", label = "Oauth Client Secret", description = "Oauth client secret to use in the authentication procedure"),
@Property(name = "service.oauth.granttype", value = "", label = "Oauth Grant Type", description = "Oauth grant type") })
public class OauthAuthentication {
...
@Activate
private void activate(ComponentContext context) {
Dictionary<String, Object> properties = context.getProperties();
host = OsgiUtil.toString(properties, PROPERTY_SERVICE_OAUTH_HOST,new String());
// Similarly get all values
url =
clientID =
clientSecret =
grantType =
authType = "Basic" + " "+ Base64.encode(new String(clientID + ":" + clientSecret));
}
public static void getAuthorizationToken(
try {
UserManager userManager = resourceResolver.adaptTo(UserManager.class);
Session session = resourceResolver.adaptTo(Session.class);
// Getting the current user
Authorizable auth = userManager.getAuthorizable(session.getUserID());
user = auth.getID();
password = ...
...
...
String serviceURL = (host.startsWith("http") ? "": protocol + "://") + host + url;
httpclient = HttpClients.custom().build();
HttpPost httppost = new HttpPost(serviceURL);
// set params
ArrayList<BasicNameValuePair> formparams = new ArrayList<BasicNameValuePair>();
formparams.add(new BasicNameValuePair("username", user));
formparams.add(new BasicNameValuePair("password", password));
formparams.add(new BasicNameValuePair("client_id", clientID));
formparams.add(new BasicNameValuePair("client_secret",clientSecret));
formparams.add(new BasicNameValuePair("grant_type",grantType));
UrlEncodedFormEntity postEntity = new UrlEncodedFormEntity(formparams, "UTF-8");
httppost.setEntity(postEntity);
// set header
httppost.addHeader("Authorization", authType);
response = httpclient.execute(httppost);
HttpEntity entity = response.getEntity();
if (response.getStatusLine().getStatusCode() == 200) {
if (entity != null) {
object = new JSONObject(EntityUtils.toString(entity));
}
if (object != null) {
accessToken = object.getString("access_token");
////
}
}
}
我自己找到了答案,并认为我会分享我经历的过程以及答案,因为它可能会帮助其他刚接触 AEM 的人。
如何查找错误原因:
从这里我能够看到问题的原因:
org.apache.sling.security.impl.ReferrerFilter 拒绝对 /oauth/token 的 POST 请求的空引用者标头
因为邮递员没有在请求标头中放置引用者,所以我不得不告诉 Apache Sling 允许空请求标头。
去做这个:
允许它列出允许的主机的好方法,否则这违反了 AEM 安全清单的最佳实践。
它适用于开发环境而不是生产环境。