我正在使用 WSO2 API 管理器 1.10.0,将 WSO2 Identity Server 5.1.0 配置为密钥管理器,并将 MySQL Community Server 5.6 用于数据库。当我尝试刷新使用授权代码授予类型获得的令牌(refresh_token 授予类型)时,我收到 400 Bad Request 错误(invalid_grant - 提供的授权授予无效)并且我无法获得新的令牌。然后我尝试使用 client_credentials 和密码授权类型,对于那些我能够刷新令牌的类型。
我检查了身份服务器日志,发现身份服务器尝试检索最新令牌时出现错误(以下日志)。
TID: [-1234] [] [2016-12-15 12:40:00,470] DEBUG {org.wso2.carbon.identity.oauth2.OAuth2Service} - Access Token request received for Client ID OQU0_FyRQcdvTFbygziFw67ASHwa, User ID null, Scope : [openid, profile] and Grant Type : refresh_token
TID: [-1234] [] [2016-12-15 12:40:00,470] DEBUG {org.wso2.carbon.identity.oauth2.token.handlers.clientauth.AbstractClientAuthHandler} - Can authenticate with client ID and Secret. Client ID: OQU0_FyRQcdvTFbygziFw67ASHwa
TID: [-1234] [] [2016-12-15 12:40:00,470] DEBUG {org.wso2.carbon.identity.oauth2.token.handlers.clientauth.AbstractClientAuthHandler} - Grant type : refresh_token Strict client validation set to : null
TID: [-1234] [] [2016-12-15 12:40:00,470] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Client credentials were available in the cache for client id : OQU0_FyRQcdvTFbygziFw67ASHwa
TID: [-1234] [] [2016-12-15 12:40:00,470] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Successfully authenticated the client with client id : OQU0_FyRQcdvTFbygziFw67ASHwa
TID: [-1234] [] [2016-12-15 12:40:00,474] DEBUG {org.wso2.carbon.identity.oauth2.token.handlers.grant.RefreshGrantHandler} - Error while retrieving the latest refresh token
TID: [-1234] [] [2016-12-15 12:40:00,474] DEBUG {org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer} - Invalid Grant provided by the client Id: OQU0_FyRQcdvTFbygziFw67ASHwa
TID: [-1234] [] [2016-12-15 12:40:00,474] DEBUG {org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer} - OAuth-Error-Code=invalid_grant client-id=OQU0_FyRQcdvTFbygziFw67ASHwa grant-type=refresh_token scope=openid profile
TID: [-1234] [] [2016-12-15 12:40:06,492] DEBUG {org.wso2.carbon.core.deployment.CarbonDeploymentSchedulerTask} - Running deployment synchronizer update... tenant : carbon.super
TID: [-1234] [] [2016-12-15 12:40:06,588] DEBUG {org.wso2.carbon.core.deployment.CarbonDeploymentSchedulerTask} - Running deployment synchronizer commit... tenant : carbon.super
我调试了源代码,我认为问题可能与以下 SQL 查询有关,特别是与 USER_DOMAIN=null 子句有关。
SELECT ACCESS_TOKEN, REFRESH_TOKEN, TIME_CREATED, REFRESH_TOKEN_TIME_CREATED, VALIDITY_PERIOD, REFRESH_TOKEN_VALIDITY_PERIOD, TOKEN_STATE, USER_TYPE, TOKEN_ID, SUBJECT_IDENTIFIER FROM IDN_OAUTH2_ACCESS_TOKEN WHERE CONSUMER_KEY_ID = (SELECT ID FROM IDN_OAUTH_CONSUMER_APPS WHERE CONSUMER_KEY = 'OQU0_FyRQcdvTFbygziFw67ASHwa') AND AUTHZ_USER='michael.pinheiro' AND TENANT_ID=-1234 AND USER_DOMAIN=null AND TOKEN_SCOPE_HASH='369db21a386ae433e65c0ff34d35708d' ORDER BY TIME_CREATED DESC LIMIT 1
我还注意到,当使用授权码授权类型时,表 IDN_OAUTH2_ACCESS_TOKEN 中创建的访问令牌的用户域列设置为 NULL,但是当使用密码或 client_credentials 授权类型时,值是“PRIMARY”。
这可能是一个错误,还是我错过了在创建新访问令牌时以某种方式将用户域设置为 PRIMARY 的任何参数?
我写下我为重现该问题而执行的所有步骤:
第 1 步: 我通过重定向到https://identity-dev.domain.pt/oauth2/authorize?response_type=code&client_id=OQU0_FyRQcdvTFbygziFw67ASHwa&scope=openid profile&redirect_uri= http://localhost:8100来获取授权代码
第 2 步: 使用上一步中收到的代码,我通过执行以下命令获取访问令牌(和刷新令牌):
curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d 'grant_type=authorization_code&client_id=OQU0_FyRQcdvTFbygziFw67ASHwa&client_secret=3kC6Uf9f8Lr8HVl2n03dhQc57Jsa&scope=openid profile&code = fd2f827afefba0ab0b0b17f9d701ad14 "身份-dev.domain.pt/oauth2/token "
第 3 步: 使用上一步中收到的刷新令牌,我执行以下请求以获取新令牌,但是我收到了 400 错误请求,如本文所述。
curl -X POST -H "Authorization: Basic T1FVMF9GeVJRY2R2VEZieWd6aUZ3NjdBU0h3YToza0M2VWY5ZjhMcjhIVmwybjAzZGhRYzU3SnNh" -H "Content-Type: application/x-www-form-urlencoded" -H "Accept: application/json" -d 'grant_type=refresh_token&scope=openid profile&refresh_token=7a7da99d70d48e10ac82e3681c63b0a1' “ https://identity-dev.domain.pt/oauth2/token ”
欢迎任何帮助!