
我有一个 spring security oauth 客户端,它针对自定义 auth0 提供程序进行身份验证。为了获得 UserAuthorizationUri,我需要向 auth0 顶部的包装器的 rest 端点发出 post 请求。所以我扩展了 OAuth2ClientContextFilter 并使用了自定义重定向策略。现在应用程序会重定向到身份验证提供程序,登录后,获取访问令牌时却因 CSRF 错误而失败

  2018-01-18 12:01:21.465 DEBUG 28785 --- [nio-8080-exec-3] o.s.s.web.util.matcher.OrRequestMatcher  : No matches found
2018-01-18 12:01:21.465 DEBUG 28785 --- [nio-8080-exec-3] o.s.s.w.u.matcher.AntPathRequestMatcher  : Request '/login' matched by universal pattern '/**'
2018-01-18 12:01:21.465 DEBUG 28785 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy        : /login?code=F9WkgL_98BFFZkef&state=27ef0714353cf5d119ab088609e3a701950302ae8238c3210f0909590ffaa38b37c087274a73ebc24ae2cbb7de055ce94ebffdff5f7a00a74c80fdd0a9c046ee63596996b408b444151839c8d01eef820ecd77fc9316525b22ed4e7a078e008e44297604bb90be6d3e809b90659b1a384706f712243c9a7d8538817851d0ea2c2a5ba65c580e4b844e14af773498adbae6cf6b882fa2d487d43621a146e78a0b670030e1632295f132b36b4e6259080a478ba789aa4bb2902e7c6d25178e8964184250 at position 1 of 12 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2018-01-18 12:01:21.465 DEBUG 28785 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy        : /login?code=F9WkgL_98BFFZkef&state=27ef0714353cf5d119ab088609e3a701950302ae8238c3210f0909590ffaa38b37c087274a73ebc24ae2cbb7de055ce94ebffdff5f7a00a74c80fdd0a9c046ee63596996b408b444151839c8d01eef820ecd77fc9316525b22ed4e7a078e008e44297604bb90be6d3e809b90659b1a384706f712243c9a7d8538817851d0ea2c2a5ba65c580e4b844e14af773498adbae6cf6b882fa2d487d43621a146e78a0b670030e1632295f132b36b4e6259080a478ba789aa4bb2902e7c6d25178e8964184250 at position 2 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2018-01-18 12:01:21.465 DEBUG 28785 --- [nio-8080-exec-3] w.c.HttpSessionSecurityContextRepository : HttpSession returned null object for SPRING_SECURITY_CONTEXT
2018-01-18 12:01:21.465 DEBUG 28785 --- [nio-8080-exec-3] w.c.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@58543bda. A new one will be created.
2018-01-18 12:01:21.465 DEBUG 28785 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy        : /login?code=F9WkgL_98BFFZkef&state=27ef0714353cf5d119ab088609e3a701950302ae8238c3210f0909590ffaa38b37c087274a73ebc24ae2cbb7de055ce94ebffdff5f7a00a74c80fdd0a9c046ee63596996b408b444151839c8d01eef820ecd77fc9316525b22ed4e7a078e008e44297604bb90be6d3e809b90659b1a384706f712243c9a7d8538817851d0ea2c2a5ba65c580e4b844e14af773498adbae6cf6b882fa2d487d43621a146e78a0b670030e1632295f132b36b4e6259080a478ba789aa4bb2902e7c6d25178e8964184250 at position 3 of 12 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2018-01-18 12:01:21.465 DEBUG 28785 --- [nio-8080-exec-3] o.s.s.w.header.writers.HstsHeaderWriter  : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@af35197
2018-01-18 12:01:21.465 DEBUG 28785 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy        : /login?code=F9WkgL_98BFFZkef&state=27ef0714353cf5d119ab088609e3a701950302ae8238c3210f0909590ffaa38b37c087274a73ebc24ae2cbb7de055ce94ebffdff5f7a00a74c80fdd0a9c046ee63596996b408b444151839c8d01eef820ecd77fc9316525b22ed4e7a078e008e44297604bb90be6d3e809b90659b1a384706f712243c9a7d8538817851d0ea2c2a5ba65c580e4b844e14af773498adbae6cf6b882fa2d487d43621a146e78a0b670030e1632295f132b36b4e6259080a478ba789aa4bb2902e7c6d25178e8964184250 at position 4 of 12 in additional filter chain; firing Filter: 'CsrfFilter'
2018-01-18 12:01:21.465 DEBUG 28785 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy        : /login?code=F9WkgL_98BFFZkef&state=27ef0714353cf5d119ab088609e3a701950302ae8238c3210f0909590ffaa38b37c087274a73ebc24ae2cbb7de055ce94ebffdff5f7a00a74c80fdd0a9c046ee63596996b408b444151839c8d01eef820ecd77fc9316525b22ed4e7a078e008e44297604bb90be6d3e809b90659b1a384706f712243c9a7d8538817851d0ea2c2a5ba65c580e4b844e14af773498adbae6cf6b882fa2d487d43621a146e78a0b670030e1632295f132b36b4e6259080a478ba789aa4bb2902e7c6d25178e8964184250 at position 5 of 12 in additional filter chain; firing Filter: 'LogoutFilter'
2018-01-18 12:01:21.465 DEBUG 28785 --- [nio-8080-exec-3] o.s.s.w.u.matcher.AntPathRequestMatcher  : Request 'GET /login' doesn't match 'POST /logout
2018-01-18 12:01:21.465 DEBUG 28785 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy        : /login?code=F9WkgL_98BFFZkef&state=27ef0714353cf5d119ab088609e3a701950302ae8238c3210f0909590ffaa38b37c087274a73ebc24ae2cbb7de055ce94ebffdff5f7a00a74c80fdd0a9c046ee63596996b408b444151839c8d01eef820ecd77fc9316525b22ed4e7a078e008e44297604bb90be6d3e809b90659b1a384706f712243c9a7d8538817851d0ea2c2a5ba65c580e4b844e14af773498adbae6cf6b882fa2d487d43621a146e78a0b670030e1632295f132b36b4e6259080a478ba789aa4bb2902e7c6d25178e8964184250 at position 6 of 12 in additional filter chain; firing Filter: 'OAuth2ClientAuthenticationProcessingFilter'
2018-01-18 12:01:21.466 DEBUG 28785 --- [nio-8080-exec-3] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/login'; against '/login'
2018-01-18 12:01:21.466 DEBUG 28785 --- [nio-8080-exec-3] uth2ClientAuthenticationProcessingFilter : Request is to process authentication
2018-01-18 12:01:21.467 DEBUG 28785 --- [nio-8080-exec-3] uth2ClientAuthenticationProcessingFilter : Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Could not obtain access token

        Caused by: org.springframework.security.oauth2.common.exceptions.InvalidRequestException: Possible CSRF detected - state parameter was required but no state could be found
            at org.springframework.security.oauth2.client.token.grant.code.AuthorizationCodeAccessTokenProvider.getParametersForTokenRequest(AuthorizationCodeAccessTokenProvider.java:255) ~[spring-security-oauth2-2.0.14.RELEASE.jar:na]
            at org.springframework.security.oauth2.client.token.grant.code.AuthorizationCodeAccessTokenProvider.obtainAccessToken(AuthorizationCodeAccessTokenProvider.java:209) ~[spring-security-oauth2-2.0.14.RELEASE.jar:na]

应用配置

# Spring Security OAuth2 client settings. Values shown as xxx/xxxx are redacted placeholders.
security:
  oauth2:
    client:
      clientId: xxx
      # Credential: externalize (environment/vault) rather than committing a real value here.
      clientSecret: xxxx
      # NOTE(review): this appears to be the URL the custom redirect strategy POSTs to instead of
      # redirecting the browser to it directly — confirm against NAuthRedirectStrategy.
      userAuthorizationUri: https://x.amazonaws.com/v1/login
      accessTokenUri: https://x.amazonaws.com/v1/getToken
      tokenName: oauth_token
      authenticationScheme: query
      clientAuthenticationScheme: form
      additional-information:
        env: test
    resource:
      userInfoUri: https://x.amazonaws.com/v1/userInfo?env=test

应用程序.java

/**
 * Spring Boot entry point for the OAuth2 SSO client.
 * <p>
 * Declares an {@code oauth2ClientContextFilter} bean of the custom type
 * {@link NAuth2ClientContextFilter}; presumably this takes the place of the filter the SSO
 * auto-configuration would otherwise register — verify against the auto-configuration in use.
 */
@SpringBootApplication
@EnableOAuth2Sso
public class NauthtestApplication extends SpringBootServletInitializer {

    /**
     * Supplies the custom OAuth2 client context filter.
     *
     * @return a fresh {@link NAuth2ClientContextFilter}
     */
    @Bean
    public NAuth2ClientContextFilter oauth2ClientContextFilter() {
        return new NAuth2ClientContextFilter();
    }

    /**
     * Boots the application.
     *
     * @param args command-line arguments handed to Spring Boot
     */
    public static void main(String[] args) {
        SpringApplication.run(NauthtestApplication.class, args);
    }
}

自定义过滤器

public class NAuth2ClientContextFilter extends OAuth2ClientContextFilter implements Filter, InitializingBean {

自定义重定向策略

public class NAuthRedirectStrategy  implements RedirectStrategy {

    // Client id placed in the JSON login request; hard-coded here rather than read from
    // security.oauth2.client.clientId — TODO confirm the two stay in sync ("xxx" is a placeholder).
    private String clientId="xxx";

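    /**
     * Redirects the browser to the authorization provider by way of the wrapper's login endpoint.
     * <p>
     * Rather than sending the browser straight to {@code url}, this POSTs a JSON login request to
     * {@code url} and redirects the browser to the URL returned in the response body.
     * <p>
     * NOTE(review): {@code url} is the user-authorization URI the OAuth2 client built, including the
     * {@code state} query parameter it generated; that state is not copied into the JSON body here.
     * If the wrapper does not carry it through to the callback unchanged, the token exchange fails
     * with "Possible CSRF detected - state parameter was required but no state could be found" —
     * confirm how the wrapper handles {@code state}.
     *
     * @param request  the current request (not used)
     * @param response the response on which the browser redirect is written
     * @param url      the authorization URI computed by the OAuth2 client, used here as the
     *                 wrapper's login endpoint
     * @throws IOException           if the login request cannot be serialized, the response body
     *                               cannot be parsed, or the redirect cannot be written
     * @throws IllegalStateException if the wrapper returns no usable redirect URL
     */
    @Override
    public void sendRedirect(HttpServletRequest request, HttpServletResponse response, String url) throws IOException {

        System.out.println("Reached the custom redirect strategy");

        NAuthLoginRequest loginRequest = new NAuthLoginRequest();
        loginRequest.setClientId(clientId);
        loginRequest.setEnv("test");
        loginRequest.setClaims(Arrays.asList("user", "groups"));
        loginRequest.setCallbackUrl("http://localhost:8080/login");

        HttpHeaders headers = new HttpHeaders();
        headers.setContentType(MediaType.APPLICATION_JSON);
        ObjectMapper mapper = new ObjectMapper();
        HttpEntity<String> loginRestRequest = new HttpEntity<String>(mapper.writeValueAsString(loginRequest), headers);

        RestTemplate restTemplate = new RestTemplate();
        ResponseEntity<String> loginResponse = restTemplate.exchange(url, HttpMethod.POST, loginRestRequest, String.class);
        String body = loginResponse.getBody();
        System.out.println("Login Response redirect url is " + body);

        // Guard before touching the body: a null or near-empty body would otherwise surface as an
        // NPE or StringIndexOutOfBoundsException with no hint of which call failed.
        if (body == null || body.length() < 2) {
            throw new IllegalStateException(
                    "Login endpoint returned no redirect URL (status " + loginResponse.getStatusCode() + ")");
        }

        // The body appears to be a JSON string literal (a quoted URL). Parse it as JSON instead of
        // chopping the first and last characters so any escape sequences in the URL are decoded.
        String redirectUrl = mapper.readValue(body, String.class);

        // The redirect target is taken verbatim from the wrapper's response; the wrapper is the
        // trusted party here, so no further validation of the URL is done.
        response.sendRedirect(redirectUrl);
    }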
