0

我将 Auth0 用于我的身份验证服务。我有一个与 springboot API 通信的 Web 应用程序。我正在尝试使用 Auth0 jwt 令牌验证对我的 API 资源的访问。下面是我的实现。

我的 Auth0 JS 网络应用程序

var options = {
    allowAutocomplete: true,
    autoclose: true,
    container: 'login-auth',
    theme: {
        logo: 'http://palermoinn.com/wp-content/uploads/2015/12/pullman_palermoinn.png',
        primaryColor: '#009688',
        foregroundColor: "#009688",
        labeledSubmitButton: false,
    },
    auth: {
        audience: 'https://xxx.auth0.com/userinfo',
        responseType: 'token id_token',
        params: {
            state: 'into',
            scope: 'openid email profile roles'
        }
    },
    redirectUri: window.location.href,
    languageDictionary: {
        title: "Log In"
    }
};

// console.log(constants.CLIENT_ID + " or " + constants.VERIFY_URL + " or " + constants.TYPE_GET);

var lock = new Auth0Lock(
    'CLIENT_ID',
    'xxx.auth0.com',
    options
);

if (token == null && profile == null) {
        lock.show();
    } else {
        var HEADER = {
            token: token,
            timeStamp: new Date().getTime(),
            access: profile
        }
        console.log(JSON.stringify(HEADER));
        /**
            * This request would first request a token from the Auth0 Server
            * The token is returned and that token is used to access API resource 
            */
        network.call(constants.STATS_URL + '1', constants.TYPE_GET, {}, token);
        // window.location.href = "dashboard.html";
    }

从我的 springboot Web 安全配置中,我实现了以下

@Bean
CorsConfigurationSource corsConfigurationSource() {
    CorsConfiguration configuration = new CorsConfiguration();
    configuration.setAllowedOrigins(Arrays.asList("http://localhost"));
    configuration.setAllowedMethods(Arrays.asList("GET", "POST"));
    configuration.setAllowCredentials(true);
    configuration.addAllowedHeader("Authorization");
    configuration.addAllowedHeader("cache-control");
    UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
    source.registerCorsConfiguration("/**", configuration);
    return source;
}

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.cors();
    JwtWebSecurityConfigurer
            .forRS256(AUTH_AUD, AUTH_ISSUER)
            .configure(http)
            .authorizeRequests()
            .antMatchers(HttpMethod.GET, "/v1/clients/stats/{userId}").authenticated();
}

我现在的问题是我设计的 Springboot Web 配置不会使用我在标头中传递的令牌来验证我的请求。它不断给我一个 401 未经授权的响应。我究竟做错了什么?

4

0 回答 0