我将 Auth0 用于我的身份验证服务。我有一个与 springboot API 通信的 Web 应用程序。我正在尝试使用 Auth0 jwt 令牌验证对我的 API 资源的访问。下面是我的实现。
我的 Auth0 JS 网络应用程序
var options = {
allowAutocomplete: true,
autoclose: true,
container: 'login-auth',
theme: {
logo: 'http://palermoinn.com/wp-content/uploads/2015/12/pullman_palermoinn.png',
primaryColor: '#009688',
foregroundColor: "#009688",
labeledSubmitButton: false,
},
auth: {
audience: 'https://xxx.auth0.com/userinfo',
responseType: 'token id_token',
params: {
state: 'into',
scope: 'openid email profile roles'
}
},
redirectUri: window.location.href,
languageDictionary: {
title: "Log In"
}
};
// console.log(constants.CLIENT_ID + " or " + constants.VERIFY_URL + " or " + constants.TYPE_GET);
var lock = new Auth0Lock(
'CLIENT_ID',
'xxx.auth0.com',
options
);
if (token == null && profile == null) {
lock.show();
} else {
var HEADER = {
token: token,
timeStamp: new Date().getTime(),
access: profile
}
console.log(JSON.stringify(HEADER));
/**
* This request would first request a token from the Auth0 Server
* The token is returned and that token is used to access API resource
*/
network.call(constants.STATS_URL + '1', constants.TYPE_GET, {}, token);
// window.location.href = "dashboard.html";
}
从我的 springboot Web 安全配置中,我实现了以下
@Bean
CorsConfigurationSource corsConfigurationSource() {
CorsConfiguration configuration = new CorsConfiguration();
configuration.setAllowedOrigins(Arrays.asList("http://localhost"));
configuration.setAllowedMethods(Arrays.asList("GET", "POST"));
configuration.setAllowCredentials(true);
configuration.addAllowedHeader("Authorization");
configuration.addAllowedHeader("cache-control");
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", configuration);
return source;
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.cors();
JwtWebSecurityConfigurer
.forRS256(AUTH_AUD, AUTH_ISSUER)
.configure(http)
.authorizeRequests()
.antMatchers(HttpMethod.GET, "/v1/clients/stats/{userId}").authenticated();
}
我现在的问题是我设计的 Springboot Web 配置不会使用我在标头中传递的令牌来验证我的请求。它不断给我一个 401 未经授权的响应。我究竟做错了什么?