1

我在 Gentics Mesh 中使用了新的 OAuth 支持,但是遇到了一个异常 - 

ecms-mesh-server     | 23:57:42.312 [] INFO  [vert.x-eventloop-thread-4] [i.v.e.w.h.i.LoggerHandlerImpl] - 192.168.16.4 - GET /api/v2/auth/me HTTP/1.1 200 587 - 7 ms
ecms-mesh-server     | 23:58:09.374 [] DEBUG [vert.x-eventloop-thread-4] [c.g.m.a.p.MeshJWTAuthProvider] - Could not authenticate token.
ecms-mesh-server     | java.lang.RuntimeException: Algorithm not supported
ecms-mesh-server     |  at io.vertx.ext.jwt.JWT.decode(JWT.java:280)
ecms-mesh-server     |  at io.vertx.ext.auth.jwt.impl.JWTAuthProviderImpl.authenticate(JWTAuthProviderImpl.java:122)
ecms-mesh-server     |  at com.gentics.mesh.auth.provider.MeshJWTAuthProvider.authenticateJWT(MeshJWTAuthProvider.java:90)
ecms-mesh-server     |  at com.gentics.mesh.auth.handler.MeshJWTAuthHandler.handleJWTAuth(MeshJWTAuthHandler.java:152)
ecms-mesh-server     |  at com.gentics.mesh.auth.handler.MeshJWTAuthHandler.handle(MeshJWTAuthHandler.java:89)
ecms-mesh-server     |  at com.gentics.mesh.auth.MeshAuthChain.lambda$secure$0(MeshAuthChain.java:40)
ecms-mesh-server     |  at io.vertx.ext.web.impl.RouteImpl.handleContext(RouteImpl.java:231)

我在 docker 中运行服务器,前面有一个 Spring Boot 网关,使用令牌中继过滤器。

如果我是匿名的或由 Mesh 认证,我可以通过网关很好地访问 Mesh。
但是,如果我使用 Okta 进行身份验证,并且网关将我的令牌传递给 Mesh,我会得到异常......

我添加了一个包含/config/public-keys.json我的 Okta 公钥内容的文件。

在此处输入图像描述

更新:
我可以在日志中确认我的公钥正在被提取,因为调试输出与我的/config/public-keys.json内容相匹配。 

ecms-mesh-server     | 00:19:55.101 [] DEBUG [vert.x-eventloop-thread-0] [c.g.m.a.MeshOAuth2ServiceImpl] - {
ecms-mesh-server     |   "kty" : "RSA",
ecms-mesh-server     |   "alg" : "RS256",
ecms-mesh-server     |   "kid" : "u13712iLhUmkpeREecKaQhPvZvuImdNVWGJwAmgU-SM",
ecms-mesh-server     |   "use" : "sig",
ecms-mesh-server     |   "e" : "AQAB",
ecms-mesh-server     |   "n" : "vw5G7FUjegmT_BybIfgDWr..."
ecms-mesh-server     | }
ecms-mesh-server     | 00:19:55.101 [] DEBUG [vert.x-eventloop-thread-0] [c.g.m.a.MeshOAuth2ServiceImpl] - {
ecms-mesh-server     |   "kty" : "RSA",
ecms-mesh-server     |   "alg" : "RS256",
ecms-mesh-server     |   "kid" : "DzmghgcUAcXhxL-LeF3qJqefqeQpHR4BSHUoSY7m3FU",
ecms-mesh-server     |   "use" : "sig",
ecms-mesh-server     |   "e" : "AQAB",
ecms-mesh-server     |   "n" : "4yosHHYoEW6wqqOso5qfDONqLw2MK..."
ecms-mesh-server     | }
ecms-mesh-server     | 00:19:55.102 [] DEBUG [vert.x-eventloop-thread-0] [c.g.m.a.AuthHandlerContainer] - Keys changed. Creating a new auth handler to be used.
4

1 回答 1

1

我注意到标头中令牌的“kid”参数,在公钥列表中没有匹配的“kid”。我使用了错误的授权服务器 JWK...哇。呵呵。

我有这个 - https://dev-xxxxxx.okta.com/oauth2/v1/keys

什么时候应该是这样 - https://dev-xxxxxx.okta.com/oauth2/default/v1/keys

希望这对其他人有帮助。

于 2019-10-16T05:46:10.597 回答