我的登录端点可以重定向到 redirect_uri,但我找不到如何获取代码和状态所以它变成了
"redirect:" + savedRequest.getParameterValues("redirect_uri") + "&code=" + code + "&state" = state;
登录端点
@PostMapping("/login")
public String login(final HttpServletRequest request, String username) {
authService.authenticate(username);
SavedRequest savedRequest: = request.session.getAttribute("SPRING_SECURITY_SAVED_REQUEST") as SavedRequest;
return "redirect:" + savedRequest.getParameterValues("redirect_uri");
// it's missing state and code. state can be found in savedRequest, but how to find the code and is there a better way?
}
安全配置
@Autowired
private lateinit var passwordEncoder: PasswordEncoder
@Bean
@Order(1)
fun authorizationServerSecurityFilterChain(http: HttpSecurity): SecurityFilterChain {
OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http)
http.getConfigurer(OAuth2AuthorizationServerConfigurer::class.java)
.oidc(Customizer.withDefaults())
http
.exceptionHandling { exceptions ->
exceptions.authenticationEntryPoint(LoginUrlAuthenticationEntryPoint ("/login"))
}
.oauth2ResourceServer {
it.jwt()
}
return http.build()
}
@Bean
fun authorizationServerSettings(): AuthorizationServerSettings {
return AuthorizationServerSettings.builder().build()
}
@Bean
fun authorizationService(): OAuth2AuthorizationService {
return InMemoryOAuth2AuthorizationService()
}
@Bean
fun registeredClientRepository(): RegisteredClientRepository {
val registeredClient = RegisteredClient.withId(UUID.randomUUID().toString())
.clientId("oauth-dev")
.clientSecret(passwordEncoder.encode("secret"))
.authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
.redirectUri("https://example.com")
.clientSettings(ClientSettings.builder()
.requireAuthorizationConsent(false)
.requireProofKey(false).build())
.build()
return InMemoryRegisteredClientRepository(registeredClient)
}
@Bean
fun jwkSource(): JWKSource<SecurityContext> {
val rsaKey = Jwks.generateRsa()
val jwkSet = JWKSet(rsaKey)
return JWKSource { jwkSelector: JWKSelector, securityContext: SecurityContext? -> jwkSelector.select(jwkSet) }
}
@Bean
fun jwtDecoder(jwkSource: JWKSource<SecurityContext>): JwtDecoder {
return OAuth2AuthorizationServerConfiguration.jwtDecoder(jwkSource)
}
我可以看到 OAuth2AuthorizationCodeRequestAuthenticationToken 有一个属性 authorizationCode,但它是 null
class AuthenticationSuccessEventListener : ApplicationListener<AuthenticationSuccessEvent> {
override fun onApplicationEvent(e: AuthenticationSuccessEvent) {
if (e.authentication is OAuth2AuthorizationCodeRequestAuthenticationToken) {
val token = e.authentication as OAuth2AuthorizationCodeRequestAuthenticationToken
logger.info("Successful authentication: ${e.authentication}")
}
您的问题询问“如何在身份验证代码流中登录后获取重定向的状态和代码”,但没有提及用户的实际身份验证方式,或者授权端点是否已成功调用。您的登录端点似乎没有对用户进行身份验证,因此我不清楚它应该如何工作。
我可以看到 OAuth2AuthorizationCodeRequestAuthenticationToken 有一个属性 authorizationCode,但它是 null
根据您描述的问题,听起来您还没有实际调用
/oauth2/authorize
端点并生成 authorization_code
,所以这是下一步。
您在验证用户身份后检索的已保存请求实际上是对
/oauth2/authorize
端点的请求。您还没有 code
和 state
参数,因为它们是由授权端点创建/管理的。因此,您只需从 savedRequest.getRedirectUrl()
重定向到 SavedRequest
,您就可以开始了。
您可以(并且可能应该)使用
HttpSessionRequestCache
而不是直接访问会话,如下所示:
private RequestCache requestCache = new HttpSessionRequestCache();
// ...
SavedRequest savedRequest = this.requestCache.getRequest(request, response);
String redirectUrl = savedRequest.getRedirectUrl();
注意: 从你的问题中不清楚
redirectUrl
不起作用,但似乎你在这里期待错误的东西。
如果这还不是很清楚,请添加更多详细信息,说明您的登录端点正在做什么,以及当您从
redirectUrl
重定向到 SavedRequest
时什么不起作用。