我可以看到登录名,但在输入用户名和密码后,它会重定向到 http://localhost:9000/error?continue。
我正在尝试做代码流 + PKCE,我几乎遵循了我从互联网上找到的每一个例子,但仍然做不到。
重现行为的步骤。
授权服务器在https://github.com/mgonzaga1990/spring-oauth2-angular/tree/main/services/authorization 角度项目在https://github.com/mgonzaga1990/spring-oauth2-angular/tree/main/ui
@Bean
public CorsConfigurationSource corsConfigurationSource(){
var configuration = new CorsConfiguration();
configuration.addAllowedHeader("*");
configuration.addAllowedMethod("*");
configuration.addAllowedOrigin("*");
var source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**",configuration);
return source;
}
@Bean
public PasswordEncoder passwordEncoder() {
return NoOpPasswordEncoder.getInstance();
// return new BCryptPasswordEncoder();
}
@Bean
@Order(Ordered.HIGHEST_PRECEDENCE)
public SecurityFilterChain asSecurityFilterChain(HttpSecurity http) throws Exception {
OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http);
http.getConfigurer(OAuth2AuthorizationServerConfigurer.class)
.oidc(Customizer.withDefaults())
.and().cors(Customizer.withDefaults());
return http.build();
}
@Bean
@Order(2)
public SecurityFilterChain appSecurityFilterChain(HttpSecurity http) throws Exception {
// http.authorizeHttpRequests().anyRequest().authenticated();
// return http.build();
http.authorizeHttpRequests(authorizationManagerRequestMatcherRegistry -> authorizationManagerRequestMatcherRegistry.anyRequest().authenticated())
.cors(httpSecurityCorsConfigurer -> httpSecurityCorsConfigurer.configurationSource(corsConfigurationSource()))
.formLogin();
return http.build();
}
@Bean
public RegisteredClientRepository registeredClientRepository() {
// var registeredClient = RegisteredClient.withId("e4a295f7-0a5f-4cbc-bcd3-d870243d1b05")
// .clientId("huongdanjava1")
// .clientSecret("secret")
// .scope("read")
// .redirectUri("https://oidcdebugger.com/debug")
// .redirectUri("https://oauthdebugger.com/debug")
// .redirectUri("https://springone.io/authorized")
// .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
// .authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
// .tokenSettings(TokenSettings.builder().build())
// .build();
var registeredClient = RegisteredClient.withId("e4a295f7-0a5f-4cbc-bcd3-d870243d1b05")
.clientId("public_client")
.clientSecret("{noop}obscura")
.scope(OidcScopes.OPENID)
.scope(OidcScopes.EMAIL)
.scope(OidcScopes.PROFILE)
.redirectUri("https://oidcdebugger.com/debug")
.redirectUri("https://oauthdebugger.com/debug")
.redirectUri("https://springone.io/authorized")
.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
.authorizationGrantType(AuthorizationGrantType.REFRESH_TOKEN)
.authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
.clientSettings(ClientSettings.builder()
.requireAuthorizationConsent(false)
.requireProofKey(true)
.build())
.build();
return new InMemoryRegisteredClientRepository(registeredClient);
}
@Bean
public UserDetailsService userDetailsService() {
UserDetails userDetails = User.withUsername("admin")
.password("password")
.roles("USER")
.build();
return new InMemoryUserDetailsManager(userDetails);
}
@Bean
public AuthorizationServerSettings authorizationServerSettings() {
return AuthorizationServerSettings.builder().build();
}
import { AuthConfig,OAuthService } from 'angular-oauth2-oidc';
export const authCodeFlowConfig: AuthConfig = {
// Url of the Identity Provider
issuer: 'http://localhost:9000',
disablePKCE: false,
sessionChecksEnabled: false,
// URL of the SPA to redirect the user to after login
redirectUri: window.location.origin ,
// The SPA's id. The SPA is registerd with this id at the auth-server
// clientId: 'server.code',
clientId: 'public-client',
// Just needed if your auth server demands a secret. In general, this
// is a sign that the auth server is not configured with SPAs in mind
// and it might not enforce further best practices vital for security
// such applications.
// dummyClientSecret: 'secret',
responseType: 'code',
// set the scope for the permissions the client should request
// The first four are defined by OIDC.
// Important: Request offline_access to get a refresh token
// The api scope is a usecase specific one
scope: 'openid profile email',
showDebugInformation: true,
};
@Injectable({
providedIn: 'root'
})
export class AuthConfigServiceService {
constructor(private readonly oauthService : OAuthService) {
if (!this.oauthService.hasValidIdToken()) {
this.oauthService.configure({
scope: 'openid profile email',
responseType: 'code',
oidc: true,
disablePKCE: false,
sessionChecksEnabled: false,
clientId: 'public-client',
issuer: 'http://localhost:9000', // eg. https://acme-jdo9fs.zitadel.cloud
redirectUri: 'http://localhost:4200/auth/callback',
postLogoutRedirectUri: 'http://localhost:4200/',
requireHttps: false // required for running locally
});
this.oauthService.loadDiscoveryDocument().then(() => {
this.oauthService.initCodeFlow();
});
}
}
}
不确定我遗漏了什么或者这还不支持吗?
图书馆:
"angular-oauth2-oidc": "^15.0.1",
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-oauth2-authorization-server</artifactId>
<version>1.0.1</version>
</dependency>
源码在我提供的git上
我试过了