我正在使用 auth0-angular 获取 getAccessTokenSilently() 并使用
authorization: Bearer blablabla当我尝试使用此标头发出请求时,我的 Spring 安全配置开始抛出错误。
我得到的错误:
Caused by: org.springframework.security.oauth2.jwt.JwtException: An error occurred while attempting to decode the Jwt: class com.nimbusds.jose.JWEHeader cannot be cast to class com.nimbusds.jose.JWSHeader (com.nimbusds.jose.JWEHeader and com.nimbusds.jose.JWSHeader are in unnamed module of loader 'app')
安全配置:
@EnableWebFluxSecurity
@Configuration
public class SecurityConfig {
@Value("${spring.security.oauth2.resourceserver.jwk.issuer-uri}")
private String issuerUri;
@Bean
public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http){
http.authorizeExchange()
.pathMatchers(HttpMethod.GET,"/inventory/**").authenticated()
.anyExchange().authenticated()
.and()
.oauth2ResourceServer()
.jwt();
return http.build();
}
@Bean
public ReactiveJwtDecoder jwtDecoder() {
return ReactiveJwtDecoders.fromOidcIssuerLocation(issuerUri);
}
}
我的设置有问题吗?我遵循了 https://auth0.com/blog/introduction-getting-started-with-spring-webflux-api/
的 spring 设置您是否已将 Angular 配置为发送受众参数?如果不这样做,则返回的访问令牌不是 JWT。您可以将访问令牌复制/粘贴到 jwt.io 中以查看它是否有效。这是观众应该看到的配置。
const config = {
domain: 'dev-06bzs1cu.us.auth0.com',
clientId: 'y3RlJzTl68eZOQyGqA0yGiJla7fyaZ88',
authorizationParams: {
audience: 'https://dev-06bzs1cu.us.auth0.com/api/v2/',
redirect_uri: window.location.origin + '/home'
},
httpInterceptor: {
allowedList: ['http://localhost:8080/*']
},
};