我正在开发一个带有 React 前端和 NestJS 后端的 unity asset store。 授权是使用Auth0实现的。前端是单页应用程序 (SPA),而后端,如前所述,利用 JwtUserGuard 来检查令牌。
我基本上是在尝试创建一个验证用户 ID 的防护程序,以便为用户提供访问权限。以下是 RolesGuard:
@Injectable()
export class RolesGuard implements CanActivate {
constructor(
private readonly httpService: HttpService,
private readonly reflector: Reflector,
private readonly jwtService: JwtService,
) {
}
async canActivate(context: ExecutionContext) {
const token = context.switchToHttp().getRequest().headers.authorization.replace('Bearer ', '');
const sub = this.jwtService.decode(token).sub;
const userRole = (await this.httpService.axiosRef.get(
`https://_____________________/api/v2/users/${sub}/roles`,
{
headers: {'Authorization': `Bearer ${token}`}
}
));
const role = this.reflector.get<string>(ROLES_KEY, context.getHandler())[0];
return role === userRole.data
}
}
使用来自 Auth0 管理 API 的测试访问令牌一切正常,但是当我尝试从前端获取访问令牌时 (参考下面的index.js):
const root = ReactDOM.createRoot(document.getElementById('root'));
root.render(
<Auth0Provider
domain="{myDomain}"
clientId="{myClientId}"
authorizationParams={{
redirect_uri: window.location.origin,
audience: "https://{myDomain}/api/v2/",
scope: "read:current_user update:current_user_metadata"
}}
>
<App/>
</Auth0Provider>
);
Profile.js
...
const accessToken = await getAccessTokenSilently({
authorizationParams: {
audience: `https://${domain}/api/v2/`,
scope: "read:current_user",
},
});
...
并尝试将其传递到我的端点,我收到以下错误:
{
"statusCode": 403,
"error": "Forbidden",
"message": "Insufficient scope, expected any of: read:users,read:roles,read:role_members",
"errorCode": "insufficient_scope"
}
查看访问令牌范围可以发现以下内容:
"scope": "openid read:current_user update:current_user_metadata"
事实证明,
read:users,read:roles,read:role_members
必须添加到authorizationParams
的Auth0Provider
范围内。
这是首要问题。我尝试通过以下方式在此处添加范围:
const root = ReactDOM.createRoot(document.getElementById('root'));
root.render(
<Auth0Provider
domain="{myDomain}"
clientId="{myClientId}"
authorizationParams={{
redirect_uri: window.location.origin,
audience: "https://{myDomain}/api/v2/",
scope: "read:current_user update:current_user_metadata read:users read:roles read:role_members"
}}
>
<App/>
</Auth0Provider>
);
但我的访问令牌范围保持不变。我真的不明白范围是如何工作的。我浏览了 auth0 文档来查找有关此问题的有用信息,但结果并没有多大帮助。
我也遇到同样的问题,请问你解决了吗?