I am using Keycloak, Pac4j and Shiro...
I don't know why, but after a while I get a white page and am redirected to: http://localhost:8080/oauth/callback?client_name=KeycloakOidcClient&session_state=ec6f1a5c-a992-4f66-8d7e-277d05e6cc1a&iss=http%3A%2F%2Flocalhost%3A9009%2Fauth%2Frealms%2Fgixx&code=2e14eabd-7e63-4400-a340-b6062690d97c.ec6f1a5c-a992-4f66-8d7e-277d05e6cc1a.db37becc-2ebe-4d5c-9b28-238e59ba9b73
It is currently a highlight of my project.
Here is my shiro.ini:
[main]
#### Session
sessionIdCookie = org.apache.shiro.web.servlet.SimpleCookie
sessionIdCookie.path = /
sessionIdCookie.httpOnly = true
sessionIdCookie.name = sid
sessionIdCookie.domain = localhost
sessionIdCookie.maxAge = 36000000
sessionIdCookie.secure = true
sessionIdCookie.sameSite = LAX
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
sessionManager.sessionIdCookie = $sessionIdCookie
sessionManager.sessionIdCookieEnabled = true
securityManager.sessionManager = $sessionManager
# 3,600,000 milliseconds = 1 hour -> set to 10 hours
sessionManager.globalSessionTimeout = 36000000

# Keycloak
oidcConfig = org.pac4j.oidc.config.KeycloakOidcConfiguration
oidcConfig.realm = gixx
oidcConfig.baseUri = http://localhost:9009/auth
oidcConfig.discoveryURI = http://localhost:9009/auth/realms/myapp/.well-known/openid-configuration
oidcConfig.clientId = myapp-frontend
oidcConfig.secret = XXXXXXXXXXXXXXX
oidcConfig.clientAuthenticationMethodAsString = client_secret_basic
oidcConfig.useNonce = false
oidcConfig.scope = openid
oidcConfig.responseType = code
oidcConfig.withState = false
oidcConfig.disablePkce = true

keycloakOidClient = org.pac4j.oidc.client.KeycloakOidcClient
keycloakOidClient.name = KeycloakOidcClient
keycloakOidClient.configuration = $oidcConfig
roleAdminAuthGenerator = de.dpunkt.myaktion.util.shiropac4j.Pac4jRoleAdminAuthGenerator
keycloakOidClient.authorizationGenerator = $roleAdminAuthGenerator

clients = org.pac4j.core.client.Clients
clients.callbackUrl = http://localhost:8080/oauth/callback
clients.clients = $keycloakOidClient

pac4jRealm = io.buji.pac4j.realm.Pac4jRealm
pac4jRealm.principalNameAttribute = preferred_username
pac4jSubjectFactory = io.buji.pac4j.subject.Pac4jSubjectFactory
securityManager.subjectFactory = $pac4jSubjectFactory

config = org.pac4j.core.config.Config
config.clients = $clients

oidcSecurityFilter = org.pac4j.jee.filter.SecurityFilter
oidcSecurityFilter.config = $config
oidcSecurityFilter.clients = KeycloakOidcClient
customAuthorizer = de.dpunkt.myaktion.util.shiropac4j.Pac4jCustomAuthorizer
config.authorizers = authorizerCustom:$customAuthorizer
oidcSecurityFilter.authorizers = authorizerCustom

### Callback Filters
callbackFilter = org.pac4j.jee.filter.CallbackFilter
callbackFilter.config = $config
customCallbackLogic = de.dpunkt.myaktion.util.shiropac4j.Pac4jForceDefaultURLCallbackLogic
callbackFilter.callbackLogic = $customCallbackLogic
ajaxRequestResolver = org.pac4j.core.http.ajax.DefaultAjaxRequestResolver
ajaxRequestResolver.addRedirectionUrlAsHeader = true
keycloakOidClient.ajaxRequestResolver = $ajaxRequestResolver

logoutFilter = org.pac4j.jee.filter.LogoutFilter
logoutFilter.config = $config
logoutFilter.localLogout = true
logoutFilter.centralLogout = true
logoutFilter.destroySession = true

# AuthStrategy
#authenticator = org.apache.shiro.authc.pam.ModularRealmAuthenticator
authcStrategy = org.apache.shiro.authc.pam.AtLeastOneSuccessfulStrategy
authenticator = org.apache.shiro.authc.pam.ModularRealmAuthenticator
securityManager.authenticator = $authenticator
securityManager.authenticator.authenticationStrategy = $authcStrategy
securityManager.realms = $pac4jRealm

# Caching
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager

# Using default form based security filter org.apache.shiro.web.filter.authc.FormAuthenticationFilter
authc = org.apache.shiro.web.filter.authc.FormAuthenticationFilter
authc.loginUrl = /common/login.jsf
anyofpermission = com.myapp.util.shiropac4j.CustomPermissionsAuthorizationFilter

# Protected URLs
[urls]
## PAC4J Filter
/oauth/callback = callbackFilter
/oauth/logout = logoutFilter
Stack trace:
21:11:28,820 ERROR [io.undertow.request] (default task-1) UT005023: Exception handling request to /oauth/callback: jakarta.servlet.ServletException: org.pac4j.core.exception.TechnicalException: Bad token response, error=invalid_grant, description=Code not valid
at deployment.myapp.war//org.apache.shiro.web.servlet.AdviceFilter.cleanup(AdviceFilter.java:196)
at deployment.myapp.war//org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:148)
at deployment.myapp.war//org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:154)
at deployment.myapp.war//org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
at deployment.myapp.war//org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:458)
at deployment.myapp.war//org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:373)
at deployment.myapp.war//org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)
at deployment.myapp.war//org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)
at deployment.myapp.war//org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:387)
at deployment.myapp.war//org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:370)
at deployment.myapp.war//org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:154)
at [email protected]//io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:67)
at [email protected]//io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at [email protected]//io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
at [email protected]//io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
at [email protected]//io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
at [email protected]//io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
at [email protected]//org.wildfly.elytron.web.undertow.server.ElytronRunAsHandler.lambda$handleRequest$1(ElytronRunAsHandler.java:68)
at [email protected]//org.wildfly.security.auth.server.FlexibleIdentityAssociation.runAsFunctionEx(FlexibleIdentityAssociation.java:103)
at [email protected]//org.wildfly.security.auth.server.Scoped.runAsFunctionEx(Scoped.java:161)
at [email protected]//org.wildfly.security.auth.server.Scoped.runAs(Scoped.java:73)
at [email protected]//org.wildfly.elytron.web.undertow.server.ElytronRunAsHandler.handleRequest(ElytronRunAsHandler.java:67)
at [email protected]//io.undertow.servlet.handlers.RedirectDirHandler.handleRequest(RedirectDirHandler.java:68)
at [email protected]//io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:117)
at [email protected]//io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
at [email protected]//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at [email protected]//io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at [email protected]//io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at [email protected]//io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at org.wildfly.security.elytron-web.undertow-server-servlet@4.0.0.Final//org.wildfly.elytron.web.undertow.server.servlet.CleanUpHandler.handleRequest(CleanUpHandler.java:38)
at [email protected]//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at [email protected]//org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:44)
at [email protected]//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at [email protected]//org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:51)
at [email protected]//io.undertow.servlet.handlers.SendErrorPageHandler.handleRequest(SendErrorPageHandler.java:52)
at [email protected]//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at [email protected]//io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:276)
at [email protected]//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
at [email protected]//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:132)
at [email protected]//io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
at [email protected]//io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
at [email protected]//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1413)
at [email protected]//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1413)
at [email protected]//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1413)
at [email protected]//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1413)
at [email protected]//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1413)
at [email protected]//io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:256)
at [email protected]//io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:101)
at [email protected]//io.undertow.server.Connectors.executeRootHandler(Connectors.java:393)
at [email protected]//io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:859)
at [email protected]//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
at [email protected]//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1990)
at [email protected]//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
at [email protected]//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
at [email protected]//org.xnio.XnioWorker$WorkerThreadFactory$1$1.run(XnioWorker.java:1282)
at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: org.pac4j.core.exception.TechnicalException: Bad token response, error=invalid_grant, description=Code not valid
at deployment.myapp.war//org.pac4j.oidc.credentials.authenticator.OidcAuthenticator.executeTokenRequest(OidcAuthenticator.java:206)
at deployment.myapp.war//org.pac4j.oidc.credentials.authenticator.OidcAuthenticator.validate(OidcAuthenticator.java:165)
at deployment.myapp.war//org.pac4j.core.client.BaseClient.lambda$retrieveCredentials$0(BaseClient.java:75)
at java.base/java.util.Optional.ifPresent(Optional.java:183)
at deployment.myapp.war//org.pac4j.core.client.BaseClient.retrieveCredentials(BaseClient.java:72)
at deployment.myapp.war//org.pac4j.core.client.IndirectClient.getCredentials(IndirectClient.java:145)
at deployment.myapp.war//org.pac4j.core.engine.DefaultCallbackLogic.perform(DefaultCallbackLogic.java:75)
at deployment.myapp.war//org.pac4j.jee.filter.CallbackFilter.internalFilter(CallbackFilter.java:71)
at deployment.myapp.war//org.pac4j.jee.config.AbstractConfigFilter.doFilter(AbstractConfigFilter.java:72)
at deployment.myapp.war//org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
at deployment.myapp.war//org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)
at deployment.myapp.war//org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
... 54 more
Any ideas?
On the client side, you get the following error: "Bad token response, error=invalid_grant, description=Code not valid". It looks like this is an error returned by Keycloak: do you see more in the Keycloak logs? Is the code used two or more times? Does the code validation take too much time?
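As an added illustration (my own model, not the poster's configuration, nor pac4j's or Keycloak's code), the following reproduces the checks a token endpoint applies to an authorization code and shows that the two conditions the answer asks about, the same code presented twice and a code redeemed after it expired, both come back to the client as error=invalid_grant with "Code not valid". It also includes a small scan over constructed access-log lines that flags a callback URL fetched twice with the same code, which is the first thing to look for when a browser shows a white page on /oauth/callback. The 60-second code lifetime, the error wording for cases the page does not show, and the log format are assumptions.

```python
"""Model of an OIDC token endpoint's authorization-code checks, plus a
callback-replay scan over access logs. Constructed example: not Keycloak's,
pac4j's or Shiro's code; lifetime, messages and log format are assumptions."""
import secrets
from urllib.parse import parse_qs, urlsplit

CODE_LIFETIME_SECONDS = 60  # assumption for this model


class InvalidGrant(Exception):
    """Any failed check; the client sees error=invalid_grant plus this description."""


class AuthorizationServer:
    """Issues single-use, short-lived codes bound to a client and redirect_uri."""

    def __init__(self, clock):
        self._clock = clock   # callable returning seconds; injected so tests control time
        self._codes = {}      # code -> {client_id, redirect_uri, issued_at, used}

    def issue_code(self, client_id, redirect_uri):
        code = secrets.token_urlsafe(16)
        self._codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                             "issued_at": self._clock(), "used": False}
        return code

    def redeem_code(self, code, client_id, redirect_uri):
        entry = self._codes.get(code)
        if entry is None or entry["used"]:
            # unknown code, or the same code presented a second time (for example
            # when the callback URL was requested twice): reported only as "Code not valid"
            raise InvalidGrant("Code not valid")
        if self._clock() - entry["issued_at"] > CODE_LIFETIME_SECONDS:
            # the client took longer than the code lifetime to reach the token endpoint
            raise InvalidGrant("Code not valid")
        if entry["client_id"] != client_id or entry["redirect_uri"] != redirect_uri:
            raise InvalidGrant("Code not valid")
        entry["used"] = True  # single use: mark before returning tokens
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}


def parse_callback(url):
    """Extract the query parameters the callback filter reads from the redirect URL."""
    query = parse_qs(urlsplit(url).query)
    return {key: values[0] for key, values in query.items()}


def find_replayed_codes(log_lines):
    """Return codes that reached /oauth/callback more than once (listed once each).

    Expects constructed Combined Log Format lines; only the request path is inspected.
    """
    seen, replayed = {}, []
    for line in log_lines:
        try:
            request = line.split('"')[1]   # 'GET /path?query HTTP/1.1'
            path = request.split()[1]
        except IndexError:
            continue
        if not path.startswith("/oauth/callback"):
            continue
        code = parse_callback(path).get("code")
        if code is None:
            continue
        seen[code] = seen.get(code, 0) + 1
        if seen[code] == 2:
            replayed.append(code)
    return replayed


# constructed access-log lines: the same callback (same code) requested twice
SAMPLE_LOG = [
    '127.0.0.1 - - [01/Jan/2024:21:11:27 +0000] "GET /oauth/callback?client_name=KeycloakOidcClient&code=abc.def.ghi HTTP/1.1" 302 0',
    '127.0.0.1 - - [01/Jan/2024:21:11:28 +0000] "GET /oauth/callback?client_name=KeycloakOidcClient&code=abc.def.ghi HTTP/1.1" 500 0',
    '127.0.0.1 - - [01/Jan/2024:21:11:29 +0000] "GET /index.jsf HTTP/1.1" 200 512',
]


def demo():
    """Exercise the outcomes the answer asks about; returns a description of each."""
    now = [1000.0]
    server = AuthorizationServer(clock=lambda: now[0])
    client, redirect = "myapp-frontend", "http://localhost:8080/oauth/callback"
    results = {}

    code = server.issue_code(client, redirect)
    results["first"] = server.redeem_code(code, client, redirect)["token_type"]
    try:
        server.redeem_code(code, client, redirect)  # same code a second time
        results["replay"] = "ok"
    except InvalidGrant as exc:
        results["replay"] = str(exc)

    code = server.issue_code(client, redirect)
    now[0] += CODE_LIFETIME_SECONDS + 1  # client waited longer than the code lifetime
    try:
        server.redeem_code(code, client, redirect)
        results["expired"] = "ok"
    except InvalidGrant as exc:
        results["expired"] = str(exc)
    return results


if __name__ == "__main__":
    print(demo())
    print(find_replayed_codes(SAMPLE_LOG))
```

Running the block prints the three outcomes and the replayed code from the constructed log. Against a real deployment the same scan over the servlet container's access log (and the Keycloak server log, as the answer suggests) separates a double-fetched callback from a slow token request, since only the first case shows the code twice.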