【发布时间】:2020-07-29 04:44:54
【问题描述】:
我正在为 Oracle IDCS 创建一个 OpenID/OAuth2 客户端。起初,我使用 Google 和 GitHub 测试了我的 Spring-Boot 配置,它运行良好。但是,当我尝试与 Oracle IDCS 集成时,当应用程序尝试从 JWK Set URI (https://idcs-XXXXXXXXX.identity.oraclecloud.com/admin/v1/SigningCert/jwk) 获取签名密钥时,我收到了 401 Unauthorized。我了解到 Oracle IDCS JWK Set URI 需要标头中的令牌 (Authorization: Bearer <Access Token Value>)。 Google 和 GitHub 并非如此。
application.yml
spring:
main:
banner-mode: "console"
jpa:
hibernate:
ddl-auto: "create-drop"
security:
oauth2:
client:
registration:
oracle:
client-id: XXXXXX
client-secret: XXXXXX
authorization-grant-type: authorization_code
redirect-uri: "http://localhost:8080/login/oauth2/code/oracle"
scope: openid
client-name: Oracle
provider: oracle
provider:
oracle:
authorization-uri: "https://idcs-XXXXXXXXX.identity.oraclecloud.com/oauth2/v1/authorize"
token-uri: "https://idcs-XXXXXXXXX.identity.oraclecloud.com/oauth2/v1/token"
user-info-uri: "https://idcs-XXXXXXXXX.identity.oraclecloud.com/oauth2/v1/userinfo"
jwk-set-uri: "https://idcs-XXXXXXXXX.identity.oraclecloud.com/admin/v1/SigningCert/jwk"
token-info-uri: "https://idcs-XXXXXXXXX.identity.oraclecloud.com/oauth2/v1/introspect"
user-name-attribute: name
profiles:
active: "@spring.profiles.active@"
来自org.springframework.security.oauth2.jwt.NimbusJwtDecoder的sn-p
private static class RestOperationsResourceRetriever implements ResourceRetriever {
private static final MediaType APPLICATION_JWK_SET_JSON = new MediaType("application", "jwk-set+json");
private final RestOperations restOperations;
RestOperationsResourceRetriever(RestOperations restOperations) {
Assert.notNull(restOperations, "restOperations cannot be null");
this.restOperations = restOperations;
}
@Override
public Resource retrieveResource(URL url) throws IOException {
HttpHeaders headers = new HttpHeaders();
headers.setAccept(Arrays.asList(MediaType.APPLICATION_JSON, APPLICATION_JWK_SET_JSON));
ResponseEntity<String> response;
try {
RequestEntity<Void> request = new RequestEntity<>(headers, HttpMethod.GET, url.toURI());
response = this.restOperations.exchange(request, String.class);
} catch (Exception ex) {
throw new IOException(ex);
}
if (response.getStatusCodeValue() != 200) {
throw new IOException(response.toString());
}
return new Resource(response.getBody(), "UTF-8");
}
}
}
更新: 手动向 JWK Set URI 发送带有令牌的 HTTP GET 请求会给我密钥。
curl -v -k -X GET -H "Content-Type:application/json" -H "Authorization: Bearer XXXXXXXXX" https://idcs-XXXXXXXXX.identity.oraclecloud.com/admin/v1/SigningCert/jwk
{
"keys":[
{
"kty":"RSA",
"x5t#S256":"XXXX",
"e":"XXXX",
"x5t":"XXXX",
"kid":"SIGNING_KEY",
"x5c":[
"XXXX",
"XXXX"
],
"key_ops":[
"encrypt",
"verify"
],
"alg":"RS256",
"n":"XXXX"
}
]
}
如何将 HTTP GET 请求标头中的令牌包含到 JWK 设置 URI?
Spring Boot OAuth2 客户端有没有办法手动设置签名密钥?详细配置here不起作用。
【问题讨论】:
-
您好,您解决了吗,我也面临类似的问题,其中 jwks uri 受到保护。介于两者之间,您是如何将 Google 作为 OP 公网或 VPN 进行尝试的?
-
我还没有解决这个问题。我正在处理这个问题,当我解决它时,我会确保回复。
-
是否有任何文档可以将 Spring Security 与 IDCS 结合使用?
标签: spring spring-boot spring-security oracle-cloud-infrastructure