个人中心
gpt4 book ai didi

Why is Spring Security not properly reading my Auth0 OAuth permissions using hasAuthority?(为什么Spring Security不能使用hasAuthority正确读取我的Auth0 OAuth权限?)

转载 作者:bug小助手 更新时间:2023-10-24 20:54:51 25 4
gpt4 key购买 nike



I have the following…

我有以下…


    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.oauth2Login(AbstractHttpConfigurer::disable)
                .oauth2ResourceServer(AbstractHttpConfigurer::disable)
                .sessionManagement((session) -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                .authorizeHttpRequests((authz) -> authz
                        .requestMatchers(
                                new AntPathRequestMatcher("/actuator/**")
                        ).hasAuthority("SCOPE_read:actuators")
                        .anyRequest().authenticated()
                );
        return http.build();
    }
    @Bean
    JwtDecoder jwtDecoder(OAuth2ResourceServerProperties properties, @Value("${auth0.audience}") String audience) {
        /*
         * By default, Spring Security does not validate the "aud" claim of the token,
         * to ensure that this token is
         * indeed intended for our app. Adding our own validator is easy to do:
         */

        String issuerUri = properties.getJwt().getIssuerUri();
        NimbusJwtDecoder jwtDecoder = JwtDecoders.fromOidcIssuerLocation(issuerUri);

        OAuth2TokenValidator<Jwt> audienceValidator = AudienceValidator.of(audience);
        OAuth2TokenValidator<Jwt> withIssuer = JwtValidators.createDefaultWithIssuer(issuerUri);
        OAuth2TokenValidator<Jwt> withAudience = new DelegatingOAuth2TokenValidator<>(withIssuer, audienceValidator);

        jwtDecoder.setJwtValidator(withAudience);

        return jwtDecoder;
    }


And the following config…

和以下配置…


auth0:
  audience: ...
spring:
  security:
    oauth2:
      resourceserver:
        jwt:
          issuer-uri: ...

I am trying to call the endpoint with curl http://localhost:8080/actuator -v -H "Authorization: Bearer ..." and curl http://localhost:8080/actuator -v -H "Authorization: OAuth ..."

我正在尝试使用CURL http://localhost:8080/actuator-v-H呼叫终结点“授权:承载...”和CURL http://localhost:8080/actuator-v-H“授权:OAUTH...”


I have confirmed the access token has

我已确认访问令牌已


{
  "iss": "...",
  "sub": "...",
  "aud": [
    "...",
    "..."
  ],
  "iat": ...,
  "exp": ...,
  "azp": "...",
  "scope": "openid profile email",
  "permissions": [
    "read:actuators"
  ]
}

The aud and iss match but when I go to the site I get a 403. If I make it permit-all then it works fine.

澳元和国际空间站是匹配的,但当我去现场时,我得到了403分。如果我允许这样做,那么它就能正常工作。


What am I missing here?

我错过了什么吗?


I also tried to add this but the same issue...

我也想加上这一点,但同样的问题...


.oauth2ResourceServer((oauth2) -> oauth2
                        .jwt((jwt) ->jwt.decoder(jwtDecoder()))
                )

更多回答
优秀答案推荐

The bean it was missing (Just for Auth0) is this

它缺少的Bean(仅用于Auth0)如下所示


    @Bean
    public JwtAuthenticationConverter jwtAuthenticationConverter() {
        JwtGrantedAuthoritiesConverter grantedAuthoritiesConverter = new JwtGrantedAuthoritiesConverter();
        grantedAuthoritiesConverter.setAuthoritiesClaimName("permissions");

        JwtAuthenticationConverter jwtAuthenticationConverter = new JwtAuthenticationConverter();
        jwtAuthenticationConverter.setJwtGrantedAuthoritiesConverter(grantedAuthoritiesConverter);
        return jwtAuthenticationConverter;
    }

The permission can be extracted to a application property if your provider uses something else but for auth0 it will always be permissions.

如果您的提供程序使用其他内容,则可以将权限提取到应用程序属性,但对于auth0,它将始终是权限。


More information can be found in the official Spring Security site here

有关更多信息,请访问官方的Spring Security站点



You have to enable resource server configuration for access token to be used when building the security context.

您必须启用资源服务器配置,以便在构建安全上下文时使用访问令牌。


You also need a Converter<Jwt, ? extends AbstractAuthenticationToken> to convert the content of a private claim into Spring authorities. JwtAuthenticationConverter is the default implementation for this interface and configurable to some extent (will work if you want to use only one claim directly under root node, which seems to be your case for now). Just expose a bean of that type with overriden configuration to read the permissions claim.

您还需要转换器 以将私有声明的内容转换为Spring授权。JwtAuthenticationConverter是该接口的默认实现,并且在某种程度上是可配置的(如果您只想在根节点下直接使用一个声明,那么就可以使用,这似乎是您目前的情况)。只需使用覆盖配置公开该类型的Bean即可读取权限声明。


You can find samples in my tutorials, all work with Auth0 (as well as Keycloak, and Amazon Cognito).

您可以在我的教程中找到样例,它们都使用Auth0(以及Keyloak和Amazon Cognito)。


更多回答

Congratulations, you applied exactly what I answered: look at the interface implemented by the JwtAuthenticationConverter you expose as a bean and compare it to the interface in my answer.

祝贺您,您完全应用了我回答的内容:查看您作为Bean公开的JwtAuthenticationConverter实现的接口,并将其与我的回答中的接口进行比较。

Yup I see that so maybe they just introduced something similar to your thing. Anyway thanks again for the direction.

是的,我看到了,所以也许他们只是引入了一些和你的东西类似的东西。无论如何,再次感谢您的指点。

Actually, JwtAuthenticationConverter is the default Converter<Jwt, ? extends AbstractAuthenticationToken> implementation by Spring Security. It is configurable to some extent, but not as much as what I provide (and not from just properties): for instance it won't work if you need to use more than one claim as source for authorities or if the claim is nested (like you could need some day as Auth0 custom claims are nested in a domain you define like {"c4-soft.com": {"roles": [] }}).

实际上,JwtAuthenticationConverter是默认的Converter implementation by Spring Security.它在某种程度上是可配置的,但不像我提供的那样多(不仅仅是属性):例如,如果你需要使用多个声明作为权威机构的来源,或者如果声明是嵌套的(比如你可能需要一天,因为Auth 0自定义声明嵌套在你定义的域中,比如{”c4-soft.com“:{“roles”:[] }}),它就不起作用了。

Updated the answer to be a little clearer and upvoted your answer which complements it.

更新了答案,使其更清晰,并提升了您的答案,补充了您的答案。

I will take a look at your examples thank you but I am seeing the authorities seem to be getting mapped incorrectly given their example and are instead the scopes... ["SCOPE_openid","SCOPE_profile","SCOPE_email"]* Connection #0 to host localhost left intact. Instead of the permissions suggested here auth0.com/docs/quickstart/backend/java-spring-security5/… so my guess is that converter will map the permissions properly?

我会看看你的例子,谢谢你,但我看到当局似乎被错误地映射给他们的例子,而不是范围…[“SCOPE_OPENID”,“SCOPE_PROFILE”,“SCOPE_EMAIL”]*到主机本地主机的连接#0完好无损。而不是此处建议的权限auth0.com/docs/quickstart/backend/java-spring-security5/…所以我猜转换器会正确地映射权限吗?

Also why is that class also not in the above linked example

另外,为什么该类也不在上面的链接示例中

The default converter uses scope claim as source for authorities and adds SCOPE_ prefix, reason for me writing in my answer that you have to provide your own (which is not done in your question and explains why you get scopes as authorities ...).

默认转换器使用Scope Claime作为权限的来源,并添加SCOPE_PREFIX,这是我在回答中写道您必须提供自己的原因(这在您的问题中没有完成,并解释了为什么您将作用域作为权限...)。

Any idea why they don't mention that in the link

你知道他们为什么不在链接中提到这一点吗

Also do you happen to have a simpler example that doesn't have a lot of abstraction? I am trying to copy the code like what I see here github.com/ch4mpy/spring-addons/blob/… but I am going down a rabbit hole of the custom classes used

另外,您是否碰巧有一个没有太多抽象的更简单的示例?我正在尝试复制代码,就像我在这里看到的那样:githeb.com/ch4mpy/Spring-addons/BLOB/…但我要去的是过去使用的定制类的兔子洞

25 4 0
文章推荐: Can't set focus to ScrollView using Qt.ClickFocus(无法使用Qt.ClickFocus将焦点设置为ScrollView)
文章推荐: MatplotLib line behind bar plot(条形图后面的MatplotLib线)
文章推荐: Average hours getting truncated despite using float in cs50 hours practice problem(在CS50学时练习题中使用浮点时平均学时被截断)
文章推荐: React Firestore Useeffect error type error "undefined indexOf" when accessing user collection(访问用户集合时,Reaction FiRestore UseEffect错误类型错误“unfined indexOf”)
bug小助手
个人简介

我是一名优秀的程序员,十分优秀!

作者热门文章
滴滴打车优惠券免费领取
滴滴打车优惠券
全站热门文章
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com