spring security 5 oauth2 资源服务器无法正确处理用户授权 报错insufficient_scope
现象
客户端通过授权码模式获取不透明令牌(opaque token),使用令牌访问资源服务器
资源服务器安全配置只能处理客户端scope授权,如果添加用户授权的判定规则,则报错
www-authenticate: Bearer error=“insufficient_scope”,error_description=“The request requires higher privileges than provided by the access token.”,error_uri=“https://tools.ietf.org/html/rfc6750#section-3.1”
原因
spring security 5 默认的令牌校验逻辑只处理scope,没有处理用户授权
源码
- 资源服务器不透明令牌默认配置
org.springframework.boot.autoconfigure.security.oauth2.resource.servlet.OAuth2ResourceServerOpaqueTokenConfiguration
@Configuration(proxyBeanMethods = false)
@ConditionalOnMissingBean(OpaqueTokenIntrospector.class)
static class OpaqueTokenIntrospectionClientConfiguration {
@Bean
@ConditionalOnProperty(name = "spring.security.oauth2.resourceserver.opaquetoken.introspection-uri")
NimbusOpaqueTokenIntrospector opaqueTokenIntrospector(OAuth2ResourceServerProperties properties) {
OAuth2ResourceServerProperties.Opaquetoken opaqueToken = properties.getOpaquetoken();
return new NimbusOpaqueTokenIntrospector(opaqueToken.getIntrospectionUri(), opaqueToken.getClientId(),
opaqueToken.getClientSecret());
}
}
- 内省和验证不透明令牌
org.springframework.security.oauth2.server.resource.introspection.NimbusOpaqueTokenIntrospector
private OAuth2AuthenticatedPrincipal convertClaimsSet(TokenIntrospectionSuccessResponse response) {
Collection<GrantedAuthority> authorities = new ArrayList<>();
Map<String, Object> claims = response.toJSONObject();
...
// 处理scope授权,加上前缀"SCOPE_"
if (response.getScope() != null) {
List<String> scopes = Collections.unmodifiableList(response.getScope().toStringList());
claims.put(OAuth2IntrospectionClaimNames.SCOPE, scopes);
for (String scope : scopes) {
authorities.add(new SimpleGrantedAuthority(this.authorityPrefix + scope));
}
}
// 授权中只包含scope,用户授权直接作为一般属性传递了
return new OAuth2IntrospectionAuthenticatedPrincipal(claims, authorities);
}
解决
- 自定义内省器
import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.oauth2.sdk.util.JSONUtils;
import lombok.extern.slf4j.Slf4j;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.core.OAuth2AuthenticatedPrincipal;
import org.springframework.security.oauth2.server.resource.introspection.NimbusOpaqueTokenIntrospector;
import org.springframework.security.oauth2.server.resource.introspection.OAuth2IntrospectionAuthenticatedPrincipal;
import org.springframework.web.client.RestOperations;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
@Slf4j
public class DefaultOpaqueTokenIntrospector extends NimbusOpaqueTokenIntrospector {
public DefaultOpaqueTokenIntrospector(String introspectionUri, String clientId, String clientSecret) {
super(introspectionUri, clientId, clientSecret);
}
public DefaultOpaqueTokenIntrospector(String introspectionUri, RestOperations restOperations) {
super(introspectionUri, restOperations);
}
@Override
public OAuth2AuthenticatedPrincipal introspect(String token) {
OAuth2AuthenticatedPrincipal principal = super.introspect(token);
try {
List<String> userAuthorities = JSONUtils.to(principal.getAttribute("authorities"), List.class);
Collection<GrantedAuthority> authorities = new ArrayList<>();
authorities.addAll(principal.getAuthorities());
for (String userAuthority : userAuthorities) {
authorities.add(new SimpleGrantedAuthority(userAuthority));
}
return new OAuth2IntrospectionAuthenticatedPrincipal(principal.getAttributes(), authorities);
} catch (ParseException e) {
log.warn("令牌用户授权信息解析失败", e);
}
return principal;
}
}
- 配置
@Bean
@ConditionalOnProperty(name = "spring.security.oauth2.resourceserver.opaquetoken.introspection-uri")
NimbusOpaqueTokenIntrospector opaqueTokenIntrospector(OAuth2ResourceServerProperties properties) {
OAuth2ResourceServerProperties.Opaquetoken opaqueToken = properties.getOpaquetoken();
return new DefaultOpaqueTokenIntrospector(opaqueToken.getIntrospectionUri(), opaqueToken.getClientId(),
opaqueToken.getClientSecret());
}
```
