Java 使用Azure AD、Spring网关和多个微服务进行身份验证

几个星期来我一直在想办法解决这个问题，但我被难住了

我们正在尝试迁移到SSO，当网关将令牌发送到下游服务时，我遇到了一些问题。身份验证在网关中运行良好，并且我能够在Spring上下文中正确查看经过身份验证的用户

我使用的是SpringBoot2.2.0

当请求到达下游时，我得到了错误

There was an unexpected error (type=Internal Server Error, status=500).
Signed JWT rejected: Invalid signature
com.nimbusds.jose.proc.BadJWSException: Signed JWT rejected: Invalid signature
    at com.nimbusds.jwt.proc.DefaultJWTProcessor.<clinit>(DefaultJWTProcessor.java:103)
    at com.microsoft.azure.spring.autoconfigure.aad.UserPrincipalManager.getAadJwtTokenValidator(UserPrincipalManager.java:94)
    at com.microsoft.azure.spring.autoconfigure.aad.UserPrincipalManager.buildUserPrincipal(UserPrincipalManager.java:85)
    at com.microsoft.azure.spring.autoconfigure.aad.AADAuthenticationFilter.doFilterInternal(AADAuthenticationFilter.java:78)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)

SecurityConfig

    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) throws Exception {
        http
                .csrf()
                .disable()
                .authorizeExchange()
                .pathMatchers("/eureka/**").hasAnyAuthority("SUPER_ADMIN")
                .anyExchange().authenticated()
                .and()
                .oauth2Login();
        return http.build();

    @Autowired
    private AADAuthenticationFilter aadAuthFilter;

            @Override
            protected void configure(HttpSecurity http) throws Exception {
                http
                        .csrf()
                        .disable()
                        .sessionManagement()
                        .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                        .and()
                        .authorizeRequests().anyRequest().permitAll()
                        .and()
                        .addFilterBefore(aadAuthFilter, UsernamePasswordAuthenticationFilter.class)
                        .exceptionHandling()
                        .authenticationEntryPoint(globalAuthEntryPoint);
            }

依赖项：

dependencies {
    implementation "io.jsonwebtoken:jjwt:0.7.0"
    implementation "jakarta.xml.bind:jakarta.xml.bind-api:2.3.2"
    implementation "org.glassfish.jaxb:jaxb-runtime:2.3.2"
    compile "org.springframework.security:spring-security-oauth2-client"
    compile "com.microsoft.azure:azure-active-directory-spring-boot-starter:2.2.2"
    implementation "org.springframework.boot:spring-boot-starter-logging"
    compile "org.springframework.boot:spring-boot-starter-security"
    implementation "org.springframework.boot:spring-boot-starter-data-redis"
    implementation "org.springframework.cloud:spring-cloud-starter-gateway"
    implementation "org.springframework.cloud:spring-cloud-starter-security"
    implementation "org.springframework.cloud:spring-cloud-starter-consul-all"
    implementation "org.springframework.cloud:spring-cloud-starter-config"
    implementation "redis.clients:jedis:3.1.0"

通过此配置，在网关中设置Spring上下文，路径命中正确的API和端点，并向下游传递一个访问令牌到我的服务

现在，对于我的下游API：

Application.properties

spring.security.oauth2.client.registration.azure.authorization-grant-type=authorization_code
spring.security.oauth2.client.registration.azure.redirect-uri={baseUrl}/login/oauth2/code/{registrationId}
spring.security.oauth2.client.registration.azure.scope=User.read
spring.security.oauth2.client.registration.azure.client-id=<<<My client ID>>>
spring.security.oauth2.client.registration.azure.client-secret=<<<My secret>>>
spring.security.oauth2.client.provider.azure.issuer-uri=https://login.microsoftonline.com/<<<Tenant id>>>/v2.0

azure.activedirectory.tenant-id=<<<Tenant id>>>
azure.activedirectory.active-directory-groups=Bench,Internal Projects

spring.cloud.gateway.routes[0].id=<<<App ID>>>
spring.cloud.gateway.routes[0].uri=<<<App URI>>>
spring.cloud.gateway.routes[0].predicates[0]=Path=<<<Path>>>
spring.cloud.gateway.routes[0].filters[0]=RewritePath=<<<Rewrit Path>>>
spring.cloud.gateway.default-filters[0]=TokenRelay

azure.activedirectory.client-id=<<<ID>>>
azure.activedirectory.client-secret=<<<Secret>>>

这是我的设置。我还尝试将其添加到我的应用程序中。属性：

spring.security.oauth2.resourceserver.jwt.jwk-set-uri=https://login.microsoftonline.com/common/discovery/keys 

（我还尝试了v2.0端点）

当我这样做时，我会得到这个错误：

Thu Jan 23 15:40:36 EST 2020
There was an unexpected error (type=Internal Server Error, status=500).
Signed JWT rejected: Invalid signature
com.nimbusds.jose.proc.BadJWSException: Signed JWT rejected: Invalid signature
    at com.nimbusds.jwt.proc.DefaultJWTProcessor.<clinit>(DefaultJWTProcessor.java:103)
    at org.springframework.security.oauth2.jwt.NimbusJwtDecoder$JwkSetUriJwtDecoderBuilder.processor(NimbusJwtDecoder.java:283)
    at org.springframework.security.oauth2.jwt.NimbusJwtDecoder$JwkSetUriJwtDecoderBuilder.build(NimbusJwtDecoder.java:298)
    at org.springframework.boot.autoconfigure.security.oauth2.resource.servlet.OAuth2ResourceServerJwtConfiguration$JwtDecoderConfiguration.jwtDecoderByJwkKeySetUri(OAuth2ResourceServerJwtConfiguration.java:68)

Thu Jan 23 15:40:36美国东部时间2020年
出现意外错误（类型=内部服务器错误，状态=500）。
签名JWT被拒绝：签名无效
com.nimbusds.jose.proc.BadJWSException:已签名JWT已拒绝：签名无效
在com.nimbusds.jwt.proc.DefaultJWTProcessor上。（DefaultJWTProcessor.java:103）
位于org.springframework.security.oauth2.jwt.NimbusJwtDecoder$JwkSetUriJwtDecoderBuilder.processor（NimbusJwtDecoder.java:283）
位于org.springframework.security.oauth2.jwt.NimbusJwtDecoder$JwkSetUriJwtDecoderBuilder.build（NimbusJwtDecoder.java:298）
位于org.springframework.boot.autoconfigure.security.oauth2.resource.servlet.OAuth2ResourceServerJwtConfiguration$JwtDecoderConfiguration.jwtDecoderByJwkKeySetUri（OAuth2ResourceServerJwtConfiguration.java:68）

据我所知，下游服务应该调用MicrosoftGraph来获取用户信息/权限，并在Spring上下文中设置这些信息/权限。看起来它在过滤之前就失败了

---

有人能帮我解决这个Azure问题吗？

你能解决这个问题吗？我也有类似的问题。