Java: Authentication with Azure AD, Spring Gateway and multiple microservices
I have been trying to work this out for a few weeks and I am stumped. We are trying to migrate to SSO, and I am running into problems when the gateway sends the token to the downstream services. Authentication works fine in the gateway, and I can correctly see the authenticated user in the Spring context. I am using Spring Boot 2.2.0. When the request reaches the downstream service, I get this error:
There was an unexpected error (type=Internal Server Error, status=500).
Signed JWT rejected: Invalid signature
com.nimbusds.jose.proc.BadJWSException: Signed JWT rejected: Invalid signature
at com.nimbusds.jwt.proc.DefaultJWTProcessor.<clinit>(DefaultJWTProcessor.java:103)
at com.microsoft.azure.spring.autoconfigure.aad.UserPrincipalManager.getAadJwtTokenValidator(UserPrincipalManager.java:94)
at com.microsoft.azure.spring.autoconfigure.aad.UserPrincipalManager.buildUserPrincipal(UserPrincipalManager.java:85)
at com.microsoft.azure.spring.autoconfigure.aad.AADAuthenticationFilter.doFilterInternal(AADAuthenticationFilter.java:78)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
SecurityConfig

// Reactive (WebFlux) filter chain built on ServerHttpSecurity
@Bean
public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) throws Exception {
    http
        .csrf()
            .disable()
        .authorizeExchange()
            .pathMatchers("/eureka/**").hasAnyAuthority("SUPER_ADMIN")
            .anyExchange().authenticated()
        .and()
        .oauth2Login();
    return http.build();
}

// Servlet filter chain built on HttpSecurity, with the AAD authentication filter
@Autowired
private AADAuthenticationFilter aadAuthFilter;

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .csrf()
            .disable()
        .sessionManagement()
            .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .and()
        .authorizeRequests().anyRequest().permitAll()
        .and()
        .addFilterBefore(aadAuthFilter, UsernamePasswordAuthenticationFilter.class)
        .exceptionHandling()
            .authenticationEntryPoint(globalAuthEntryPoint);
}
Dependencies:
dependencies {
    implementation "io.jsonwebtoken:jjwt:0.7.0"
    implementation "jakarta.xml.bind:jakarta.xml.bind-api:2.3.2"
    implementation "org.glassfish.jaxb:jaxb-runtime:2.3.2"
    compile "org.springframework.security:spring-security-oauth2-client"
    compile "com.microsoft.azure:azure-active-directory-spring-boot-starter:2.2.2"
    implementation "org.springframework.boot:spring-boot-starter-logging"
    compile "org.springframework.boot:spring-boot-starter-security"
    implementation "org.springframework.boot:spring-boot-starter-data-redis"
    implementation "org.springframework.cloud:spring-cloud-starter-gateway"
    implementation "org.springframework.cloud:spring-cloud-starter-security"
    implementation "org.springframework.cloud:spring-cloud-starter-consul-all"
    implementation "org.springframework.cloud:spring-cloud-starter-config"
    implementation "redis.clients:jedis:3.1.0"
}
With this configuration, the Spring context is set in the gateway, the path hits the correct API and endpoint, and an access token is passed downstream to my service.
Now, for my downstream API:
Application.properties
spring.security.oauth2.client.registration.azure.authorization-grant-type=authorization_code
spring.security.oauth2.client.registration.azure.redirect-uri={baseUrl}/login/oauth2/code/{registrationId}
spring.security.oauth2.client.registration.azure.scope=User.read
spring.security.oauth2.client.registration.azure.client-id=<<<My client ID>>>
spring.security.oauth2.client.registration.azure.client-secret=<<<My secret>>>
spring.security.oauth2.client.provider.azure.issuer-uri=https://login.microsoftonline.com/<<<Tenant id>>>/v2.0
azure.activedirectory.tenant-id=<<<Tenant id>>>
azure.activedirectory.active-directory-groups=Bench,Internal Projects
spring.cloud.gateway.routes[0].id=<<<App ID>>>
spring.cloud.gateway.routes[0].uri=<<<App URI>>>
spring.cloud.gateway.routes[0].predicates[0]=Path=<<<Path>>>
spring.cloud.gateway.routes[0].filters[0]=RewritePath=<<<Rewrit Path>>>
spring.cloud.gateway.default-filters[0]=TokenRelay
azure.activedirectory.client-id=<<<ID>>>
azure.activedirectory.client-secret=<<<Secret>>>
This is my setup. I have also tried adding this to my application.properties:
spring.security.oauth2.resourceserver.jwt.jwk-set-uri=https://login.microsoftonline.com/common/discovery/keys
(I also tried the v2.0 endpoint.)
When I do that, I get this error:
Thu Jan 23 15:40:36 EST 2020
There was an unexpected error (type=Internal Server Error, status=500).
Signed JWT rejected: Invalid signature
com.nimbusds.jose.proc.BadJWSException: Signed JWT rejected: Invalid signature
at com.nimbusds.jwt.proc.DefaultJWTProcessor.<clinit>(DefaultJWTProcessor.java:103)
at org.springframework.security.oauth2.jwt.NimbusJwtDecoder$JwkSetUriJwtDecoderBuilder.processor(NimbusJwtDecoder.java:283)
at org.springframework.security.oauth2.jwt.NimbusJwtDecoder$JwkSetUriJwtDecoderBuilder.build(NimbusJwtDecoder.java:298)
at org.springframework.boot.autoconfigure.security.oauth2.resource.servlet.OAuth2ResourceServerJwtConfiguration$JwtDecoderConfiguration.jwtDecoderByJwkKeySetUri(OAuth2ResourceServerJwtConfiguration.java:68)
As far as I understand, the downstream service should call Microsoft Graph to get the user's info/permissions and set them in the Spring context. It looks like it fails before the filter runs.
Can anyone help me sort out this Azure problem? Did you manage to solve it? I have a similar problem.
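A diagnostic check, added here as an example and not code from the question: before a resource server reaches the signature step, inspect the relayed token's header and claims against the key set it actually fetched from jwk-set-uri (is the kid present, is the alg the expected one, was the token issued by the expected tenant and for this API). The key set, kid, issuer and audience values below are constructed placeholders.

```python
import base64
import json
import time

# Constructed stand-in for the JWKS a resource server downloads from
# spring.security.oauth2.resourceserver.jwt.jwk-set-uri (placeholder modulus).
SAMPLE_JWKS = {"keys": [
    {"kty": "RSA", "use": "sig", "kid": "gateway-key-1", "alg": "RS256",
     "n": "placeholder-modulus", "e": "AQAB"},
]}
# Placeholder tenant issuer, in the shape of the v2.0 issuer-uri from the question.
EXPECTED_ISS = "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/v2.0"
EXPECTED_AUD = "api://downstream-placeholder"

def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_sample_token(header: dict, claims: dict) -> str:
    """Build a constructed JWT with a dummy signature; only header/claims matter here."""
    parts = [b64url_encode(json.dumps(p).encode()) for p in (header, claims)]
    return ".".join(parts + [b64url_encode(b"constructed-signature")])

def diagnose(token: str, jwks: dict, expected_iss: str, expected_aud: str, now=None) -> dict:
    """List the reasons validation is bound to fail before any signature math:
    kid absent from the key set, unexpected alg, wrong issuer, wrong audience, expiry."""
    header_b64, claims_b64, _sig = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    claims = json.loads(b64url_decode(claims_b64))
    known_kids = {k.get("kid") for k in jwks.get("keys", [])}
    now = time.time() if now is None else now
    problems = []
    if header.get("alg") != "RS256":  # reject alg confusion (none/HS256) outright
        problems.append(f"unexpected alg {header.get('alg')!r}")
    if header.get("kid") not in known_kids:  # no key to verify with -> cannot succeed
        problems.append(f"kid {header.get('kid')!r} not in fetched JWKS")
    if claims.get("iss") != expected_iss:
        problems.append(f"iss {claims.get('iss')!r} != {expected_iss!r}")
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if expected_aud not in auds:  # token minted for another resource is not ours
        problems.append(f"aud {aud!r} was not issued for this API")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    return {"kid": header.get("kid"), "ok": not problems, "problems": problems}
```

A relayed token whose kid is missing from the key set the API fetched, or whose aud names another resource, fails for reasons unrelated to the key material, so check these before chasing the signature itself.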