我正在使用Spring Security OAuth2和OAuth2RestTemplate实现OAuth 2.0安全REST API的客户端。流动经历的步骤,以获得成功的访问令牌:OAuth2RestTemplate不记名令牌类型
response.statusCode = 200
response.body = {"access_token":"9b90f8a84b939b8437a4fbaa8fff0052839cf6f5","expires_in":3600,"token_type":"bearer","scope":" read write","refresh_token":"e164f317a1708c3664025e9e56ce605cfe710474”}
然而,当代码尝试使用OAuth2RestTemplate访问受保护的资源,响应不成功:
GET request for "https://redacted.com/api/v1/clients" resulted in 400 (Bad Request)
这是因为DefaultOAuth2RequestAuthenticator使用与access_token一起返回的token_type值(“承载”)形成对受保护资源的请求的认证报头:
request.getHeaders().set("Authorization", String.format("%s %s", tokenType, accessToken.getValue()));
这导致在请求授权报头的凭证字段被前缀字符串“承载”:
Request Header: "Authorization" "bearer a8f18cb3173c4cbbea44f4495dd5e5662156c391"
然而,根据的OAuth 2.0承载令牌使用规范第2.1节授权请求报头字段,格式凭证字段是:
凭证= “承载” 1 * SP b64token
。注意,在该规范, “承载” 是大写。这意味着,请求头应该是:
Request Header: "Authorization" "Bearer a8f18cb3173c4cbbea44f4495dd5e5662156c391"
显然,供应商我们将请求发送到实现规范狭隘,因为资本化发行(“承载”与“载体”)是什么导致请求到受保护资源失败。当我改变DefaultOAuth2RequestAuthenticator的前缀强制所有权的情况下,请求成功:
if ("bearer".equals(tokenType)) {
tokenType = "Bearer";
}
Header key = Authorization values = Bearer 8efd4381f3470660291e700e4927012f288ad66c,
Sending GET request to https://redacted.com/api/v1/clients
Received "200 OK" response for GET request to https://redacted.com/api/v1/clients: [[{"id":"999999999","client_user_id":"a1b2c3d4e5f6"...
我真的不希望有我自己的叉子春季安全的OAuth2来解决这个问题。这对任何人都有效?我错过了什么吗?