我正在使用Spring Security OAuth2和OAuth2RestTemplate實現OAuth 2.0安全REST API的客戶端。流動經歷的步驟,以獲得成功的訪問令牌:OAuth2RestTemplate不記名令牌類型
response.statusCode = 200
response.body = {"access_token":"9b90f8a84b939b8437a4fbaa8fff0052839cf6f5","expires_in":3600,"token_type":"bearer","scope":" read write","refresh_token":"e164f317a1708c3664025e9e56ce605cfe710474」}
然而,當代碼嘗試使用OAuth2RestTemplate訪問受保護的資源,響應不成功:
GET request for "https://redacted.com/api/v1/clients" resulted in 400 (Bad Request)
這是因爲DefaultOAuth2RequestAuthenticator使用與access_token一起返回的token_type值(「承載」)形成對受保護資源的請求的認證報頭:
request.getHeaders().set("Authorization", String.format("%s %s", tokenType, accessToken.getValue()));
這導致在請求授權報頭的憑證字段被前綴字符串「承載」:
Request Header: "Authorization" "bearer a8f18cb3173c4cbbea44f4495dd5e5662156c391"
然而,根據的OAuth 2.0承載令牌使用規範第2.1節授權請求報頭字段,格式憑證字段是:
憑證= 「承載」 1 * SP b64token
。注意,在該規範, 「承載」 是大寫。這意味着,請求頭應該是:
Request Header: "Authorization" "Bearer a8f18cb3173c4cbbea44f4495dd5e5662156c391"
顯然,供應商我們將請求發送到實現規範狹隘,因爲資本化發行(「承載」與「載體」)是什麼導致請求到受保護資源失敗。當我改變DefaultOAuth2RequestAuthenticator的前綴強制所有權的情況下,請求成功:
if ("bearer".equals(tokenType)) {
tokenType = "Bearer";
}
Header key = Authorization values = Bearer 8efd4381f3470660291e700e4927012f288ad66c,
Sending GET request to https://redacted.com/api/v1/clients
Received "200 OK" response for GET request to https://redacted.com/api/v1/clients: [[{"id":"999999999","client_user_id":"a1b2c3d4e5f6"...
我真的不希望有我自己的叉子春季安全的OAuth2來解決這個問題。這對任何人都有效?我錯過了什麼嗎?