我使用auth0-angular获取getaccesstokensilent()并使用authorization: Bearer blablabla将access_token发送到我的后端服务器
当我尝试用这个头请求时,我的Spring安全配置开始抛出错误。
错误提示:
Caused by: org.springframework.security.oauth2.jwt.JwtException: An error occurred while attempting to decode the Jwt: class com.nimbusds.jose.JWEHeader cannot be cast to class com.nimbusds.jose.JWSHeader (com.nimbusds.jose.JWEHeader and com.nimbusds.jose.JWSHeader are in unnamed module of loader 'app')
安全配置:
@EnableWebFluxSecurity
@Configuration
public class SecurityConfig {
@Value("${spring.security.oauth2.resourceserver.jwk.issuer-uri}")
private String issuerUri;
@Bean
public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http){
http.authorizeExchange()
.pathMatchers(HttpMethod.GET,"/inventory/**").authenticated()
.anyExchange().authenticated()
.and()
.oauth2ResourceServer()
.jwt();
return http.build();
}
@Bean
public ReactiveJwtDecoder jwtDecoder() {
return ReactiveJwtDecoders.fromOidcIssuerLocation(issuerUri);
}
}
我的设置有问题吗?我从https://auth0.com/blog/introduction-getting-started-with-spring-webflux-api/
进行了spring设置另外,这就是我如何从auth0 sdk获得无效的访问令牌
test(){
this.auth.getAccessTokenSilently({"authorizationParams": {"redirectUri": "http://localhost:4200","audience": "https://dev-wwoccmoasz15dfgd.us.auth0.com/userinfo", "scope": "openid profile"}})
.subscribe(a => {
console.log(a);
})
}
你配置Angular发送受众参数了吗?如果不这样做,则返回的访问令牌不是JWT。您可以将访问令牌复制/粘贴到jwt中。看看它是否有效。下面是有观众的配置。
const config = {
domain: 'dev-06bzs1cu.us.auth0.com',
clientId: 'y3RlJzTl68eZOQyGqA0yGiJla7fyaZ88',
authorizationParams: {
audience: 'https://dev-06bzs1cu.us.auth0.com/api/v2/',
redirect_uri: window.location.origin + '/home'
},
httpInterceptor: {
allowedList: ['http://localhost:8080/*']
},
};