为什么我的令牌被拒绝？什么是资源 ID？ “无效令牌不包含资源 ID (oauth2-resource)”

我补充一个类似的问题。就我而言，我使用了 jdbc 身份验证，我的授权服务器和资源服务器是两个独立的 API。

• 授权服务器

     @Override
  public void configure(AuthorizationServerSecurityConfigurer oauthServer) {
  oauthServer.tokenKeyAccess("permitAll()")
              .checkTokenAccess("isAuthenticated()")
              .passwordEncoder(oauthClientPasswordEncoder);

}

   /**
  * Define the client details service. The client may be define either as in memory or in database.
   * Here client with be fetch from the specify database
    */
  @Override
  public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
     clients.jdbc(dataSource);
  }

  /**
  * Define the authorization by providing authentificationManager
  * And the token enhancement
   */
   @Override
  public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
  endpoints.tokenStore(tokenStore())
              .tokenEnhancer(getTokenEnhancer())
              .authenticationManager(authenticationManager).userDetailsService(userDetailsService);
   }

• 资源服务器

  public class OAuth2ResourceServerConfig extends
      ResourceServerConfigurerAdapter {

      private TokenExtractor tokenExtractor = new BearerTokenExtractor();

      @Autowired
      private DataSource dataSource;

      @Bean
      public TokenStore tokenStore() {
        return new JdbcTokenStore(dataSource);
      }

       @Override
       public void configure(HttpSecurity http) throws Exception {
             http.addFilterAfter(new OncePerRequestFilter() {
             @Override
             protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
              FilterChain filterChain) throws ServletException, IOException {
          // We don't want to allow access to a resource with no token so clear
          // the security context in case it is actually an OAuth2Authentication
          if (tokenExtractor.extract(request) == null) {
              SecurityContextHolder.clearContext();
          }
          filterChain.doFilter(request, response);
      }
  }, AbstractPreAuthenticatedProcessingFilter.class);
  http.csrf().disable();
  http.authorizeRequests().anyRequest().authenticated();
   }

    @Bean
    public AccessTokenConverter accessTokenConverter() {
       return new DefaultAccessTokenConverter();
    }

    @Bean
    public RemoteTokenServices remoteTokenServices(final @Value("${auth.server.url}") String checkTokenUrl,
      final @Value("${auth.resource.server.clientId}") String clientId,
      final @Value("${auth.resource.server.clientsecret}") String clientSecret) {

         final RemoteTokenServices remoteTokenServices = new RemoteTokenServices();
         remoteTokenServices.setCheckTokenEndpointUrl(checkTokenUrl);
         remoteTokenServices.setClientId(clientId);
         remoteTokenServices.setClientSecret(clientSecret);
        remoteTokenServices.setAccessTokenConverter(accessTokenConverter());
  return remoteTokenServices;
     }

通过这种配置，我得到了

    {
       "error": "access_denied",
       "error_description": "Invalid token does not contain resource id
       (xxxxx)"
     }

为了解决这个问题，我不得不添加

    private String resourceIds= "xxxxx". !! maked sure that this resourceids is store in oauth_client_details for the clientid I used to get the token
    @Override
    public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
          resources.resourceId(resourceIds).tokenStore(tokenStore());
      }

原文由 onlyme 发布，翻译遵循 CC BY-SA 4.0 许可协议