部署的应用无法交换OAuth2代码以获取令牌。

huangapple go评论109阅读模式
英文:

Deployed app cannot exchange oauth2 code for token

问题

以下是您要翻译的内容:

本地环境下一切正常!

然而,在将应用部署到可通过 https 访问的树莓派上的 Kubernetes k3s 集群后,用于进行 OAuth2 代码交换以获取令牌的功能无法正常工作。我目前支持通过 Google 和 GitHub 进行身份验证,但它们都存在此问题。以下是日志:

GitHub 登录失败:

org.springframework.security.oauth2.core.OAuth2AuthenticationException: 
[invalid_token_response] 在尝试检索 OAuth 2.0 访问令牌响应时出错:尝试为类型 [class org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse] 和内容类型 [application/json;charset=utf-8] 提取响应时出错;嵌套异常为 org.springframework.http.converter.HttpMessageNotReadableException: 读取 OAuth 2.0 访问令牌响应时出错:tokenValue 不能为空;嵌套异常为 java.lang.IllegalArgumentException: tokenValue 不能为空

Google 登录失败:

org.springframework.security.oauth2.core.OAuth2AuthenticationException: 
[invalid_token_response] 在尝试检索 OAuth 2.0 访问令牌响应时出错:POST 请求“https://www.googleapis.com/oauth2/v4/token”时发生 I/O 错误:无效的 ECDH ServerKeyExchange 签名;嵌套异常为 javax.net.ssl.SSLHandshakeException: 无效的 ECDH ServerKeyExchange 签名

我已尝试过:

我认为可能是从 Kubernetes 集群内部发送 https 请求的问题,但我连接到运行中的 pod 并使用 curl 命令访问 https://google.com,结果工作正常。

你们有没有遇到过这样的问题?

@edit
我正在使用 Java 11

@edit2
在我的树莓派上似乎存在 Docker 问题。使用 curl 命令进行 https 请求工作正常,但在 Java 中使用 RestTemplate 不起作用。

@edit3
找到了一个相关问题:https://github.com/docker-library/tomcat/issues/182

英文:

Locally everything works!

However, after a deployment to my Kubernetes k3s cluster on raspberrypi, which is accessible via https domain the oauth2 code exchange for token feature doesn't work. I currently support authentication via Google and GitHub and both of them have this problem. Below are the logs:

GitHub login failure:

org.springframework.security.oauth2.core.OAuth2AuthenticationException: 
[invalid_token_response] An error occurred while attempting to retrieve the OAuth 2.0 Access Token Response: Error while extracting response for type [class org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse] and content type [application/json;charset=utf-8]; 
nested exception is org.springframework.http.converter.HttpMessageNotReadableException: An error occurred reading the OAuth 2.0 Access Token Response: tokenValue cannot be empty; 
nested exception is java.lang.IllegalArgumentException: tokenValue cannot be empty

Google login failure:

org.springframework.security.oauth2.core.OAuth2AuthenticationException: 
[invalid_token_response] An error occurred while attempting to retrieve the OAuth 2.0 Access Token Response: I/O error on POST request for "https://www.googleapis.com/oauth2/v4/token": Invalid ECDH ServerKeyExchange signature; 
nested exception is javax.net.ssl.SSLHandshakeException: Invalid ECDH ServerKeyExchange signature

What I've already tried:

I thought it might be a problem with sending https requests from within my Kubernetes cluster, but I connected to the running pod and curled https://google.com and it worked just fine.

Have any of you guys encountered such a problem?

@edit
I'm using Java 11

@edit2
There seems to be a problem with docker on my raaspberrypi. Curling https requests work fine, but using RestTemplate in Java doesn't work

@edit3
Found a related issue https://github.com/docker-library/tomcat/issues/182

答案1

得分: 1

假设您在本地和 Kubernetes 中使用完全相同的容器/可执行文件/库,并根据您分享的错误消息,最有可能的原因是本地环境和 Kubernetes 环境之间的凭据和/或私钥不同。

尽管针对 GitHub 和 Google 的错误看起来不同。第一个错误(GitHub)似乎是您发送了一个空令牌。

第二个错误(Google)似乎是您发送了一个与证书不匹配的私钥。根据类似的 Java 错误

> "Invalid ECDH ServerKeyExchange signature" 可能表示一个密钥和相应的证书不匹配,导致握手失败。验证您为配置的证书颁发机构、证书和密钥使用的每个文件的内容。特别是,请检查密钥和证书是否属于同一密钥对。

英文:

Assuming you are using the exact same container/executable/libraries both locally and Kubernetes and based on the error messages that you shared, the most likely reason is different credentials and/or private keys between your local environment and your Kubernetes environment.

The errors look different for Github and Google though. The first error (GitHub) seems like you are sending an empty token.

The second error (Google) seems like you are sending an private key that doesn't match a certificate. Based on similar Java errors:

> The Invalid ECDH ServerKeyExchange signature can indicate that a key
> and a corresponding certificate don’t match and are causing the
> handshake to fail. Verify the contents of each of the files you are
> using for your configured certificate authorities, certificates and
> keys. In particular, check that the key and certificate belong to the
> same key pair.

答案2

得分: 1

问题已解决,与Spring或OAuth配置无关。

Adoptopenjdk针对ARM的Docker镜像存在问题。这会导致无法进行HTTPS请求,即使使用以下示例也会失败:

RestTemplate().getForEntity("https://google.com", String::class.java)

因此,解决方法是在我的Dockerfile中将破损的基础镜像替换为以下内容:

之前:

FROM adoptopenjdk/openjdk11:armv7l-ubuntu-jdk-11.0.6_10-slim

现在:

FROM arm32v7/openjdk:11.0.3-slim
英文:

Problem Solved and is not connected with spring or oauth configuration at all.

Adoptopenjdk Docker image for arm is broken. It prevents making https requests. Even the following example failed:

RestTemplate().getForEntity("https://google.com", String::class.java)

So the solution is to swap broken base image in my Dockerfile like this:

Previous:

FROM adoptopenjdk/openjdk11:armv7l-ubuntu-jdk-11.0.6_10-slim

Current:

FROM arm32v7/openjdk:11.0.3-slim

huangapple
  • 本文由 发表于 2020年5月4日 04:01:58
  • 转载请务必保留本文链接:https://go.coder-hub.com/61580867.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定