英文:
Does Spring Security issuer url support service by name using a discovery-service?
问题
我有一个正在运行的授权服务器,已在我的Eureka发现服务上注册,名称为authorization-server。 对于我的一个微服务,我使用该授权服务器的名称配置Spring Security如下:
spring:
security:
oauth2:
resourceserver:
jwt:
issuer-uri: http://authorization-server
当我调用具有上述配置的微服务时,如果我发送一个JWT声明,我会得到以下错误:
Caused by: java.net.UnknownHostException: Failed to resolve 'authorization-server' [A(1), AAAA(28)] after 12 queries
似乎我不能使用可发现的服务名称作为发行者URL。 是这样吗,还是我没有使用正确的约定?
英文:
I have a authorization server running and is registered on my eureka discovery service with name authorization-server. For one of my microservice I am using that authorization-server name for spring-security as follows:
spring:
security:
oauth2:
resourceserver:
jwt:
issuer-uri: http://authorization-server
When I make a call to this microservice that has the above config I get this error when I send in a jwt claim:
Caused by: java.net.UnknownHostException: Failed to resolve 'authorization-server' [A(1), AAAA(28)] after 12 queries
It seems like I can't use a discoverable service name for the issuer url. Is that right or am I not using a correct convention?
答案1
得分: 1
关于“Spring Security的发行者URL是否支持通过发现服务按名称支持服务”的答案是“可能不支持”:如果存在issuer-uri,则它用于两个目的:
- 向JwtDecoder添加发行者验证器。此验证器将要求访问令牌的
iss声明与您在配置中定义的内容完全相符(即使是尾随斜杠,如果有的话,也很重要) - 如果
jwk-set-uri属性丢失,尝试获取OpenID配置(在类似{issuer-uri}/.well-known/openid-configuration的URI处)以及在此配置中找到的端点中的JWK集。
因此,除非授权服务器使用其名称在发现服务中设置访问令牌中的iss声明,否则您不能将此名称用作Spring Boot配置中的issuer-uri。
根据您当前的配置(没有jwk-set-uri),使用授权服务器的“public”名称应该解决您的问题。您可以在任何访问令牌中找到此URI(https://jwt.io可以帮助您读取访问令牌的有效负载)。
但实际上有三种选项:
- 您对发行者验证不感兴趣,然后省略
issuer-uri属性,只定义jwk-set-uri - 您希望进行发行者验证,并且资源服务器可以使用访问令牌的
iss声明中的URI访问授权服务器,然后在配置中使用该URI设置issuer-uri(如果您的授权服务器是OIDC,请在配置中省略jwk-set-uri,它将自动解析) - 您希望进行发行者验证,但资源服务器无法使用访问令牌的
iss声明中的URI访问授权服务器,然后仍然使用该URI在配置中设置issuer-uri并设置jwk-set-uri
在设置时(最后两种情况),jwk-set-uri中使用的主机名在资源服务器上解析,并且必须从那里可访问以获取令牌的公共签名密钥。
英文:
The answer to "Does Spring Security issuer url support service by name using a discovery-service?" is "probably not": if present, the issuer-uri is used for two things:
- add an issuer validator to the JwtDecoder. This validator Will require access tokens
issclaim to be exactly what you define in your conf (even trailing slash, if any, is important) - if
jwk-set-uriproperty is missing, try to fetch OpenID configuration (at URIs like{issuer-uri}/.well-known/openid-configuration) and then the JWK-set from the endpoint it finds in this conf.
So, unless the authorization server uses its name in the discovery service to set the iss claim in the access tokens it emits, you can't use this name as issuer-uri in Spring Boot configuration.
Given your current conf (no jwk-set-uri), using the "public" name for the authorization-server should solve your problem. You'll find this URI in any access token (https://jwt.io can help you read an access token payload).
But there are actually three options:
- you are not interested in the issuer validation, then omit the
issuer-uriproperty and define just thejwk-set-uri - you want the issuer validation and the resource server can reach the Authorization server using the URI in
issclaim of access-tokens, then use that URI for settingissuer-uriin your conf (and, if your authorisation server is OIDC, omitjwk-set-uriin your conf, it will be automatically resolved) - you want the issuer validation but the resource server can not reach the Authorization server using the URI in
issclaim of access-tokens, then use that URI anyway for settingissuer-uriin your conf and set thejwk-set-uri
When set (the last two cases) the hostname used in jwk-set-uri is resolved on the resource server and must be accessible from there to fetch the tokens public signing key.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论