尝试在SpringBoot中使用OneLogin OIDC时出错（错误：redirect_uri_mismatch）

2024-05-06 • 问答

几天以来，我一直在尝试将OneLogin OIDC与SpringBoot连接起来，但现在还不能。

我是OIDC的新手，所以，也许我缺少一些基本知识。

我已按照“ OpenLogin管理”面板中的以下说明进行操作： https://developers.onelogin.com/openid-connect/connect-to-onelogin

尝试了（主分支）中的代码： https://github.com/onelogin/onelogin-oidc-java/tree/master/spring-boot-app

发现几天前在同一存储库中有一个拉取请求，其解决方案非常不同（karson-demo-2019-oct分支）： https://github.com/onelogin/onelogin-oidc-java/tree/karson-demo-2019-oct/spring-boot-app

但不幸的是，该解决方案无法正常工作。

我使用的是karson-demo-2019-oct分支的相同代码，仅向YAML文件添加了一些属性（请参见下文）

我在OneLogin管理面板中将重定向URI配置为https://localhost:8081/。我转到https://localhost:8081/后，单击“单击此处”，出现以下错误：

oops! something went wrong
error: redirect_uri_mismatch
error_description: redirect_uri did not match any client's registered redirect_uris
state: bi14wv

URL类似于：

https://openid-connect.onelogin.com/oidc/auth?client_id=XXXXXXXXXXXXXXXXXXXXXX&redirect_uri=https://localhost:8081/login&response_type=code&scope=openid%20profile%20email&state=bi14wv

如果我在OneLogin“管理”面板的“重定向URI”列表中添加https://localhost:8081/login（最后带有“ login”），则会发生以下情况：当我转到https://localhost:8081/并单击“单击此处”时，将显示OneLogin表单。然后，我用我的用户登录，然后出现以下消息：

Whitelabel Error Page
This application has no explicit mapping for /error,so you are seeing this as a fallback.
Tue Nov 05 15:32:02 PST 2019
There was an unexpected error (type=Unauthorized,status=401).
Unauthorized

此错误页面的网址类似于：

https://localhost:8081/login?code=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX&state=ZZZZZ

如您所见，在指定的重定向URI（https://localhost:8081）之后有一个“登录”，我认为这可能是由于在解决方案中编写了index.html的方式。

由于OneLogin门户网站不接受带有http（仅https）的重定向URI，因此我需要在application.yml中添加几行以启用SSL：

security:
  oauth2:
    client:
      clientId: XXXXXXXXXXXXXXXXXXXXXX
      clientSecret: XXXXXXXXXXXXXXXXXXXXX
      accessTokenUri: https://openid-connect.onelogin.com/oidc/token
      userauthorizationUri: https://openid-connect.onelogin.com/oidc/auth
      tokenName: access_token
      authorizedGrantTypes: authorization_code
      authenticationScheme: form
      clientAuthenticationScheme: form
      scope: openid,profile,email
    resource:
      userInfoUri: https://openid-connect.onelogin.com/oidc/me

server:
  port : 8081
  ssl:
    key-store-type: pkcs12
    key-store: classpath:XXXXXXXXXXXX
    key-store-password: XXXXXXXXXXXX
    key-alias: XXXXXXXXXXX

这是正确的吗？您能帮我找出我想念的东西吗？

xingtianxxxxx 回答：尝试在SpringBoot中使用OneLogin OIDC时出错（错误：redirect_uri_mismatch）

几件事：

我对您正在运行的演示客户端不熟悉，但是看起来正确的是，客户端生成的请求中的redirect_uri包含/login，并且您正确地将其添加到了您的demo_uris列表中配置界面
https://localhost:8081/login?code=XX是来自成功身份验证的正确响应，问题必须出在客户端处理响应的方式以及HTML /login期望在您的应用中呈现的内容
OneLogin确实为http支持localhost，因此您不必麻烦SSL

我尝试了由OneLogin-https://developers.onelogin.com/openid-connect/samples提供的相同的演示客户端（Java Spring-授权代码流），并获得了未授权（401）。

启用了Spring Security DEBUG日志，发现无法获取访问令牌。

如果需要任何其他配置来获取访问令牌，请让我来。

这是跟踪日志：

2020-01-14 17:45:00.487 DEBUG 17920 --- [nio-8081-exec-6] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/login'; against '/login'

2020-01-14 17:45:00.487 DEBUG 17920 --- [nio-8081-exec-6] uth2ClientAuthenticationProcessingFilter : Request is to process authentication

2020-01-14 17:45:00.495 DEBUG 17920 --- [nio-8081-exec-6] g.c.AuthorizationCodeAccessTokenProvider : Retrieving token from https://openid-connect.onelogin.com/oidc/token

2020-01-14 17:45:00.498 DEBUG 17920 --- [nio-8081-exec-6] g.c.AuthorizationCodeAccessTokenProvider : Encoding and sending form: {grant_type=[authorization_code],code=[YTAyOTgxYzctNmU4ZC00OTY1LTk2MjItNDc0YjE1YTQ1ZjMwXbQWtr74HMgMIv5K1ygC6xOiZzfO237Hq81l6zQ9JKGsT2xpkwrTrtojNvrirPK-vbQGrpk7ngg_9BQlgkeCnQ],redirect_uri=[http://localhost:8081/login],client_id=[***************],client_secret=[*********************************]}

2020-01-14 17:45:01.089 DEBUG 17920 --- [nio-8081-exec-6] uth2ClientAuthenticationProcessingFilter : Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Could not obtain access token


org.springframework.security.authentication.BadCredentialsException: Could not obtain access token
    at org.springframework.security.oauth2.client.filter.OAuth2ClientAuthenticationProcessingFilter.attemptAuthentication(OAuth2ClientAuthenticationProcessingFilter.java:107) ~[spring-security-oauth2-2.3.4.RELEASE.jar:na]
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212) ~[spring-security-web-5.2.0.RELEASE.jar:5.2.0.RELEASE]
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.2.0.RELEASE.jar:5.2.0.RELEASE]
    at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116) [spring-security-web-5.2.0.RELEASE.jar:5.2.0.RELEASE]
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.2.0.RELEASE.jar:5.2.0.RELEASE]
    at org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:117) [spring-security-web-5.2.0.RELEASE.jar:5.2.0.RELEASE]
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.2.0.RELEASE.jar:5.2.0.RELEASE]
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.2.0.RELEASE.jar:5.2.0.RELEASE]
    at org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:92) [spring-security-web-5.2.0.RELEASE.jar:5.2.0.RELEASE]
    at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:77) [spring-security-web-5.2.0.RELEASE.jar:5.2.0.RELEASE]
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.2.0.RELEASE.jar:5.2.0.RELEASE]
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.2.0.RELEASE.jar:5.2.0.RELEASE]
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105) [spring-security-web-5.2.0.RELEASE.jar:5.2.0.RELEASE]
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.2.0.RELEASE.jar:5.2.0.RELEASE]
    at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56) [spring-security-web-5.2.0.RELEASE.jar:5.2.0.RELEASE]
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.2.0.RELEASE.jar:5.2.0.RELEASE]
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.2.0.RELEASE.jar:5.2.0.RELEASE]
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215) [spring-security-web-5.2.0.RELEASE.jar:5.2.0.RELEASE]
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178) [spring-security-web-5.2.0.RELEASE.jar:5.2.0.RELEASE]
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358) [spring-web-5.2.0.RELEASE.jar:5.2.0.RELEASE]
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271) [spring-web-5.2.0.RELEASE.jar:5.2.0.RELEASE]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-embed-core-9.0.27.jar:9.0.27]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-embed-core-9.0.27.jar:9.0.27]
    at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100) [spring-web-5.2.0.RELEASE.jar:5.2.0.RELEASE]
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.2.0.RELEASE.jar:5.2.0.RELEASE]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-embed-core-9.0.27.jar:9.0.27]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-embed-core-9.0.27.jar:9.0.27]
    at org.springframework.security.oauth2.client.filter.OAuth2ClientContextFilter.doFilter(OAuth2ClientContextFilter.java:60) [spring-security-oauth2-2.3.4.RELEASE.jar:na]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-embed-core-9.0.27.jar:9.0.27]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-embed-core-9.0.27.jar:9.0.27]
    at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93) [spring-web-5.2.0.RELEASE.jar:5.2.0.RELEASE]
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.2.0.RELEASE.jar:5.2.0.RELEASE]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-embed-core-9.0.27.jar:9.0.27]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-embed-core-9.0.27.jar:9.0.27]
    at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201) [spring-web-5.2.0.RELEASE.jar:5.2.0.RELEASE]
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.2.0.RELEASE.jar:5.2.0.RELEASE]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-embed-core-9.0.27.jar:9.0.27]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-embed-core-9.0.27.jar:9.0.27]
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202) [tomcat-embed-core-9.0.27.jar:9.0.27]
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) [tomcat-embed-core-9.0.27.jar:9.0.27]
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:526) [tomcat-embed-core-9.0.27.jar:9.0.27]
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139) [tomcat-embed-core-9.0.27.jar:9.0.27]
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) [tomcat-embed-core-9.0.27.jar:9.0.27]
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) [tomcat-embed-core-9.0.27.jar:9.0.27]
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) [tomcat-embed-core-9.0.27.jar:9.0.27]
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:408) [tomcat-embed-core-9.0.27.jar:9.0.27]
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) [tomcat-embed-core-9.0.27.jar:9.0.27]
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:861) [tomcat-embed-core-9.0.27.jar:9.0.27]
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1579) [tomcat-embed-core-9.0.27.jar:9.0.27]
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat-embed-core-9.0.27.jar:9.0.27]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [na:1.8.0_222]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [na:1.8.0_222]
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-embed-core-9.0.27.jar:9.0.27]
    at java.lang.Thread.run(Thread.java:748) [na:1.8.0_222]

Caused by: org.springframework.security.oauth2.client.resource.OAuth2AccessDeniedException: Error requesting access token.
    at org.springframework.security.oauth2.client.token.OAuth2AccessTokenSupport.retrieveToken(OAuth2AccessTokenSupport.java:145) ~[spring-security-oauth2-2.3.4.RELEASE.jar:na]
    at org.springframework.security.oauth2.client.token.grant.code.AuthorizationCodeAccessTokenProvider.obtainAccessToken(AuthorizationCodeAccessTokenProvider.java:209) ~[spring-security-oauth2-2.3.4.RELEASE.jar:na]
    at org.springframework.security.oauth2.client.OAuth2RestTemplate.acquireAccessToken(OAuth2RestTemplate.java:221) ~[spring-security-oauth2-2.3.4.RELEASE.jar:na]
    at org.springframework.security.oauth2.client.OAuth2RestTemplate.getAccessToken(OAuth2RestTemplate.java:173) ~[spring-security-oauth2-2.3.4.RELEASE.jar:na]
    at org.springframework.security.oauth2.client.filter.OAuth2ClientAuthenticationProcessingFilter.attemptAuthentication(OAuth2ClientAuthenticationProcessingFilter.java:105) ~[spring-security-oauth2-2.3.4.RELEASE.jar:na]
    ... 53 common frames omitted

Caused by: org.springframework.web.client.HttpClientErrorException$Unauthorized: 401 Unauthorized
    at org.springframework.web.client.HttpClientErrorException.create(HttpClientErrorException.java:81) ~[spring-web-5.2.0.RELEASE.jar:5.2.0.RELEASE]
    at org.springframework.web.client.DefaultResponseErrorHandler.handleError(DefaultResponseErrorHandler.java:123) ~[spring-web-5.2.0.RELEASE.jar:5.2.0.RELEASE]
    at org.springframework.web.client.DefaultResponseErrorHandler.handleError(DefaultResponseErrorHandler.java:102) ~[spring-web-5.2.0.RELEASE.jar:5.2.0.RELEASE]
    at org.springframework.security.oauth2.client.token.OAuth2AccessTokenSupport$AccessTokenErrorHandler.handleError(OAuth2AccessTokenSupport.java:246) ~[spring-security-oauth2-2.3.4.RELEASE.jar:na]
    at org.springframework.web.client.ResponseErrorHandler.handleError(ResponseErrorHandler.java:63) ~[spring-web-5.2.0.RELEASE.jar:5.2.0.RELEASE]
    at org.springframework.web.client.RestTemplate.handleResponse(RestTemplate.java:785) ~[spring-web-5.2.0.RELEASE.jar:5.2.0.RELEASE]
    at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:743) ~[spring-web-5.2.0.RELEASE.jar:5.2.0.RELEASE]
    at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:698) ~[spring-web-5.2.0.RELEASE.jar:5.2.0.RELEASE]
    at org.springframework.security.oauth2.client.token.OAuth2AccessTokenSupport.retrieveToken(OAuth2AccessTokenSupport.java:137) ~[spring-security-oauth2-2.3.4.RELEASE.jar:na]

java onelogin spring spring-boot spring-security

本文链接：https://www.f2er.com/3155547.html

尝试在SpringBoot中使用OneLogin OIDC时出错（错误：redirect_uri_mismatch）

xingtianxxxxx 回答：尝试在SpringBoot中使用OneLogin OIDC时出错（错误：redirect_uri_mismatch）

大家都在问