使用 Azure AD、Spring Gateway 和多个微服务进行身份验证

Question

几个星期以来，我一直在努力解决这个问题，但被难住了。

我们正在尝试迁移到 SSO，当网关将令牌发送到下游服务时我遇到了一些问题。身份验证在网关中工作正常，我能够在 Spring 上下文中正确查看经过身份验证的用户。

我正在使用 Spring Boot 2.2.0。

当请求到达下游时，我收到错误

There was an unexpected error (type=Internal Server Error, status=500).
Signed JWT rejected: Invalid signature
com.nimbusds.jose.proc.BadJWSException: Signed JWT rejected: Invalid signature
    at com.nimbusds.jwt.proc.DefaultJWTProcessor.<clinit>(DefaultJWTProcessor.java:103)
    at com.microsoft.azure.spring.autoconfigure.aad.UserPrincipalManager.getAadJwtTokenValidator(UserPrincipalManager.java:94)
    at com.microsoft.azure.spring.autoconfigure.aad.UserPrincipalManager.buildUserPrincipal(UserPrincipalManager.java:85)
    at com.microsoft.azure.spring.autoconfigure.aad.AADAuthenticationFilter.doFilterInternal(AADAuthenticationFilter.java:78)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)

在我开始介绍到目前为止通过调试学到的知识之前，让我向您展示我在应用程序中的所有配置：

弹簧网关：

Application.properties

spring.security.oauth2.client.registration.azure.authorization-grant-type=authorization_code
spring.security.oauth2.client.registration.azure.redirect-uri={baseUrl}/login/oauth2/code/{registrationId}
spring.security.oauth2.client.registration.azure.scope=User.read
spring.security.oauth2.client.registration.azure.client-id=<<<My client ID>>>
spring.security.oauth2.client.registration.azure.client-secret=<<<My secret>>>
spring.security.oauth2.client.provider.azure.issuer-uri=https://login.microsoftonline.com/<<<Tenant id>>>/v2.0

azure.activedirectory.tenant-id=<<<Tenant id>>>
azure.activedirectory.active-directory-groups=Bench,Internal Projects

spring.cloud.gateway.routes[0].id=<<<App ID>>>
spring.cloud.gateway.routes[0].uri=<<<App URI>>>
spring.cloud.gateway.routes[0].predicates[0]=Path=<<<Path>>>
spring.cloud.gateway.routes[0].filters[0]=RewritePath=<<<Rewrit Path>>>
spring.cloud.gateway.default-filters[0]=TokenRelay

SecurityConfig

    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) throws Exception {
        http
                .csrf()
                .disable()
                .authorizeExchange()
                .pathMatchers("/eureka/**").hasAnyAuthority("SUPER_ADMIN")
                .anyExchange().authenticated()
                .and()
                .oauth2Login();
        return http.build();

Dependencies:

dependencies {
    implementation "io.jsonwebtoken:jjwt:0.7.0"
    implementation "jakarta.xml.bind:jakarta.xml.bind-api:2.3.2"
    implementation "org.glassfish.jaxb:jaxb-runtime:2.3.2"
    compile "org.springframework.security:spring-security-oauth2-client"
    compile "com.microsoft.azure:azure-active-directory-spring-boot-starter:2.2.2"
    implementation "org.springframework.boot:spring-boot-starter-logging"
    compile "org.springframework.boot:spring-boot-starter-security"
    implementation "org.springframework.boot:spring-boot-starter-data-redis"
    implementation "org.springframework.cloud:spring-cloud-starter-gateway"
    implementation "org.springframework.cloud:spring-cloud-starter-security"
    implementation "org.springframework.cloud:spring-cloud-starter-consul-all"
    implementation "org.springframework.cloud:spring-cloud-starter-config"
    implementation "redis.clients:jedis:3.1.0"

使用此配置，Spring Context 将在网关中设置，路径命中正确的 API 和端点，并将 access_token 下游传递给我的服务

现在，对于我的下游 API：

Application.properties

azure.activedirectory.client-id=<<<ID>>>
azure.activedirectory.client-secret=<<<Secret>>>

SecurityConfig

    @Autowired
    private AADAuthenticationFilter aadAuthFilter;

            @Override
            protected void configure(HttpSecurity http) throws Exception {
                http
                        .csrf()
                        .disable()
                        .sessionManagement()
                        .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                        .and()
                        .authorizeRequests().anyRequest().permitAll()
                        .and()
                        .addFilterBefore(aadAuthFilter, UsernamePasswordAuthenticationFilter.class)
                        .exceptionHandling()
                        .authenticationEntryPoint(globalAuthEntryPoint);
            }

这是我的设置。我也尝试过将它添加到我的 application.properties 中：（ spring.security.oauth2.resourceserver.jwt.jwk-set-uri=https://login.microsoftonline.com/common/discovery/keys 我也尝试过 v2.0 端点）

当我这样做时，我收到此错误：

Thu Jan 23 15:40:36 EST 2020
There was an unexpected error (type=Internal Server Error, status=500).
Signed JWT rejected: Invalid signature
com.nimbusds.jose.proc.BadJWSException: Signed JWT rejected: Invalid signature
    at com.nimbusds.jwt.proc.DefaultJWTProcessor.<clinit>(DefaultJWTProcessor.java:103)
    at org.springframework.security.oauth2.jwt.NimbusJwtDecoder$JwkSetUriJwtDecoderBuilder.processor(NimbusJwtDecoder.java:283)
    at org.springframework.security.oauth2.jwt.NimbusJwtDecoder$JwkSetUriJwtDecoderBuilder.build(NimbusJwtDecoder.java:298)
    at org.springframework.boot.autoconfigure.security.oauth2.resource.servlet.OAuth2ResourceServerJwtConfiguration$JwtDecoderConfiguration.jwtDecoderByJwkKeySetUri(OAuth2ResourceServerJwtConfiguration.java:68)

据我了解，下游服务应该调用 Microsoft Graph 来获取用户信息/权限并将其设置在 Spring Context 中。看起来它在过滤器中失败之前就失败了。

谁能帮我弄清楚这个 Azure 的东西？