Spring Boot OAuth2具有基本身份验证和自定义UserDetailsService

我正在尝试配置能够完成基本OAuth2流的OAuth2服务器（有关示例，请参阅here） .

为长期问题道歉

我的第一次尝试是能够执行 authorization_code 流程 .

我有以下配置：

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class SecurityConfig
        extends WebSecurityConfigurerAdapter {

    ....

        @Inject
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
            auth
              .userDetailsService(userDetailsService)
              .passwordEncoder(passwordEncoder());
    }

...

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .formLogin().loginPage("/login").permitAll()
                .and()
                .requestMatchers().antMatchers("/login", "/oauth/authorize", "/oauth/confirm_access")
                .and()
                .authorizeRequests().anyRequest().authenticated();
    }

...

    @Override
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }
}

我的服务器配置

@Configuration
@EnableAuthorizationServer
public class OAuth2AuthorServerConfig
        extends AuthorizationServerConfigurerAdapter {

    @Inject
    private TokenStore tokenStore;

    @Inject
    @Qualifier("authenticationManagerBean")
    private AuthenticationManager authenticationManager;

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints
            .tokenStore(tokenStore)
            .authenticationManager(authenticationManager);
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
        security
            .allowFormAuthenticationForClients()
            .checkTokenAccess("authenticated()");
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        .inMemory()
                .withClient("foo")
                .secret("foo")
                .authorizedGrantTypes("authorization_code","password", "refresh_token")
                .scopes(new String[] { "read", "write" })
    }

事实上我的授权代码流程正常！当我尝试执行密码流时问题开始如下：

POST localhost:8200/oauth/token
Content-Type: application/x-www-form-urlencoded
Accept:application/json
Authorization:Basic Zm9vOmZvbw=="
username=admin&password=admin&grant_type=password&scope=read%20write&client_secret=foo&client_id=foo&

我的问题是Authorization标头被忽略，无论结果是否相同，它都给了我access_token和refresh_token

如果我尝试按如下方式启用基本身份验证，请启用ClientUserDetailsService，从数据库JDBC中读取客户端：

public class SecurityConfig
        extends WebSecurityConfigurerAdapter {

    ....

@Bean
public ClientDetailsUserDetailsService   clientDetailsUserDetailsService(ClientDetailsService clientDetailsService){
    // JDBC clientDetailsService
    return new ClientDetailsUserDetailsService(clientDetailsService);
}


        @Inject
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
            auth
              .userDetailsService(clientDetailsUserDetailsService());
    }

...

@Override
@Bean
public AuthenticationManager authenticationManagerBean() throws Exception {
    DaoAuthenticationProvider p = new DaoAuthenticationProvider();
    p.setUserDetailsService(userDetailsService);
    p.setPasswordEncoder(passwordEncoder());
    return new ProviderManager(Lists.newArrayList(p));
    //        return super.authenticationManagerBean();
    }

    }

现在我所取得的是让基本身份验证正常工作但是我放弃了authorization_code流程，因为基本身份验证现在是针对clientid和secret而不是用户的实际凭据完成的

我错过了什么吗？我怎么能同时拥有这两种流量？请帮忙，我现在已经挣扎了好几天了 .

一些类似的问题，但没有任何运气：

• problems injecting custom userDetailsService in Spring Security OAuth2

• Spring Boot OAuth 2.0 UserDetails user not found