
I cloned https://github.com/cloudfoundry/uaa and ran the server locally to test the authorization code flow.

When I try to exchange the authorization code for a token, I get a strange error: InvalidClientException, Client ID mismatch.

My client is defined as follows:

#!/bin/bash
uaac client delete cfbrowser
# The scope list is kept on one line: a backslash inside single quotes is literal
# in bash, so a line continuation there would end up inside the scope string.
uaac client add cfbrowser -s exploradorcf \
     --authorities uaa.none \
     --authorized_grant_types authorization_code \
     --scope 'uaa.user cloud_controller.read cloud_controller.write openid password.write scim.userids cloud_controller.admin scim.read scim.write' \
     --redirect_uri "http://localhost:1223/oauth/code-grant"

With the following curl command I can obtain a token successfully. Note that this uses the built-in login client:

curl 'http://localhost:8080/uaa/oauth/token' -i -X POST -H 'Accept: application/json'\
 -H 'Content-Type: application/x-www-form-urlencoded' \
 -d 'client_id=login&client_secret=loginsecret&grant_type=authorization_code&response_type=token&token_format=opaque&redirect_uri=http%3A%2F%2Flocalhost%3A1223%2Foauth%2Fcode-grant&code=nL3MPz'
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
Date: Wed, 10 Aug 2016 17:50:27 GMT

{"access_token":"206f1b38e6ee4cbe9ace51038a4a70ad","token_type":"bearer","refresh_token":"206f1b38e6ee4cbe9ace51038a4a70ad-r","expires_in":43199,"scope":"openid oauth.approvals","jti":"206f1b38e6ee4cbe9ace51038a4a70ad"}

When I change the client_id and client_secret:

curl 'http://localhost:8080/uaa/oauth/token' -i -X POST -H 'Accept: application/json'\
 -H 'Content-Type: application/x-www-form-urlencoded' \
 -d 'client_id=cfbrowser&client_secret=exploradorcf&grant_type=authorization_code&response_type=token&token_format=opaque&redirect_uri=http%3A%2F%2Flocalhost%3A1223%2Foauth%2Fcode-grant&code=nL3MPz'

I get "Client ID mismatch":

HTTP/1.1 401 Unauthorized
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
WWW-Authenticate: Bearer error="invalid_client", error_description="Client ID mismatch"
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
Date: Wed, 10 Aug 2016 18:04:17 GMT

{"error":"invalid_client","error_description":"Client ID mismatch"}

Looking at uaa-server.log, I see the following:

[2016-08-10 22:44:42.493] cloudfoundry-identity-server - ???? [http-nio-8080-exec-8] .... DEBUG --- UaaRequestMatcher: [loginAuthenticateRequestMatcher] Checking match of request : '/uaa/oauth/authorize'; '/uaa/authenticate' with parameters={} and headers {Authorization=[bearer ], accept=[application/json]}
[2016-08-10 22:44:42.493] cloudfoundry-identity-server - ???? [http-nio-8080-exec-8] .... DEBUG --- UaaRequestMatcher: [loginAuthorizeRequestMatcher] Checking match of request : '/uaa/oauth/authorize'; '/uaa/oauth/authorize' with parameters={source=login} and headers {accept=[application/json]}
[2016-08-10 22:44:42.494] cloudfoundry-identity-server - ???? [http-nio-8080-exec-8] .... DEBUG --- UaaRequestMatcher: [loginTokenRequestMatcher] Checking match of request : '/uaa/oauth/authorize'; '/uaa/oauth/token' with parameters={source=login, grant_type=password, add_new=} and headers {Authorization=[bearer ], accept=[application/json]}
[2016-08-10 22:44:42.494] cloudfoundry-identity-server - ???? [http-nio-8080-exec-8] .... DEBUG --- UaaRequestMatcher: [loginAuthorizeRequestMatcherOld] Checking match of request : '/uaa/oauth/authorize'; '/uaa/oauth/authorize' with parameters={login={} and headers {accept=[application/json]}
[2016-08-10 22:44:42.494] cloudfoundry-identity-server - ???? [http-nio-8080-exec-8] .... DEBUG --- UaaRequestMatcher: [passcodeTokenMatcher] Checking match of request : '/uaa/oauth/authorize'; '/uaa/oauth/token' with parameters={grant_type=password, passcode=} and headers {accept=[application/json, application/x-www-form-urlencoded]}
[2016-08-10 22:44:42.494] cloudfoundry-identity-server - ???? [http-nio-8080-exec-8] .... DEBUG --- UaaRequestMatcher: [oauthAuthorizeRequestMatcher] Checking match of request : '/uaa/oauth/authorize'; '/uaa/oauth/authorize' with parameters={response_type=token, source=credentials} and headers {accept=[application/json, application/x-www-form-urlencoded]}
[2016-08-10 22:44:42.494] cloudfoundry-identity-server - ???? [http-nio-8080-exec-8] .... DEBUG --- UaaRequestMatcher: [oauthAuthorizeApiRequestMatcher] Checking match of request : '/uaa/oauth/authorize'; '/uaa/oauth/authorize' with parameters={response_type=code, client_id=} and headers {Authorization=[bearer ]}
[2016-08-10 22:44:42.494] cloudfoundry-identity-server - ???? [http-nio-8080-exec-8] .... DEBUG --- UaaRequestMatcher: [xOauthCallbackRequestMatcher] Checking match of request : '/uaa/oauth/authorize'; '/uaa/login/callback' with parameters={code=} and headers {}
[2016-08-10 22:44:42.495] cloudfoundry-identity-server - ???? [http-nio-8080-exec-8] .... DEBUG --- UaaRequestMatcher: [oauthAuthorizeRequestMatcherOld] Checking match of request : '/uaa/oauth/authorize'; '/uaa/oauth/authorize' with parameters={response_type=token, credentials={} and headers {accept=[application/json, application/x-www-form-urlencoded]}
[2016-08-10 22:44:42.495] cloudfoundry-identity-server - ???? [http-nio-8080-exec-8] .... DEBUG --- UaaRequestMatcher: [autologinAuthorizeRequestMatcher] Checking match of request : '/uaa/oauth/authorize'; '/uaa/oauth/authorize' with parameters={response_type=code, code=} and headers {}
[2016-08-10 22:44:42.495] cloudfoundry-identity-server - ???? [http-nio-8080-exec-8] .... DEBUG --- UaaRequestMatcher: [autologinRequestMatcher] Checking match of request : '/uaa/oauth/authorize'; '/uaa/autologin' with parameters={code=} and headers {}
[2016-08-10 22:44:42.499] cloudfoundry-identity-server - ???? [http-nio-8080-exec-8] .... DEBUG --- DisableIdTokenResponseTypeFilter: Processing id_token disable filter
[2016-08-10 22:44:42.499] cloudfoundry-identity-server - ???? [http-nio-8080-exec-8] .... DEBUG --- DisableIdTokenResponseTypeFilter: pre id_token disable:false pathinfo:null request_uri:/uaa/oauth/authorize response_type:code
[2016-08-10 22:44:42.499] cloudfoundry-identity-server - ???? [http-nio-8080-exec-8] .... DEBUG --- DisableIdTokenResponseTypeFilter: post id_token disable:false pathinfo:null request_uri:/uaa/oauth/authorize response_type:code
[2016-08-10 22:44:42.500] cloudfoundry-identity-server - ???? [http-nio-8080-exec-8] .... DEBUG --- SecurityFilterChainPostProcessor$HttpsEnforcementFilter: Filter chain 'uiSecurity' processing request GET /uaa/oauth/authorize
[2016-08-10 22:44:42.500] cloudfoundry-identity-server - ???? [http-nio-8080-exec-8] .... DEBUG --- SessionResetFilter: Evaluating user-id for session reset:a6350566-abd3-4cc5-89e5-5cd83a5f0d70
[2016-08-10 22:44:42.513] cloudfoundry-identity-server - ???? [http-nio-8080-exec-8] .... DEBUG --- UserManagedAuthzApprovalHandler: Looking up user approved authorizations for client_id=login and username=marissa
[2016-08-10 22:44:42.515] cloudfoundry-identity-server - ???? [http-nio-8080-exec-8] .... DEBUG --- JdbcApprovalStore: Filtering approvals with filter: [sql: (LOWER(user_id) = LOWER(:__wnq8ah_0) AND LOWER(client_id) = LOWER(:__wnq8ah_1)), params: {__wnq8ah_1=login, __wnq8ah_0=a6350566-abd3-4cc5-89e5-5cd83a5f0d70}]
[2016-08-10 22:44:42.516] cloudfoundry-identity-server - ???? [http-nio-8080-exec-8] .... DEBUG --- UserManagedAuthzApprovalHandler: Valid user approved/denied scopes are [openid, oauth.approvals]
[2016-08-10 22:44:42.518] cloudfoundry-identity-server - ???? [http-nio-8080-exec-8] .... DEBUG --- UaaTokenStore: [oauth_code] Removed 0 expired entries.
[2016-08-10 22:44:42.519] cloudfoundry-identity-server - ???? [http-nio-8080-exec-8] .... DEBUG --- UaaTokenStore: [oauth_code] Removed 0 old entries.
[2016-08-10 22:44:42.570] cloudfoundry-identity-server - ???? [http-nio-8080-exec-9] .... DEBUG --- UaaRequestMatcher: [loginAuthenticateRequestMatcher] Checking match of request : '/uaa/oauth/token'; '/uaa/authenticate' with parameters={} and headers {Authorization=[bearer ], accept=[application/json]}
[2016-08-10 22:44:42.570] cloudfoundry-identity-server - ???? [http-nio-8080-exec-9] .... DEBUG --- UaaRequestMatcher: [loginAuthorizeRequestMatcher] Checking match of request : '/uaa/oauth/token'; '/uaa/oauth/authorize' with parameters={source=login} and headers {accept=[application/json]}
[2016-08-10 22:44:42.571] cloudfoundry-identity-server - ???? [http-nio-8080-exec-9] .... DEBUG --- UaaRequestMatcher: [loginTokenRequestMatcher] Checking match of request : '/uaa/oauth/token'; '/uaa/oauth/token' with parameters={source=login, grant_type=password, add_new=} and headers {Authorization=[bearer ], accept=[application/json]}
[2016-08-10 22:44:42.571] cloudfoundry-identity-server - ???? [http-nio-8080-exec-9] .... DEBUG --- UaaRequestMatcher: [loginAuthorizeRequestMatcherOld] Checking match of request : '/uaa/oauth/token'; '/uaa/oauth/authorize' with parameters={login={} and headers {accept=[application/json]}
[2016-08-10 22:44:42.571] cloudfoundry-identity-server - ???? [http-nio-8080-exec-9] .... DEBUG --- UaaRequestMatcher: [passcodeTokenMatcher] Checking match of request : '/uaa/oauth/token'; '/uaa/oauth/token' with parameters={grant_type=password, passcode=} and headers {accept=[application/json, application/x-www-form-urlencoded]}
[2016-08-10 22:44:42.573] cloudfoundry-identity-server - ???? [http-nio-8080-exec-9] .... DEBUG --- DisableIdTokenResponseTypeFilter: Processing id_token disable filter
[2016-08-10 22:44:42.573] cloudfoundry-identity-server - ???? [http-nio-8080-exec-9] .... DEBUG --- DisableIdTokenResponseTypeFilter: pre id_token disable:false pathinfo:null request_uri:/uaa/oauth/token response_type:token
[2016-08-10 22:44:42.574] cloudfoundry-identity-server - ???? [http-nio-8080-exec-9] .... DEBUG --- DisableIdTokenResponseTypeFilter: post id_token disable:false pathinfo:null request_uri:/uaa/oauth/token response_type:token
[2016-08-10 22:44:42.574] cloudfoundry-identity-server - ???? [http-nio-8080-exec-9] .... DEBUG --- SecurityFilterChainPostProcessor$HttpsEnforcementFilter: Filter chain 'tokenEndpointSecurity' processing request POST /uaa/oauth/token
[2016-08-10 22:44:42.575] cloudfoundry-identity-server - ???? [http-nio-8080-exec-9] ....  INFO --- Audit: ClientAuthenticationSuccess ('Client authentication success'): principal=cfbrowser, origin=[remoteAddress=127.0.0.1, clientId=cfbrowser], identityZoneId=[uaa]
[2016-08-10 22:44:42.585] cloudfoundry-identity-server - ???? [http-nio-8080-exec-9] .... DEBUG --- UaaTokenStore: [oauth_code] Removed 0 expired entries.
[2016-08-10 22:44:42.586] cloudfoundry-identity-server - ???? [http-nio-8080-exec-9] .... DEBUG --- UaaTokenStore: [oauth_code] Removed 0 old entries.
[2016-08-10 22:44:42.589] cloudfoundry-identity-server - ???? [http-nio-8080-exec-9] ....  INFO --- TokenEndpoint: Handling error: InvalidClientException, Client ID mismatch

So the logs show no problem with the client ID.

Comparing the two clients:

$ uaac client get login
  scope: openid oauth.approvals
  client_id: login
  resource_ids: none
  authorized_grant_types: client_credentials authorization_code refresh_token
  autoapprove: true
  authorities: clients.read emails.write scim.userids password.write idps.write
      notifications.write oauth.login scim.write critical_notifications.write
  lastmodified: 1470892674539
$ uaac client get cfbrowser
  scope: cloud_controller.read password.write scim.userids cloud_controller.write
      openid scim.write scim.read uaa.user cloud_controller.admin
  client_id: cfbrowser
  resource_ids: none
  authorized_grant_types: authorization_code refresh_token
  redirect_uri: http://localhost:1223/oauth/code-grant
  autoapprove: 
  authorities: uaa.none
  name: cfbrowser
  lastmodified: 1470894239209

That doesn't tell me anything interesting.

The code:

if (clientId != null && !clientId.equals(unconfirmedAuthorizationRequest.getClientId())) {
    // just a sanity check.
    throw new InvalidClientException("Client ID mismatch");
}

So I cloned that project locally and tried to build it with mvn install, because I wanted to log what clientId and unconfirmedAuthorizationRequest.getClientId() were being compared, but I couldn't get it to build.

I feel I have exhausted most of what I can think of on my own. My questions are:

  1. Why am I getting this "Client ID mismatch"?
  2. Which Java source class and method produce this error and the log entry?
  3. What other steps should I take to debug this myself?
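The Java snippet quoted in the question compares the client that authenticated on the token request with the client_id recorded in the authorization request that issued the code. In the log above, the /oauth/authorize step records client_id=login (the UserManagedAuthzApprovalHandler line), while the failing /oauth/token request authenticates as cfbrowser; the ClientAuthenticationSuccess audit line shows the secret was accepted before the mismatch was thrown, so it is the code-to-client binding, not client authentication, that fails. That binding is what RFC 6749 section 4.1.3 requires: an authorization code can only be redeemed by the client it was issued to. The Python model below is an added example written for this page, not the question's code and not UAA's implementation; the in-memory store, the error strings other than "Client ID mismatch", the token format, and the replayed client names and scopes are assumptions constructed for illustration.

```python
import secrets
import time


class OAuthError(Exception):
    """An RFC 6749 token-endpoint error: the code and description sent back to the client."""

    def __init__(self, error, description):
        super().__init__(f"{error}: {description}")
        self.error = error
        self.description = description


class AuthorizationCodeStore:
    """Illustrative in-memory authorization-code grant (an assumption, not UAA's code).

    Each code remembers the client_id and redirect_uri of the authorize request
    that produced it, so the token endpoint can refuse to redeem it for any other
    client, which is the "sanity check" quoted in the question.
    """

    def __init__(self, ttl_seconds=300):
        self.ttl = ttl_seconds
        self._codes = {}  # code -> binding recorded at issue time

    def issue(self, client_id, redirect_uri, user, scope):
        """Called by the authorize step after the user approved the request for client_id."""
        code = secrets.token_urlsafe(6)
        self._codes[code] = {
            "client_id": client_id,
            "redirect_uri": redirect_uri,
            "user": user,
            "scope": scope,
            "expires": time.time() + self.ttl,
        }
        return code

    def exchange(self, code, authenticated_client_id, redirect_uri):
        """Called by the token endpoint after the client's own credentials were verified.

        authenticated_client_id is the client that presented client_id/client_secret
        on the token request; it must equal the client the code was issued to.
        """
        # Single use: the code is consumed whatever happens next, so a leaked or
        # guessed code cannot be retried against other clients or redirect URIs.
        entry = self._codes.pop(code, None)
        if entry is None or entry["expires"] < time.time():
            raise OAuthError("invalid_grant", "Invalid or expired authorization code")
        if entry["client_id"] != authenticated_client_id:
            raise OAuthError("invalid_client", "Client ID mismatch")
        if entry["redirect_uri"] != redirect_uri:
            raise OAuthError("invalid_grant", "Redirect URI mismatch")
        return {
            "access_token": secrets.token_hex(16),  # opaque token; format is assumed
            "token_type": "bearer",
            "expires_in": 43199,
            "scope": entry["scope"],
            "user": entry["user"],
        }


def outcome(fn):
    """Runs one exchange and returns ("ok", None) or the (error, description) it raised."""
    try:
        fn()
        return ("ok", None)
    except OAuthError as exc:
        return (exc.error, exc.description)


def run_scenario():
    """Replays the question's two exchanges plus two edge cases; all data is constructed."""
    redirect = "http://localhost:1223/oauth/code-grant"
    store = AuthorizationCodeStore()
    results = {}

    # Code issued while the authorize step was handling client_id=login, redeemed by login.
    code = store.issue("login", redirect, "marissa", "openid oauth.approvals")
    results["same_client"] = store.exchange(code, "login", redirect)["scope"]

    # Another code issued to login, redeemed by cfbrowser with its correct secret:
    # client authentication passes, the binding check does not.
    code = store.issue("login", redirect, "marissa", "openid oauth.approvals")
    results["other_client"] = outcome(lambda: store.exchange(code, "cfbrowser", redirect))

    # A code that cfbrowser obtained itself redeems normally, but only once.
    code = store.issue("cfbrowser", redirect, "marissa", "openid cloud_controller.read")
    results["own_code"] = store.exchange(code, "cfbrowser", redirect)["scope"]
    results["replay"] = outcome(lambda: store.exchange(code, "cfbrowser", redirect))

    # Right client, wrong redirect_uri.
    code = store.issue("cfbrowser", redirect, "marissa", "openid")
    results["bad_redirect"] = outcome(
        lambda: store.exchange(code, "cfbrowser", "http://localhost:1223/other"))
    return results


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(f"{name}: {result}")
```

The check order is deliberate: the code is removed from the store before any comparison, so a failed attempt cannot be retried, and the client binding is verified before the redirect_uri, so a client that did not obtain the code learns nothing about the redirect it was issued for. To redeem a code as cfbrowser, the authorize request that produced it has to be made with client_id=cfbrowser as well.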

2 Answers