我正在尝试配置能够完成基本OAuth2流程的OAuth2服务器（有关示例，请参阅此处）。

抱歉问了这么长的问题

我的第一个尝试是能够执行authorization_code流。

我有以下配置：

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class SecurityConfig
        extends WebSecurityConfigurerAdapter {

    ....

        @Inject
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
            auth
              .userDetailsService(userDetailsService)
              .passwordEncoder(passwordEncoder());
    }

...

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .formLogin().loginPage("/login").permitAll()
                .and()
                .requestMatchers().antMatchers("/login", "/oauth/authorize", "/oauth/confirm_access")
                .and()
                .authorizeRequests().anyRequest().authenticated();
    }

...

    @Override
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }
}

我的服务器配置

@Configuration
@EnableAuthorizationServer
public class OAuth2AuthorServerConfig
        extends AuthorizationServerConfigurerAdapter {

    @Inject
    private TokenStore tokenStore;

    @Inject
    @Qualifier("authenticationManagerBean")
    private AuthenticationManager authenticationManager;

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints
            .tokenStore(tokenStore)
            .authenticationManager(authenticationManager);
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
        security
            .allowFormAuthenticationForClients()
            .checkTokenAccess("authenticated()");
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        .inMemory()
                .withClient("foo")
                .secret("foo")
                .authorizedGrantTypes("authorization_code","password", "refresh_token")
                .scopes(new String[] { "read", "write" })
    }

确实我的授权代码流工作正常！当我尝试执行密码流时，问题开始了，如下所示：

POST localhost:8200/oauth/token
Content-Type: application/x-www-form-urlencoded
Accept:application/json
Authorization:Basic Zm9vOmZvbw=="
username=admin&password=admin&grant_type=password&scope=read%20write&client_secret=foo&client_id=foo&

我的问题是授权头被忽略了，不管它是否存在，结果都是一样的，它给我返回了access_token和refresh_token

如果我尝试按如下方式启用基本身份验证，请启用ClientUserDetailsService，从数据库JDBC读取客户端：

public class SecurityConfig
        extends WebSecurityConfigurerAdapter {

    ....

@Bean
public ClientDetailsUserDetailsService   clientDetailsUserDetailsService(ClientDetailsService clientDetailsService){
    // JDBC clientDetailsService
    return new ClientDetailsUserDetailsService(clientDetailsService);
}


        @Inject
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
            auth
              .userDetailsService(clientDetailsUserDetailsService());
    }

...

@Override
@Bean
public AuthenticationManager authenticationManagerBean() throws Exception {
    DaoAuthenticationProvider p = new DaoAuthenticationProvider();
    p.setUserDetailsService(userDetailsService);
    p.setPasswordEncoder(passwordEncoder());
    return new ProviderManager(Lists.newArrayList(p));
    //        return super.authenticationManagerBean();
    }

    }

现在我所取得的成就是有基本的身份验证工作正常，但我松了authorization_code流，因为基本的身份验证现在是针对clientid和秘密，而不是用户的实际凭据

我错过了什么吗？我怎么能同时拥有这两种流呢？请帮帮我，我已经挣扎了好几天了。

一些类似的问题，但没有任何运气：

• 在Spring Security OAuth2中注入自定义userDetailsService的问题
• 找不到Spring Boot OAuth 2.0用户详细信息用户