错误处理： oauth2 client访问oauth2 server 的user info 端点, 返回401 invalid_user_info_response

oauth2 client访问oauth2 server 的user info 端点； 返回401 invalid_user_info_response

日志是： invalid_user_info_response] An error occurred while attempting to retrieve the UserInfo Resource: 401 null]
onAuthenticationFailure request = [org.springframework.security.web.header.HeaderWriterFilter$HeaderWriterRequest@50eeb3fd], response = [org.springframework.security.web.header.HeaderWriterFilter$HeaderWriterResponse@5e294790], exception = [org.springframework.security.oauth2.core.OAuth2AuthenticationException: [invalid_user_info_response] An error occurred while attempting to retrieve the UserInfo Resource: 401 null]

通过抓包，发现，Cannot convert access token to JSON

具体是

请求：
GET http://192.168.1.103:8081/auth/user/me HTTP/1.1
Accept: application/json
Authorization: Bearer 036685d2-ed5a-48c7-a5c7-a135a9e49468
User-Agent: Java/1.8.0_231
Host: 192.168.1.103:8081
Connection: keep-alive

响应：
HTTP/1.1 401
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: *
Access-Control-Max-Age: 3600
Access-Control-Allow-Headers: x-requested-with, authorization
Pragma: no-cache
WWW-Authenticate: Bearer realm="oauth2-resource", error="invalid_token", error_description="Cannot convert access token to JSON"
Cache-Control: no-store
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
Content-Type: application/json;charset=UTF-8
Date: Wed, 13 Jul 2022 08:02:17 GMT
Content-Length: 83

{"error":"invalid_token","error_description":"Cannot convert access token to JSON"}

测试发现就是，如果把 自己注册的TokenStore 去掉就好了，为什么呢？

@Bean  
public TokenStore tokenStore(JwtAccessTokenConverter jwtAccessTokenConverter) {
    return new JwtTokenStore(jwtAccessTokenConverter);
}

调试半天，终于发现：

@Configuration
public class ResourceServerConfiguration extends WebSecurityConfigurerAdapter implements Ordered {

    private int order = 3;

    @Autowired(required = false)
    private TokenStore tokenStore;

    @Autowired(required = false)
    private AuthenticationEventPublisher eventPublisher;

    @Autowired(required = false)
    private Map<String, ResourceServerTokenServices> tokenServices;

    @Autowired
    private ApplicationContext context;

    private List<ResourceServerConfigurer> configurers = Collections.emptyList();

    @Autowired(required = false)
    private AuthorizationServerEndpointsConfiguration endpoints;
    
    ...
}

原来是 ResourceServerConfiguration里面有@Autowired，把我创建的JwtTokenStore注册进去了，但是呢

调试发现其实有多个 DefaultTokenServices实例， 有的是使用InMemoryTokenStore（测试发现是 AuthorizationServer）， ResourceServer使用的是JwtTokenStore

这样就出问题了，AuthorizationServer 返回的是普通的access_token：
{"access_token":"036685d2-ed5a-48c7-a5c7-a135a9e49468","token_type":"bearer","expires_in":42363,"scope":"user_info"}

然后oauth2 client 使用它访问oauth2 server 的user info 端点， 然后ResourceServer使用JwtTokenStore 来解析它，尝试从其中获取 用户信息，结果就自然解析不了，报错了！

注意：
AuthorizationServerEndpointsConfigurer、 ResourceServerSecurityConfigurer 各有各自的 tokenStore，两者最好是相同。

解决方法是，在配置自定义的AuthorizationServerConfigurerAdapter的时候，给endpoints的tokenStore也设置为相同jwtTokenStore, 这样就不会有转换问题了

public class AuthServerConfig extends AuthorizationServerConfigurerAdapter {
    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints
                .accessTokenConverter(jwtAccessTokenConverter)
                .tokenStore(jwtTokenStore) 
        ;
        super.configure(endpoints);
    }
    ...

更正

测试发现，仅仅配置.tokenStore(jwtTokenStore) 是不行的，其实只需要配置 accessTokenConverter 为jwtAccessTokenConverter即可；也就是：

public class AuthServerConfig extends AuthorizationServerConfigurerAdapter {
    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints
                .accessTokenConverter(jwtAccessTokenConverter) 
        ;
        super.configure(endpoints);
    }
    ...

why，因为accessTokenConverter 才是真正复杂发放 accessToken 的地方， 而且注意AuthorizationServerEndpointsConfigurer的tokenStore()
tokenStore() 其实会尝试根据accessTokenConverter生成tokenStore， 如果JwtAccessTokenConverter则生成JwtTokenStore

	private TokenStore tokenStore() {
		if (tokenStore == null) {
			if (accessTokenConverter() instanceof JwtAccessTokenConverter) {
				this.tokenStore = new JwtTokenStore((JwtAccessTokenConverter) accessTokenConverter());
			}
			else {
				this.tokenStore = new InMemoryTokenStore();
			}
		}
		return this.tokenStore;
	}

然后就可以看到oauth/token端点返回正确的jwt格式的token了！

请求：
POST http://192.168.1.103:8081/auth/oauth/token HTTP/1.1
Accept: application/json;charset=UTF-8
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Authorization: Basic UjJkcHhRM3ZQcnRmZ0Y3MjpmRHc3TXBrazVjekhOdVNSdG1oR21BR0w0MkNheFFCOQ==
User-Agent: Java/1.8.0_231
Host: 192.168.1.103:8081
Connection: keep-alive
Content-Length: 98

grant_type=authorization_code&code=3Xfg5J&redirect_uri=http%3A%2F%2F192.168.1.103%3A8082%2FdoLogin

响应： 
{"access_token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2NTc3NDI5OTcsInVzZXJfbmFtZSI6ImEiLCJhdXRob3JpdGllcyI6WyJST0xFX1VTRVIiXSwianRpIjoiODNjNzNkYWEtMWM2OC00NTBmLWI0MDEtZWU3YjRhZWQ5ZDMyIiwiY2xpZW50X2lkIjoiUjJkcHhRM3ZQcnRmZ0Y3MiIsInNjb3BlIjpbInVzZXJfaW5mbyJdfQ.mq1tHm4DMOgIgIvQd1JcoKhqDPR79cxOLV9g3sKnv8U","token_type":"bearer","expires_in":43152,"scope":"user_info","jti":"83c73daa-1c68-450f-b401-ee7b4aed9d32"}