Authorization server does not validate the registered client credentials

Time: 2018-08-09 02:04:58

Tags: jhipster jhipster-registry

I am using JHipster to create a project for testing microservices; for this I created a UAA (OAuth2), a gateway and a microservice. To test authentication, I sent a request from Postman to http://localhost:8080/auth/login, passing the username/password, the CSRF token and the "Basic Authentication" data in the Authorization header. The system authenticates with the username and password and returns a token, but the username and password entered in Basic Authentication do not seem to have any effect, because whether I put anything there or not, the system authenticates and returns the token. I would like to know how to configure the UAA so that it also validates the username and password given in the Authorization header?

The curl command generated by Postman for the authentication request:

curl -X POST \
  http://localhost:8080/auth/login \
  -H 'Authorization: Basic d2ViX2FwcDM6Y2hhbmdlaXQ=' \
  -H 'Cache-Control: no-cache' \
  -H 'Content-Type: application/json' \
  -H 'Postman-Token: 1be3edc2-f13e-4a5c-87aa-f5f8aa5fd254' \
  -H 'X-XSRF-TOKEN: 6d194295-32ae-4bc7-803f-da5cd9d1f595' \
  -d '{
    "username":"admin",
    "password":"admin"
}'

The excerpt of the UaaConfiguration class where configure(ClientDetailsServiceConfigurer) is defined is as follows:

import org.springframework.context.ApplicationContextAware;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;

@Configuration
@EnableAuthorizationServer
public class UaaConfiguration extends AuthorizationServerConfigurerAdapter implements ApplicationContextAware {
// ....
// uaaProperties, jHipsterProperties, passwordEncoder and MIN_ACCESS_TOKEN_VALIDITY_SECS
// are declared in the elided part of the class.
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        int accessTokenValidity = uaaProperties.getWebClientConfiguration().getAccessTokenValidityInSeconds();
        accessTokenValidity = Math.max(accessTokenValidity, MIN_ACCESS_TOKEN_VALIDITY_SECS);
        int refreshTokenValidity = uaaProperties.getWebClientConfiguration().getRefreshTokenValidityInSecondsForRememberMe();
        refreshTokenValidity = Math.max(refreshTokenValidity, accessTokenValidity);
        /*
        For a better client design, this should be done by a ClientDetailsService (similar to UserDetailsService).
         */
        // Two clients are registered in memory: the web_app client (password grant, "openid" scope)
        // and the inter-service client (client_credentials grant, "web-app" scope).
        clients.inMemory()
            .withClient(uaaProperties.getWebClientConfiguration().getClientId())
            .secret(passwordEncoder.encode(uaaProperties.getWebClientConfiguration().getSecret()))
            .scopes("openid")
            .autoApprove(true)
            .authorizedGrantTypes("implicit","refresh_token", "password", "authorization_code")
            .accessTokenValiditySeconds(accessTokenValidity)
            .refreshTokenValiditySeconds(refreshTokenValidity)
            .and()
            .withClient(jHipsterProperties.getSecurity().getClientAuthorization().getClientId())
            .secret(passwordEncoder.encode(jHipsterProperties.getSecurity().getClientAuthorization().getClientSecret()))
            .scopes("web-app")
            .autoApprove(true)
            .authorizedGrantTypes("client_credentials")
            .accessTokenValiditySeconds((int) jHipsterProperties.getSecurity().getAuthentication().getJwt().getTokenValidityInSeconds())
            .refreshTokenValiditySeconds((int) jHipsterProperties.getSecurity().getAuthentication().getJwt().getTokenValidityInSecondsForRememberMe());
    }
// ....
}

In application-dev, the end of the file looks like this (it seems to be configuring the default client, but when I change it the token result does not change):

uaa:
    key-store:
        name: keystore.jks
        password: password
        alias: selfsigned
    web-client-configuration:
        # Access Token is valid for 5 mins
        access-token-validity-in-seconds: 300
        # Refresh Token is valid for 7 days
        refresh-token-validity-in-seconds-for-remember-me: 604800
        client-id: web_app
        secret: changeit

What is strange is that when I inspect the token information, it shows client_id = web_app:

{
  "user_name": "admin",
  "scope": [
    "openid"
  ],
  "exp": 1533775148,
  "iat": 1533774848,
  "authorities": [
    "ROLE_ADMIN",
    "ROLE_USER"
  ],
  "jti": "9dba460c-e66e-4a1d-8085-dfdbff055b56",
  "client_id": "web_app"
}
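As an added check that is not part of the question or of JHipster, the script below decodes the Basic credential in the curl command and compares it with the client_id and lifetime recorded in the token; on the data above it shows that the token was issued to the registered web_app client (with its configured 300-second validity) rather than to the web_app3 credential that was actually presented. The inputs are constructed from the question; the registration table is an assumption built from the configuration shown.

```python
import base64
import json
import re

# Constructed inputs copied from the question: the curl command Postman
# generated and the introspected token. Nothing is fetched from a live UAA.
CURL_COMMAND = r"""curl -X POST \
  http://localhost:8080/auth/login \
  -H 'Authorization: Basic d2ViX2FwcDM6Y2hhbmdlaXQ=' \
  -H 'Content-Type: application/json' \
  -d '{"username":"admin","password":"admin"}'"""

TOKEN_INFO = json.loads("""{
  "user_name": "admin", "scope": ["openid"],
  "exp": 1533775148, "iat": 1533774848,
  "authorities": ["ROLE_ADMIN", "ROLE_USER"],
  "jti": "9dba460c-e66e-4a1d-8085-dfdbff055b56", "client_id": "web_app"
}""")

# Assumed registration table, derived from configure(ClientDetailsServiceConfigurer)
# and application-dev.yml in the question (access token validity in seconds).
REGISTERED_CLIENTS = {
    "web_app": {"access_token_validity": 300,
                "grants": {"implicit", "refresh_token", "password", "authorization_code"}},
}

def presented_client(curl_text):
    """Return (client_id, secret) decoded from the Basic Authorization header, or None."""
    m = re.search(r"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", curl_text)
    if not m:
        return None
    client_id, _, secret = base64.b64decode(m.group(1)).decode().partition(":")
    return client_id, secret

def audit_token(curl_text, token_info, registered):
    """Report whether the token was issued to the client credential that was presented."""
    presented = presented_client(curl_text)
    issued_to = token_info["client_id"]
    findings = []
    if presented is None:
        findings.append("no Basic client credential presented")
    elif presented[0] != issued_to:
        findings.append(f"presented client '{presented[0]}' but token issued to '{issued_to}'")
    if presented and presented[0] not in registered:
        findings.append(f"presented client '{presented[0]}' is not registered at the UAA")
    lifetime = token_info["exp"] - token_info["iat"]  # seconds the access token is valid
    expected = registered.get(issued_to, {}).get("access_token_validity")
    if expected is not None and lifetime != expected:
        findings.append(f"lifetime {lifetime}s does not match {issued_to}'s configured {expected}s")
    return {"presented_client": presented[0] if presented else None,
            "issued_to": issued_to, "lifetime": lifetime, "findings": findings}
```

A mismatch between the presented client and the token's client_id means the endpoint that minted the token used some other client credential than the one in the request's Authorization header, which is the symptom the question describes.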

0 answers:
