After an accessToken becomes invalid, the new accessToken obtained through POST /authserver/refresh is still invalid.
First, authenticate with POST /authserver/authenticate; this yields a valid accessToken, 65fdbac29c5a44e49bb1c6224ea2af86.
Request body:
{
  "username": "littleqiu@littleservice.cn",
  "password": "here_is_my_password",
  "requestUser": true,
  "agent": {
    "name": "Minecraft",
    "version": 1
  }
}
Response body:
{
  "accessToken": "65fdbac29c5a44e49bb1c6224ea2af86",
  "clientToken": "333f0496243e461d9010e2095e64bc9c",
  "availableProfiles": [
    {
      "id": "f702c5d39d5c457f80c691c664757092",
      "name": "Little_Qiu"
    }
  ],
  "user": {
    "id": "64f4796eeac0587f899dda4795600b3a",
    "properties": []
  },
  "selectedProfile": {
    "id": "f702c5d39d5c457f80c691c664757092",
    "name": "Little_Qiu"
  }
}
Yggdrasil API plugin log:
[2019-08-23 13:33:59] production.INFO: POST ["api/yggdrasil/authserver/authenticate"]
[2019-08-23 13:33:59] production.INFO: User [littleqiu@littleservice.cn] is try to authenticate with [{"requestUser":true,"agent":{"name":"Minecraft","version":1}}]
[2019-08-23 13:33:59] production.INFO: Serialized token stored to cache with expiry time 1296000 minutes {"keys":["TOKEN_65fdbac29c5a44e49bb1c6224ea2af86","ID_littleqiu@littleservice.cn"],"token":"[object] (Yggdrasil\\Models\\Token: {\"owner\":\"littleqiu@littleservice.cn\",\"profileId\":\"f702c5d39d5c457f80c691c664757092\",\"createdAt\":1566538439,\"clientToken\":\"333f0496243e461d9010e2095e64bc9c\",\"accessToken\":\"65fdbac29c5a44e49bb1c6224ea2af86\"})"}
[2019-08-23 13:33:59] production.INFO: New access token [65fdbac29c5a44e49bb1c6224ea2af86] generated for user [littleqiu@littleservice.cn]
[2019-08-23 13:33:59] production.INFO: User [littleqiu@littleservice.cn] authenticated successfully [{"availableProfiles":[{"id":"f702c5d39d5c457f80c691c664757092","name":"Little_Qiu"}]}]
Now query POST /authserver/validate to check whether 65fdbac29c5a44e49bb1c6224ea2af86 is valid; it returns 204 No Content (the accessToken is valid).
Request body:
{
  "accessToken": "65fdbac29c5a44e49bb1c6224ea2af86"
}
Yggdrasil API plugin log:
[2019-08-23 13:34:11] production.INFO: POST ["api/yggdrasil/authserver/validate"]
[2019-08-23 13:34:11] production.INFO: Check if an access token is valid {"clientToken":null,"accessToken":"65fdbac29c5a44e49bb1c6224ea2af86"}
After 65fdbac29c5a44e49bb1c6224ea2af86 has been temporarily invalidated, querying POST /authserver/validate again makes the server return 403 Forbidden with the error ForbiddenOperationException.
Request body:
{
  "accessToken": "65fdbac29c5a44e49bb1c6224ea2af86"
}
Response body:
{
  "error": "ForbiddenOperationException",
  "errorMessage": "提供的 AccessToken 无效"
}
Yggdrasil API plugin log:
[2019-08-23 13:35:00] production.INFO: POST ["api/yggdrasil/authserver/validate"]
[2019-08-23 13:35:00] production.INFO: Check if an access token is valid {"clientToken":null,"accessToken":"65fdbac29c5a44e49bb1c6224ea2af86"}
[2019-08-23 13:35:00] production.INFO: HTTP/1.1 403 ForbiddenOperationException {"message":"提供的 AccessToken 无效","cause":""}
Now use 65fdbac29c5a44e49bb1c6224ea2af86 to POST /authserver/refresh and refresh the accessToken; a new accessToken, c7bdbc17f7464bbe85ff3da722f4e650, is returned.
Request body:
{
  "accessToken": "65fdbac29c5a44e49bb1c6224ea2af86"
}
Response body:
{
  "accessToken": "c7bdbc17f7464bbe85ff3da722f4e650",
  "clientToken": "333f0496243e461d9010e2095e64bc9c",
  "availableProfiles": [
    {
      "id": "f702c5d39d5c457f80c691c664757092",
      "name": "Little_Qiu"
    }
  ],
  "selectedProfile": {
    "id": "f702c5d39d5c457f80c691c664757092",
    "name": "Little_Qiu"
  }
}
Yggdrasil API plugin log:
[2019-08-23 13:35:19] production.INFO: POST ["api/yggdrasil/authserver/refresh"]
[2019-08-23 13:35:19] production.INFO: Try to refresh access token [65fdbac29c5a44e49bb1c6224ea2af86] with client token []
[2019-08-23 13:35:19] production.INFO: The given access token is owned by user [littleqiu@littleservice.cn]
[2019-08-23 13:35:19] production.INFO: The old access token [65fdbac29c5a44e49bb1c6224ea2af86] is now revoked
[2019-08-23 13:35:19] production.INFO: New token [c7bdbc17f7464bbe85ff3da722f4e650] generated for user [littleqiu@littleservice.cn]
[2019-08-23 13:35:19] production.INFO: Serialized token stored to cache with expiry time 1296000 minutes {"keys":["TOKEN_c7bdbc17f7464bbe85ff3da722f4e650","ID_littleqiu@littleservice.cn"],"token":"[object] (Yggdrasil\\Models\\Token: {\"owner\":\"littleqiu@littleservice.cn\",\"profileId\":\"f702c5d39d5c457f80c691c664757092\",\"createdAt\":1566538439,\"clientToken\":\"333f0496243e461d9010e2095e64bc9c\",\"accessToken\":\"c7bdbc17f7464bbe85ff3da722f4e650\"})"}
[2019-08-23 13:35:19] production.INFO: Access token refreshed [65fdbac29c5a44e49bb1c6224ea2af86] => [c7bdbc17f7464bbe85ff3da722f4e650]
Now POST /authserver/validate to check whether c7bdbc17f7464bbe85ff3da722f4e650 is valid; it still returns 403 Forbidden with the error ForbiddenOperationException.
Request body:
{
  "accessToken": "c7bdbc17f7464bbe85ff3da722f4e650"
}
Response body:
{
  "error": "ForbiddenOperationException",
  "errorMessage": "提供的 AccessToken 无效"
}
Yggdrasil API plugin log:
[2019-08-23 13:35:34] production.INFO: POST ["api/yggdrasil/authserver/validate"]
[2019-08-23 13:35:34] production.INFO: Check if an access token is valid {"clientToken":null,"accessToken":"c7bdbc17f7464bbe85ff3da722f4e650"}
[2019-08-23 13:35:34] production.INFO: HTTP/1.1 403 ForbiddenOperationException {"message":"提供的 AccessToken 无效","cause":""}
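The plugin's log lines quoted in the report are enough to reconstruct each accessToken's lifecycle, and one detail in them is worth checking: the token cached after /authserver/refresh (c7bdbc17f7464bbe85ff3da722f4e650) is stored with the same createdAt (1566538439) as the original token it replaced. The script below is an added example, not code from the bug report or from the Yggdrasil API plugin. It parses the log excerpt above (copied verbatim from the report, not constructed), tracks when each token was generated, cached, revoked, refreshed and rejected, and flags any token that /authserver/refresh minted and /authserver/validate then rejected, noting whether it inherited its predecessor's createdAt. The line formats it matches are taken from the excerpt; other lines the plugin may emit are ignored.

```python
import json
import re

# Log excerpt copied verbatim from the bug report above (a raw string, so the
# plugin's JSON escaping such as \\Models\\Token and \"owner\" survives intact).
LOG = r"""
[2019-08-23 13:33:59] production.INFO: POST ["api/yggdrasil/authserver/authenticate"]
[2019-08-23 13:33:59] production.INFO: User [littleqiu@littleservice.cn] is try to authenticate with [{"requestUser":true,"agent":{"name":"Minecraft","version":1}}]
[2019-08-23 13:33:59] production.INFO: Serialized token stored to cache with expiry time 1296000 minutes {"keys":["TOKEN_65fdbac29c5a44e49bb1c6224ea2af86","ID_littleqiu@littleservice.cn"],"token":"[object] (Yggdrasil\\Models\\Token: {\"owner\":\"littleqiu@littleservice.cn\",\"profileId\":\"f702c5d39d5c457f80c691c664757092\",\"createdAt\":1566538439,\"clientToken\":\"333f0496243e461d9010e2095e64bc9c\",\"accessToken\":\"65fdbac29c5a44e49bb1c6224ea2af86\"})"}
[2019-08-23 13:33:59] production.INFO: New access token [65fdbac29c5a44e49bb1c6224ea2af86] generated for user [littleqiu@littleservice.cn]
[2019-08-23 13:33:59] production.INFO: User [littleqiu@littleservice.cn] authenticated successfully [{"availableProfiles":[{"id":"f702c5d39d5c457f80c691c664757092","name":"Little_Qiu"}]}]
[2019-08-23 13:34:11] production.INFO: POST ["api/yggdrasil/authserver/validate"]
[2019-08-23 13:34:11] production.INFO: Check if an access token is valid {"clientToken":null,"accessToken":"65fdbac29c5a44e49bb1c6224ea2af86"}
[2019-08-23 13:35:00] production.INFO: POST ["api/yggdrasil/authserver/validate"]
[2019-08-23 13:35:00] production.INFO: Check if an access token is valid {"clientToken":null,"accessToken":"65fdbac29c5a44e49bb1c6224ea2af86"}
[2019-08-23 13:35:00] production.INFO: HTTP/1.1 403 ForbiddenOperationException {"message":"提供的 AccessToken 无效","cause":""}
[2019-08-23 13:35:19] production.INFO: POST ["api/yggdrasil/authserver/refresh"]
[2019-08-23 13:35:19] production.INFO: Try to refresh access token [65fdbac29c5a44e49bb1c6224ea2af86] with client token []
[2019-08-23 13:35:19] production.INFO: The given access token is owned by user [littleqiu@littleservice.cn]
[2019-08-23 13:35:19] production.INFO: The old access token [65fdbac29c5a44e49bb1c6224ea2af86] is now revoked
[2019-08-23 13:35:19] production.INFO: New token [c7bdbc17f7464bbe85ff3da722f4e650] generated for user [littleqiu@littleservice.cn]
[2019-08-23 13:35:19] production.INFO: Serialized token stored to cache with expiry time 1296000 minutes {"keys":["TOKEN_c7bdbc17f7464bbe85ff3da722f4e650","ID_littleqiu@littleservice.cn"],"token":"[object] (Yggdrasil\\Models\\Token: {\"owner\":\"littleqiu@littleservice.cn\",\"profileId\":\"f702c5d39d5c457f80c691c664757092\",\"createdAt\":1566538439,\"clientToken\":\"333f0496243e461d9010e2095e64bc9c\",\"accessToken\":\"c7bdbc17f7464bbe85ff3da722f4e650\"})"}
[2019-08-23 13:35:19] production.INFO: Access token refreshed [65fdbac29c5a44e49bb1c6224ea2af86] => [c7bdbc17f7464bbe85ff3da722f4e650]
[2019-08-23 13:35:34] production.INFO: POST ["api/yggdrasil/authserver/validate"]
[2019-08-23 13:35:34] production.INFO: Check if an access token is valid {"clientToken":null,"accessToken":"c7bdbc17f7464bbe85ff3da722f4e650"}
[2019-08-23 13:35:34] production.INFO: HTTP/1.1 403 ForbiddenOperationException {"message":"提供的 AccessToken 无效","cause":""}
"""

# Line shapes as they appear in the excerpt above.
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] \w+\.\w+: (?P<msg>.*)$')
REQUEST_RE = re.compile(r'^(?:GET|POST) \[')
GENERATED_RE = re.compile(r'^New (?:access )?token \[(?P<token>\w+)\] generated for user \[(?P<user>[^\]]+)\]')
STORED_RE = re.compile(r'^Serialized token stored to cache with expiry time (?P<expiry>\d+) minutes (?P<json>\{.*\})$')
REVOKED_RE = re.compile(r'^The old access token \[(?P<token>\w+)\] is now revoked')
REFRESHED_RE = re.compile(r'^Access token refreshed \[(?P<old>\w+)\] => \[(?P<new>\w+)\]')
CHECK_RE = re.compile(r'^Check if an access token is valid (?P<json>\{.*\})$')
HTTP_RE = re.compile(r'^HTTP/1\.1 (?P<status>\d{3}) (?P<error>\w+)')


def _entry(tokens, token):
    # Lifecycle record for one accessToken, created on first sight.
    return tokens.setdefault(token, {
        'user': None, 'generated': None, 'created_at': None, 'expiry_minutes': None,
        'revoked': None, 'refreshed_from': None,
        'rejected': [],  # timestamps of 403 answers to /validate for this token
    })


def analyse(log_text):
    """Return {accessToken: lifecycle dict} built from the plugin's log lines."""
    tokens = {}
    last_checked = None  # token named by the most recent /validate request
    for raw in log_text.splitlines():
        line = LINE_RE.match(raw.strip())
        if not line:
            continue
        ts, msg = line['ts'], line['msg']
        if REQUEST_RE.match(msg):
            last_checked = None  # a new request starts; drop stale context
        elif (m := GENERATED_RE.match(msg)):
            e = _entry(tokens, m['token'])
            e['user'], e['generated'] = m['user'], ts
        elif (m := STORED_RE.match(msg)):
            # The cached object is a JSON string "[object] (...Token: {...})": unwrap both layers.
            blob = json.loads(m['json'])['token']
            inner = json.loads(re.search(r'\{.*\}', blob).group(0))
            e = _entry(tokens, inner['accessToken'])
            e['created_at'], e['expiry_minutes'] = inner['createdAt'], int(m['expiry'])
        elif (m := REVOKED_RE.match(msg)):
            _entry(tokens, m['token'])['revoked'] = ts
        elif (m := REFRESHED_RE.match(msg)):
            _entry(tokens, m['new'])['refreshed_from'] = m['old']
        elif (m := CHECK_RE.match(msg)):
            last_checked = json.loads(m['json'])['accessToken']
        elif (m := HTTP_RE.match(msg)) and m['status'] == '403' and last_checked:
            # The 403 line does not name the token; attribute it to the preceding "Check" line.
            _entry(tokens, last_checked)['rejected'].append(ts)
    return tokens


def suspicious_refreshes(tokens):
    """Tokens that /refresh minted and /validate nevertheless rejected."""
    findings = []
    for token, e in tokens.items():
        if e['refreshed_from'] and e['rejected']:
            old = tokens.get(e['refreshed_from'], {})
            findings.append({
                'token': token,
                'refreshed_from': e['refreshed_from'],
                'rejected_at': e['rejected'][0],
                'created_at': e['created_at'],
                # A refreshed token keeping its predecessor's createdAt matters if validity derives from it.
                'inherits_created_at': (e['created_at'] is not None
                                        and e['created_at'] == old.get('created_at')),
            })
    return findings
```

Calling suspicious_refreshes(analyse(LOG)) on the excerpt returns a single finding for c7bdbc17f7464bbe85ff3da722f4e650, refreshed from 65fdbac29c5a44e49bb1c6224ea2af86 and rejected at 13:35:34, with inherits_created_at set; to run it over a real plugin log, pass the file contents to analyse() in place of LOG. The 403 attribution rests on the "Check if an access token is valid" line that precedes it, because the plugin's HTTP status line does not repeat the token.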