diff --git a/doc/WPS365授权错误排查指南.md b/doc/WPS365授权错误排查指南.md
index d0309e0..19fe988 100644
--- a/doc/WPS365授权错误排查指南.md
+++ b/doc/WPS365授权错误排查指南.md
@@ -1,6 +1,8 @@
 # WPS365 授权错误排查指南
 
-## 错误信息
+## 常见错误类型
+
+### 1. invalid_request (40000001) - redirect_uri不匹配
 
 ```json
 {
@@ -12,14 +14,31 @@
 }
 ```
 
-## 错误含义
+**错误含义**:redirect_uri参数值与WPS365平台配置的回调地址不一致
 
-这个错误可能由以下原因导致:
+### 2. invalid_scope (40000005) - scope权限无效 ⚠️
+
+```json
+{
+ "code": 40000005,
+ "msg": "invalid_scope",
+ "debug": {
+ "desc": "The requested scope is invalid, unknown, or malformed. The OAuth 2.0 Client is not allowed to request scope 'file.read,ksheet.read,user.info'."
+ }
+}
+```
+
+**错误含义**:请求的scope权限格式不正确,或者应用未申请这些权限
+
+## 错误含义总览
+
+授权错误可能由以下原因导致:
 
 1. **缺少必需参数** - 授权请求中缺少某个必需的参数
 2. **参数值无效** - 某个参数的值格式不正确
 3. **参数重复** - 某个参数在请求中出现了多次
 4. **redirect_uri不匹配** - redirect_uri参数值与WPS365平台配置的回调地址不一致
+5. **scope无效** - scope权限格式不正确或未申请
 
 ## 排查步骤
 
diff --git a/ruoyi-admin/src/main/resources/application.yml b/ruoyi-admin/src/main/resources/application.yml
index d868130..6cacffa 100644
--- a/ruoyi-admin/src/main/resources/application.yml
+++ b/ruoyi-admin/src/main/resources/application.yml
@@ -27,3 +27,11 @@ wps365:
 token-url: https://openapi.wps.cn/oauth2/token
 # 刷新Token地址
 refresh-token-url: https://openapi.wps.cn/oauth2/token
+ # OAuth授权请求的scope权限(可选)
+ # 如果不配置,默认使用空格分隔的格式:file.read ksheet.read user.info
+ # 如果报错invalid_scope,请检查WPS365平台后台显示的scope格式,常见格式:
+ # 1. 空格分隔:file.read ksheet.read user.info
+ # 2. 逗号分隔:file.read,ksheet.read,user.info
+ # 3. 冒号格式:file:read ksheet:read user:info
+ # 请根据WPS365平台后台"权限管理"中显示的scope格式进行配置
+ # scope: file.read ksheet.read user.info
diff --git a/ruoyi-system/src/main/java/com/ruoyi/jarvis/config/WPS365Config.java b/ruoyi-system/src/main/java/com/ruoyi/jarvis/config/WPS365Config.java
index cc5d7eb..06eb4e0 100644
--- a/ruoyi-system/src/main/java/com/ruoyi/jarvis/config/WPS365Config.java
+++ b/ruoyi-system/src/main/java/com/ruoyi/jarvis/config/WPS365Config.java
@@ -41,6 +41,9 @@ public class WPS365Config { /** 刷新Token地址 */ private String refreshTokenUrl = "https://openapi.wps.cn/oauth2/token"; + /** OAuth授权请求的scope权限(可选,如果不配置则使用默认值) */ + private String scope; + /** * 配置初始化后验证 */ @@ -117,5 +120,13 @@ public class WPS365Config { public void setRefreshTokenUrl(String refreshTokenUrl) { this.refreshTokenUrl = refreshTokenUrl; } + + public String getScope() { + return scope; + } + + public void setScope(String scope) { + this.scope = scope; + } } diff --git a/ruoyi-system/src/main/java/com/ruoyi/jarvis/service/impl/WPS365OAuthServiceImpl.java b/ruoyi-system/src/main/java/com/ruoyi/jarvis/service/impl/WPS365OAuthServiceImpl.java index e151f8b..ad85f2c 100644 --- a/ruoyi-system/src/main/java/com/ruoyi/jarvis/service/impl/WPS365OAuthServiceImpl.java +++ b/ruoyi-system/src/main/java/com/ruoyi/jarvis/service/impl/WPS365OAuthServiceImpl.java 
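Review bot: The new `scope` field in the first hunk has no initializer, although its Javadoc promises a default and the neighbouring `refreshTokenUrl` keeps its default on the field. The fallback value actually lives in `WPS365OAuthServiceImpl`, so the set of permissions the application requests by default cannot be audited from the configuration class. Either initialise it here, `private String scope = "file.read ksheet.read user.info";`, or reword the Javadoc to say that the caller supplies the default when the property is unset. The validation method that follows the field is cut off by the hunk, so whether it checks `scope` cannot be seen from here.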
@@ -92,9 +92,29 @@ public class WPS365OAuthServiceImpl implements IWPS365OAuthService {
 log.debug("授权URL参数 - response_type: code");
 
 // scope参数(必需,根据WPS365文档)
- String scope = "file.read,ksheet.read,user.info";
- authUrl.append("&scope=").append(scope);
- log.debug("授权URL参数 - scope: {}", scope);
+ // 优先使用配置文件中指定的scope,如果没有配置则使用默认值
+ // 注意:WPS365的scope格式可能是空格分隔,而不是逗号分隔
+ String scope = wps365Config.getScope();
+ if (scope == null || scope.trim().isEmpty()) {
+ // 默认scope,如果报错invalid_scope,请检查WPS365平台支持的scope格式
+ // 常见格式:
+ // 1. 逗号分隔:file.read,ksheet.read,user.info
+ // 2. 空格分隔:file.read ksheet.read user.info
+ // 3. 冒号格式:file:read ksheet:read user:info
+ // 请根据WPS365平台后台显示的scope格式进行配置
+ scope = "file.read ksheet.read user.info"; // 尝试空格分隔
+ }
+ scope = scope.trim();
+
+ // URL编码scope参数
+ try {
+ String encodedScope = java.net.URLEncoder.encode(scope, "UTF-8");
+ authUrl.append("&scope=").append(encodedScope);
+ log.debug("授权URL参数 - scope: {} (编码后: {})", scope, encodedScope);
+ } catch (java.io.UnsupportedEncodingException e) {
+ log.error("Scope URL编码失败", e);
+ authUrl.append("&scope=").append(scope);
+ }
 
 // state参数(推荐,用于防止CSRF攻击)
 if (state == null || state.trim().isEmpty()) {
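Review bot: The `catch (java.io.UnsupportedEncodingException e)` branch falls back to `authUrl.append("&scope=").append(scope)`, which writes the raw configured string into the authorization URL; a value containing a space, `&` or `#` would then yield a malformed URL or extra query parameters. UTF-8 is always available on the JVM, so the branch is effectively unreachable, but it should fail closed instead of degrading: `throw new IllegalStateException("UTF-8 not supported", e);`. The hard-coded fallback `"file.read ksheet.read user.info"` also requests three permissions for any deployment that leaves `scope` unset, so the comment above it should tell operators to configure only the scopes the integration needs. The enclosing method begins and ends outside this hunk.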