My problem in a very brief description is that I can't send the client-id I've configured from a web client.
In Details:
I've created a simple spring boot oauth2 server. The server works perfectly as expected, I request a token by sending user credentials and I receive a token by sending a post request using postman as:
trusted-app@localhost:8080/oauth/token
Notice I'm sending the client trusted-app
id as part of the url!
A successful response:
{
"access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOlsib2F1dGgyX2FwcGxpY2F0aW9uIl0sInVzZXJfbmFtZSI6ImFkbWluIiwic2NvcGUiOlsicmVhZCIsIndyaXRlIiwidXNlcl9pbmZvIl0sImV4cCI6MTUzMDA5Njg5OSwiYXV0aG9yaXRpZXMiOlsiUk9MRV9SRUdJU1RFUiIsIlJPTEVfQURNSU4iXSwianRpIjoiZTZjMjdlYmItN2ZkNC00MzU2LWFmYzgtNmQ5NTk4M2YwMWE0IiwiY2xpZW50X2lkIjoiQ2xpZW50SWQifQ.Xsi-9J7R5oeiaa29VAYgtLYFB971VMRLKAwpTYz0gNI",
"token_type": "bearer",
"refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOlsib2F1dGgyX2FwcGxpY2F0aW9uIl0sInVzZXJfbmFtZSI6ImFkbWluIiwic2NvcGUiOlsicmVhZCIsIndyaXRlIiwidXNlcl9pbmZvIl0sImF0aSI6ImU2YzI3ZWJiLTdmZDQtNDM1Ni1hZmM4LTZkOTU5ODNmMDFhNCIsImV4cCI6MTUzMjY0NTY5OSwiYXV0aG9yaXRpZXMiOlsiUk9MRV9SRUdJU1RFUiIsIlJPTEVfQURNSU4iXSwianRpIjoiNzI5ZDViMDctN2E0Yy00MmEyLWEzYTQtMTk2MTY0YWU2YmNmIiwiY2xpZW50X2lkIjoiQ2xpZW50SWQifQ.QgNg7LwYs8M4UuBW1ntkqHPGugqFIbHG8XQUPARWq3M",
"expires_in": 43199,
"scope": "read write user_info",
"jti": "e6c27ebb-7fd4-4356-afc8-6d95983f01a4"
}
My problem is sending the same request from a javascript code, using any javascript client library, JQuery/Axios or anything, I always get an error:
{
"timestamp": 1530058939432,
"status": 401,
"error": "Unauthorized",
"message": "Full authentication is required to access this resource",
"path": "/oauth/token"
}
clientId:trusted-app
, but this didn't work for me, not as a query parameter, not as a header, and not as a form parameter.And now I'm totally confused, isn't it allowed to send client id in the url from a web client ? Is there a way where I can configure spring security to read the clientId from a header, query, or form parameter ?
Here are the
AuthorizationServerConfigurerAdapter:
@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {
@Value("${security.oauth2.resource.id}")
private String resourceId;
@Value("${access_token.validity_period}")
private int accessTokenValiditySeconds;
@Value("${refresh_token.validity_period}")
private int refreshTokenValiditySeconds;
@Autowired
private AuthenticationManager authenticationManager;
@Autowired
private SecretKeyProvider keyProvider;
@Bean
public UserDetailsService userDetailsService() {
return new AccountServiceImpl();
}
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
endpoints
.authenticationManager(authenticationManager)
.tokenServices(tokenServices())
.tokenStore(tokenStore())
.accessTokenConverter(accessTokenConverter());
}
@Override
public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
oauthServer.tokenKeyAccess("permitAll()")
.checkTokenAccess("isAuthenticated()");
}
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients.inMemory()
.withClient("trusted-app")
.authorizedGrantTypes("authorization_code", "implicit", "client_credentials", "password", "refresh_token")
.authorities("ROLE_TRUSTED_CLIENT")
.scopes("read", "write", "user_info")
.resourceIds(resourceId)
.accessTokenValiditySeconds(accessTokenValiditySeconds)
.refreshTokenValiditySeconds(refreshTokenValiditySeconds)
.autoApprove(true);
}
@Bean
public TokenStore tokenStore() {
return new JwtTokenStore(accessTokenConverter());
}
@Bean
public JwtAccessTokenConverter accessTokenConverter() {
JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
try {
converter.setSigningKey(keyProvider.getKey());
} catch (URISyntaxException | KeyStoreException | NoSuchAlgorithmException | IOException | UnrecoverableKeyException | CertificateException e) {
e.printStackTrace();
}
return converter;
}
@Bean
@Primary
public DefaultTokenServices tokenServices() {
DefaultTokenServices defaultTokenServices = new DefaultTokenServices();
defaultTokenServices.setTokenStore(tokenStore());
defaultTokenServices.setSupportRefreshToken(true);
defaultTokenServices.setTokenEnhancer(accessTokenConverter());
return defaultTokenServices;
}
}
And the WebSecurityConfigurerAdapter:
@Configuration
@EnableWebSecurity(debug = true)
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Autowired
private UserDetailsService userDetailsService;
@Autowired
private BCryptPasswordEncoder bCryptPasswordEncoder;
@Bean
public DaoAuthenticationProvider authenticationProvider() {
DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
provider.setPasswordEncoder(bCryptPasswordEncoder);
provider.setUserDetailsService(userDetailsService);
return provider;
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth
.userDetailsService(userDetailsService)
.passwordEncoder(bCryptPasswordEncoder);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.NEVER)
.and()
.authorizeRequests()
.antMatchers("/oauth/token").anonymous()
.and()
.authorizeRequests()
.anyRequest().authenticated();
}
@Override
@Bean
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Override
public void configure(WebSecurity web) throws Exception {
web
.ignoring()
.antMatchers("/resources/**", "/static/**", "/css/**", "/js/**", "/images/**");
}
}
I'm only sharing these two classes for now, because I believe the solution I need can only be fixed here, and I could be wrong.
You can configure authorization server so that client can authenticate via form data as below,
@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {
@Override
public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
oauthServer.allowFormAuthenticationForClients();
}
}
Then either you can send as form data
curl -X POST \
http://localhost:54040/oauth/token \
-H 'content-type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW' \
-F grant_type=system \
-F username=udara \
-F password=udara123 \
-F client_id=wfw3e5454353wwrwrtr \
-F client_secret=432fwrw5425242543w245325
or as x-www-form-urlencoded
curl -X POST \
http://localhost:54040/oauth/token \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'grant_type=internal&username=udara&password=udara123&client_id=wfw3e5454353wwrwrtr&client_secret=432fwrw5425242543w245325'