Spring-Security-Oauth2 Full authentication is required to access this resource

Question

I am trying to use spring-security-oauth2 0 with Java based configuration  My  configuration is done  but when i deploy application on tomcat and hit the  oauth token url for access token  Oauth generate the follwoing error     lt oauth gt   lt error description gt Full authentication is required to access this resource lt  error description gt   lt error gt unauthorized lt  error gt   lt  oauth gt    My configuration is on Git hub  please click on link  The code is large  so refer to git  I am using chrome postman client for send request  follwing is my request    POST  dummy-project-web oauth token HTTP 1 1 Host  localhost 8081 Cache-Control  no-cache Content-Type  application x-www-form-urlencoded  grant type client credentials amp client id abc 40gmail com amp client secret 12345678    The error is just like  the URL is secure by Oauth  but in configuration  i give the all permission for access this URL  What actual this problem is

User · Answer

By default Spring OAuth requires basic HTTP authentication  If you want to switch it off with Java based configuration  you have to allow form authentication for clients like this    Configuration  EnableAuthorizationServer protected static class OAuth2Config extends AuthorizationServerConfigurerAdapter      Override   public void configure AuthorizationServerSecurityConfigurer oauthServer  throws Exception       oauthServer allowFormAuthenticationForClients

User · Answer

The reason is that by default the  oauth token endpoint is protected through Basic Access Authentication   All you need to do is add the Authorization header to your request   You can easily test it with a tool like curl by issuing the following command   curl exe --user abc gmail com 12345678 http   localhost 8081 dummy-project-web oauth token grant type client credentials

User · Answer

I had the same problem  but I solve this with the following class   import org springframework context annotation Bean  import org springframework context annotation Configuration  import org springframework security authentication AuthenticationManager  import org springframework security config annotation web configuration EnableWebSecurity  import org springframework security config annotation web configuration WebSecurityConfigurerAdapter  import org springframework security crypto password NoOpPasswordEncoder  import org springframework security crypto password PasswordEncoder    Configuration  EnableWebSecurity public class OAuthSecurityConfiguration extends WebSecurityConfigurerAdapter         Bean      Override     public AuthenticationManager authenticationManager   throws Exception           return super authenticationManager                Bean     public PasswordEncoder passwordEncoder             return NoOpPasswordEncoder getInstance

User · Answer

You should pre authenticate the token apis   oauth token   extend ResourceServerConfigurerAdapter and override configure function to do this   eg   http sessionManagement   sessionCreationPolicy SessionCreationPolicy STATELESS  and   authorizeRequests   antMatchers   oauth token   permitAll    anyRequest   authenticated

User · Answer

This is incredible but real   csrf filter is enabled by default and it actually blocks any POST  PUT or DELETE requests which do not include de csrf token   Try using a GET instead of POST to confirm that this is it  If this is so then allow any HTTP method   Throws Exception  class  override fun configure http  HttpSecurity                    Allow POST  PUT or DELETE request               NOTE  csrf filter is enabled by default and it actually blocks any POST  PUT or DELETE requests        which do not include de csrf token              http csrf   disable        If you are obtaining a 401 the most intuitive thing is to think that in the request you have No Auth or you are missing something in the headers regarding authorization  But apparently there is an internal function that is filtering the HTTP methods that use POST and returns a 401  After fixing it I thought it was a cache issue with the status code but apparently not  GL  Disable csrf Demo

User · Answer

setting management security enabled false in application properties resolved the issue for me

User · Answer

The client id and client secret  by default  should go in the Authorization header  not the form-urlencoded body    Concatenate your client id and client secret  with a colon between them  abc gmail com 12345678  Base 64 encode the result  YWJjQGdtYWlsLmNvbToxMjM0NTY3OA   Set the Authorization header  Authorization  Basic YWJjQGdtYWlsLmNvbToxMjM0NTY3OA

User · Answer

With Spring OAuth 2 0 7-RELEASE the following command works for me  curl -v -u abc gmail com 12345678 -d  grant type client credentials  http   localhost 9999 uaa oauth token   It works with Chrome POSTMAN too  just make sure you client and secret in  Basic Auth  tab  set method to  POST  and add grant type in  form data  tab

[java] Spring-Security-Oauth2: Full authentication is required to access this resource

Examples related to java

Examples related to oauth-2.0

Examples related to unauthorized

Examples related to spring-security-oauth2