I am trying to use spring-security-oauth2.0
with Java based configuration. My configuration is done, but when i deploy application on tomcat and hit the /oauth/token
url for access token, Oauth
generate the follwoing error:
<oauth>
<error_description>Full authentication is required to access this resource</error_description>
<error>unauthorized</error>
</oauth>
My configuration is on Git hub, please click on link
The code is large, so refer to git. I am using chrome postman client for send request. follwing is my request.
POST /dummy-project-web/oauth/token HTTP/1.1
Host: localhost:8081
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials&client_id=abc%40gmail.com&client_secret=12345678
The error is just like, the URL is secure by Oauth
, but in configuration, i give the all permission for access this URL. What actual this problem is?
This question is related to
java
oauth-2.0
unauthorized
spring-security-oauth2
setting management.security.enabled=false
in application.properties
resolved the issue for me.
With Spring OAuth 2.0.7-RELEASE the following command works for me
curl -v -u [email protected]:12345678 -d "grant_type=client_credentials" http://localhost:9999/uaa/oauth/token
It works with Chrome POSTMAN too, just make sure you client and secret in "Basic Auth" tab, set method to "POST" and add grant type in "form data" tab.
The reason is that by default the /oauth/token
endpoint is protected through Basic Access Authentication.
All you need to do is add the Authorization
header to your request.
You can easily test it with a tool like curl
by issuing the following command:
curl.exe --user [email protected]:12345678 http://localhost:8081/dummy-project-web/oauth/token?grant_type=client_credentials
You should pre authenticate the token apis "/oauth/token"
extend ResourceServerConfigurerAdapter
and override configure function
to do this.
eg:
http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and().authorizeRequests().antMatchers("/oauth/token").permitAll().
anyRequest().authenticated();
This is incredible but real.
csrf filter is enabled by default and it actually blocks any POST, PUT or DELETE requests which do not include de csrf token.
If this is so then allow any HTTP method:
@Throws(Exception::class)
override fun configure(http: HttpSecurity) {
/**
* Allow POST, PUT or DELETE request
*
* NOTE: csrf filter is enabled by default and it actually blocks any POST, PUT or DELETE requests
* which do not include de csrf token.
*/
http.csrf().disable()
}
If you are obtaining a 401 the most intuitive thing is to think that in the request you have No Auth or you are missing something in the headers regarding authorization.
But apparently there is an internal function that is filtering the HTTP methods that use POST and returns a 401. After fixing it I thought it was a cache issue with the status code but apparently not.
GL
I had the same problem, but I solve this with the following class:
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
@Configuration
@EnableWebSecurity
public class OAuthSecurityConfiguration extends WebSecurityConfigurerAdapter {
@Bean
@Override
public AuthenticationManager authenticationManager() throws Exception {
return super.authenticationManager();
}
@Bean
public PasswordEncoder passwordEncoder() {
return NoOpPasswordEncoder.getInstance();
}
}
The client_id
and client_secret
, by default, should go in the Authorization header, not the form-urlencoded body.
client_id
and client_secret
, with a colon between them: [email protected]:12345678
.YWJjQGdtYWlsLmNvbToxMjM0NTY3OA==
Authorization: Basic YWJjQGdtYWlsLmNvbToxMjM0NTY3OA==
By default Spring OAuth requires basic HTTP authentication. If you want to switch it off with Java based configuration, you have to allow form authentication for clients like this:
@Configuration
@EnableAuthorizationServer
protected static class OAuth2Config extends AuthorizationServerConfigurerAdapter {
@Override
public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
oauthServer.allowFormAuthenticationForClients();
}
}
Source: Stackoverflow.com