20

I'm trying to set up a resource server to work with a separate authorization server using Spring Security OAuth. I'm using RemoteTokenServices, which requires the /check_token endpoint.

I can see that the /oauth/check_token endpoint is enabled by default when @EnableAuthorizationServer is used. However, the endpoint is not accessible by default.

Should the following entry be added manually to whitelist this endpoint?

http.authorizeRequests().antMatchers("/oauth/check_token").permitAll();

This will make the endpoint accessible to everyone; is this the desired behavior? Or am I missing something?

Thanks in advance,

sowdri

4 Answers

21

You have to

@Override
public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
    // access expression evaluated for requests to /oauth/check_token
    oauthServer.checkTokenAccess("permitAll()");
}

For more information on this:

How to use RemoteTokenService?

Pratik Shah
    Wouldn't "isAuthenticated()" be better than "permitAll()"? – Dave Syer Nov 07 '14 at 07:43
  • I have written this because he is trying to achieve this in his above code. – Pratik Shah Nov 07 '14 at 08:46
  • @DaveSyer as per my understanding checkTokenAccess("isAuthenticated()") will open the endpoint for authenticated users. Then what is the need to again define http.authorizeRequests().antMatchers("/oauth/check_token").permitAll(); – truekiller Apr 02 '18 at 12:05
  • No need, as far as I am aware (assuming I understand the question). – Dave Syer Apr 03 '18 at 08:15
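The answer and the comments above cover the authorization-server side only. The other half of the setup the question asks about, as an added example that is not part of the original answer or of Spring's own code, is the resource server: a RemoteTokenServices that calls /oauth/check_token with its own client credentials (sent as HTTP Basic), so the endpoint can stay at checkTokenAccess("isAuthenticated()") as suggested in the comments rather than being opened with permitAll(). The authorization-server URL http://localhost:8080, the client id "resource-server", its secret and the resource id "api" are assumptions; the second class shows the matching client registration on the authorization server.

```java
package example;  // hypothetical package

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.RemoteTokenServices;

/** Resource server: validates every bearer token against the authorization server. */
@Configuration
@EnableResourceServer
class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    @Bean
    public RemoteTokenServices tokenServices() {
        RemoteTokenServices services = new RemoteTokenServices();
        // Hypothetical authorization-server URL; every presented token is sent here.
        services.setCheckTokenEndpointUrl("http://localhost:8080/oauth/check_token");
        // The resource server authenticates itself to /oauth/check_token with these
        // client credentials (HTTP Basic), which is what satisfies isAuthenticated().
        services.setClientId("resource-server");
        services.setClientSecret("resource-secret");  // hypothetical secret
        return services;
    }

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
        resources.resourceId("api").tokenServices(tokenServices());
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/api/**").authenticated();
    }
}

/** Authorization server: registers the resource server as a client and keeps check_token authenticated. */
@Configuration
@EnableAuthorizationServer
class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
        // Not permitAll(): only an authenticated client may introspect tokens.
        security.checkTokenAccess("isAuthenticated()");
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
            // Same id/secret the resource server above presents. With Spring Security 5
            // the stored secret needs an encoder prefix; drop "{noop}" on Spring Security 4.
            .withClient("resource-server")
            .secret("{noop}resource-secret")
            .authorizedGrantTypes("client_credentials")
            .scopes("read");
    }
}
```

To confirm the endpoint is not open, call it once without credentials and once with the client's credentials: the first request should be rejected with 401, the second should return the token's claims.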
9

Just to clarify a couple of points, and to add some more information to the answer provided by Pratik Shah (and by Alex in the related thread):

1- The configure method mentioned is overridden by creating a class that extends AuthorizationServerConfigurerAdapter:

    @EnableAuthorizationServer
    @Configuration
    public class AuthServerConfig extends AuthorizationServerConfigurerAdapter {

        @Override
        public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
            // access expressions for /oauth/token_key and /oauth/check_token
            oauthServer.tokenKeyAccess("permitAll()")
                .checkTokenAccess("isAuthenticated()");
        }

        @Override
        public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
            // a single in-memory client used for the password grant
            clients
                    .inMemory()
                    .withClient("ger-client-id")
                    .secret("ger-secret")
                    .authorizedGrantTypes("password")
                    .scopes("read", "write");
        }
    }

2- I suggest reading this Spring guide explaining the automatic configuration carried out by Spring Boot when we include the @EnableAuthorizationServer annotation, including an AuthorizationServerConfigurer bean. If you create a configuration bean extending the AuthorizationServerConfigurerAdapter as I did above, then that whole automatic configuration is disabled.

3- If the automatic configuration suits you just fine, and you JUST want to manipulate the access to the /oauth/check_token endpoint, you can still do so without creating an AuthorizationServerConfigurer bean (and therefore without having to configure everything programmatically).

You'll have to add the security.oauth2.authorization.check-token-access property to the application.properties file, for example:

security.oauth2.client.client-id=ger-client-id
security.oauth2.client.client-secret=ger-secret
security.oauth2.client.scope=read,write

security.oauth2.authorization.check-token-access=permitAll()

Of course, you can give it an isAuthenticated() value if you prefer.

You can set the log level to DEBUG to check that everything is being configured as expected:

16:16:42.763 [main] DEBUG o.s.s.w.a.e.ExpressionBasedFilterInvocationSecurityMetadataSource - Adding web access control expression 'permitAll()', for Ant [pattern='/oauth/check_token']

There is not much documentation about these properties, but you can figure them out from this autoconfiguration class.

One last thing worth mentioning: even though it seems to be fixed in the latest Spring versions, I just submitted an issue in the spring-security-oauth project; it seems that the check_token functionality is enabled by default if you add a trailing slash to the request:

$ curl localhost:8080/oauth/check_token/?token=fc9e4ad4-d6e8-4f57-b67e-c0285dcdeb58
{"scope":["read","write"],"active":true,"exp":1544940147,"authorities":["ROLE_USER"],"client_id":"ger-client-id"}
Gerardo Roza
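The trailing-slash observation at the end of the answer above deserves a defence-in-depth rule, added here as an example that is not part of the answer or of Spring's code. It assumes the usual cause of this kind of discrepancy: the authorization server's security chain claims only the exact paths /oauth/token, /oauth/token_key and /oauth/check_token, so a request for /oauth/check_token/ misses that chain and falls through to whatever chain comes next, while the MVC handler mapping still routes it to the check_token endpoint. A small extra chain that claims every variant of those paths and denies them closes the gap regardless of which framework version you run. The class name and the order value 10 are assumptions; the exact paths never reach this chain because the authorization server chain (order 0) handles them first.

```java
package example;  // hypothetical package

import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/**
 * Fallback chain for the OAuth endpoint paths.
 *
 * Weak state (assumed, see lead-in): "/oauth/check_token" as an exact pattern does
 * not match "/oauth/check_token/", so that request is handled by the application's
 * default chain, which may allow it anonymously.
 *
 * Corrected state: patterns ending in "/**" match the bare path, the path with a
 * trailing slash and any sub-path, and everything this chain claims is denied.
 */
@Configuration
@Order(10)  // after the authorization server chain (order 0), before the app's own chain
public class OAuthEndpointFallbackConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Claim only these paths so the rest of the application is untouched.
            .requestMatchers()
                .antMatchers("/oauth/check_token/**",
                             "/oauth/token/**",
                             "/oauth/token_key/**")
            .and()
            // Nothing that reaches this chain is a legitimate request: the real
            // endpoints were already served by the authorization server chain.
            .authorizeRequests()
                .anyRequest().denyAll();
    }
}
```

Check it the same way the answer does, with and without the trailing slash: `curl -i localhost:8080/oauth/check_token/?token=...` should now be refused (403 from this chain, since no entry point is configured) instead of returning the token's claims, and the exact path should still answer to an authenticated client.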
2

There are three POST parameters, namely client_id (user name), client_secret (password corresponding to the user name) and token (the token that was obtained); client_id and client_secret are different from the parameters in the /oauth/token interface.


Jason
1

First, configure the token access expression:

@Override
public void configure(AuthorizationServerSecurityConfigurer securityConfigurer) throws Exception {
    securityConfigurer
            .allowFormAuthenticationForClients()
            .checkTokenAccess("isAuthenticated()")
            .addTokenEndpointAuthenticationFilter(checkTokenEndpointFilter());
}

Then we need to define a filter to process client authentication:

@Bean
public ClientCredentialsTokenEndpointFilter checkTokenEndpointFilter() {
    ClientCredentialsTokenEndpointFilter filter = new ClientCredentialsTokenEndpointFilter("/oauth/check_token");
    filter.setAuthenticationManager(authenticationManager);
    filter.setAllowOnlyPost(true);
    return filter;
}
vr3C
  • I followed the code above; the "authenticationManager" is @Autowired and comes from WebSecurityConfigurerAdapter.authenticationManagerBean(), but the filter used for /oauth/token (org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer#clientCredentialsTokenEndpointFilter) uses http.getSharedObject(AuthenticationManager.class). These two authenticationManagers are not the same one, so when I POST data to "/oauth/check_token" I get an error like {"error": "invalid_client", "error_description": "Bad client credentials"}. I don't know why they are not the same. – phxism Jun 10 '20 at 13:23
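The comment above describes the symptom one gets when the filter is handed the wrong AuthenticationManager. As an added example (not vr3C's or phxism's code, and not Spring's own), and assuming the cause is the one the comment points at, here is the same filter wired to a manager that authenticates OAuth clients: the manager exposed by WebSecurityConfigurerAdapter.authenticationManagerBean() validates end-user accounts, whereas the authorization server chain's shared manager validates client_id/client_secret through a ClientDetailsUserDetailsService over the client registry. Building the equivalent manager explicitly, from the same registry and the same PasswordEncoder, makes form-based client authentication on /oauth/check_token succeed. The client id, secret and class name are assumptions.

```java
package example;  // hypothetical package

import java.util.Collections;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.client.BaseClientDetails;
import org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter;
import org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService;
import org.springframework.security.oauth2.provider.client.InMemoryClientDetailsService;

@Configuration
@EnableAuthorizationServer
public class CheckTokenFormAuthConfig extends AuthorizationServerConfigurerAdapter {

    // One encoder for the stored secret, for HTTP Basic client auth and for the form filter,
    // so all three agree on how client_secret is compared.
    private final PasswordEncoder encoder = new BCryptPasswordEncoder();

    // Built as a plain field rather than a @Bean: Spring Security OAuth already registers a
    // ClientDetailsService bean from this configurer, and a second one would be ambiguous.
    private final InMemoryClientDetailsService clients = buildClients();

    private InMemoryClientDetailsService buildClients() {
        // clientId, resourceIds, scopes, grantTypes, authorities
        BaseClientDetails client = new BaseClientDetails(
                "resource-server", null, "read", "client_credentials", null);
        client.setClientSecret(encoder.encode("resource-secret"));  // hypothetical secret
        InMemoryClientDetailsService service = new InMemoryClientDetailsService();
        service.setClientDetailsStore(Collections.singletonMap(client.getClientId(), client));
        return service;
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer configurer) throws Exception {
        configurer.withClientDetails(clients);
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
        security
            .passwordEncoder(encoder)               // used for HTTP Basic client auth on the chain
            .allowFormAuthenticationForClients()    // form auth for /oauth/token
            .checkTokenAccess("isAuthenticated()")
            .addTokenEndpointAuthenticationFilter(checkTokenEndpointFilter());  // form auth for /oauth/check_token
    }

    /** Validates client_id/client_secret against the client registry, not user accounts. */
    private AuthenticationManager clientAuthenticationManager() {
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(new ClientDetailsUserDetailsService(clients));
        provider.setPasswordEncoder(encoder);
        return new ProviderManager(Collections.singletonList(provider));
    }

    // Deliberately not a @Bean: Spring Boot registers every Filter bean with the servlet
    // container as well, which would run this filter on every request, not just inside
    // the authorization server chain.
    private ClientCredentialsTokenEndpointFilter checkTokenEndpointFilter() {
        ClientCredentialsTokenEndpointFilter filter =
                new ClientCredentialsTokenEndpointFilter("/oauth/check_token");
        filter.setAuthenticationManager(clientAuthenticationManager());
        filter.setAllowOnlyPost(true);  // credentials in a POST body only, never in a query string
        return filter;
    }
}
```

The filter only engages when a client_id parameter is present on the request, so callers that authenticate with HTTP Basic (RemoteTokenServices does) are still handled by the chain's own client authentication and are unaffected by this addition.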