Grails Spring Securiy Oauth Provider plugin: Full authentication is required to access this resource

Question

I am using grails "Spring Security OAuth Provider" plugin. And I am able to get access code on response of below URL.

http://localhost:8080/oauthServer/oauth/authorize?response_type=code&client_id=test_client&scope=read&redirect_uri=http://example.com?

But when I send the request to get access token by access code using below URL, I am getting "Full authentication is required to access this resource" error message.

curl -header "Authorization: Basic bnVkZ2VDbGllbnQ6YjRkNzA3NmE3YTA4N2E4MWMzMTE2ZjZlNWQzZWY0MDJjNmQ4ZjM3Nw==" http://localhost:8080/oauthServer/oauth/token?grant_type=authorization_code&code=kuH8aC

Note: base64(client_id:client_secret)=bnVkZ2VDbGllbnQ6YjRkNzA3NmE3YTA4N2E4MWMzMTE2ZjZlNWQzZWY0MDJjNmQ4ZjM3Nw==

The full error message is given below.

<oauth>
 <error_description>
   Full authentication is required to access this resource
 </error_description>
 <error>unauthorized</error>
</oauth>

What I am missing. Please suggest.

Thanks

Update 1

Actually I am following the this documentation of Spring security oauth provider plugin.

There is my configuration setting.

// Added by the Spring Security OAuth2 Provider plugin:
grails.plugin.springsecurity.oauthProvider.clientLookup.className = 'com.oauth.Client'
grails.plugin.springsecurity.oauthProvider.authorizationCodeLookup.className = 'com.oauth.AuthorizationCode'
grails.plugin.springsecurity.oauthProvider.accessTokenLookup.className = 'com.oauth.AccessToken'
grails.plugin.springsecurity.oauthProvider.refreshTokenLookup.className = 'com.oauth.RefreshToken'
grails.plugin.springsecurity.logout.postOnly = false

//grails.plugin.springsecurity.successHandler.defaultTargetUrl = '/client/index'

// Added by the Spring Security Core plugin:
grails.plugin.springsecurity.userLookup.userDomainClassName = 'com.auth.User'
grails.plugin.springsecurity.userLookup.authorityJoinClassName = 'com.auth.UserRole'
grails.plugin.springsecurity.authority.className = 'com.auth.Role'
grails.plugin.springsecurity.controllerAnnotations.staticRules = [
    '/oauth/authorize.dispatch':      ["isFullyAuthenticated() and (request.getMethod().equals('GET') or request.getMethod().equals('POST'))"],
    '/oauth/token.dispatch':          ["isFullyAuthenticated() and request.getMethod().equals('POST')"],
    '/':                              ['permitAll'],
    '/index':                         ['permitAll'],
    '/index.gsp':                     ['permitAll'],
    '/assets/**':                     ['permitAll'],
    '/**/js/**':                      ['permitAll'],
    '/**/css/**':                     ['permitAll'],
    '/**/images/**':                  ['permitAll'],
    '/**/favicon.ico':                ['permitAll']
]

grails.plugin.springsecurity.providerNames = [
        'clientCredentialsAuthenticationProvider',
        'daoAuthenticationProvider',
        'anonymousAuthenticationProvider',
        'rememberMeAuthenticationProvider'
]

grails.exceptionresolver.params.exclude = ['password', 'client_secret']

grails.plugin.springsecurity.filterChain.chainMap = [
        '/oauth/token': 'JOINED_FILTERS,-oauth2ProviderFilter,-securityContextPersistenceFilter,-logoutFilter,-rememberMeAuthenticationFilter',
        '/securedOAuth2Resources/**': 'JOINED_FILTERS,-securityContextPersistenceFilter,-logoutFilter,-rememberMeAuthenticationFilter',
        '/**': 'JOINED_FILTERS,-statelessSecurityContextPersistenceFilter,-oauth2ProviderFilter,-clientCredentialsTokenEndpointFilter'
]

My controller is default one.

@Secured(["#oauth2.clientHasRole('ROLE_CLIENT')"])
    def clientRoleExpression() {
        render "client role expression"
    }

    @Secured(["ROLE_CLIENT"])
    def clientRole() {
        render "client role"
    }

    @Secured(["#oauth2.clientHasAnyRole('ROLE_CLIENT', 'ROLE_TRUSTED_CLIENT')"])
    def clientHasAnyRole() {
        render "client has any role"
    }

    @Secured(["#oauth2.isClient()"])
    def client() {
        render "is client"
    }

    @Secured(["#oauth2.isUser()"])
    def user() {
        // code
    }

    @Secured(["#oauth2.isUser()"])
    def getSubscriptionDetail() {
       //code
    }

    @Secured(["#oauth2.isUser()"])
    def getHistory(){
        //code 
    }

    @Secured(["#oauth2.denyOAuthClient()"])
    def denyClient() {
        render "no client can see"
    }

    @Secured(["permitAll"])
    def anyone() {
        render "anyone can see"
    }

    def nobody() {
        render "nobody can see"
    }

    @Secured(["#oauth2.clientHasRole('ROLE_TRUSTED_CLIENT') and #oauth2.isClient() and #oauth2.hasScope('trust')"])
    def trustedClient() {
        render "trusted client"
    }

    @Secured(["hasRole('ROLE_USER') and #oauth2.isUser() and #oauth2.hasScope('trust')"])
    def trustedUser() {
        render "trusted user"
    }

    @Secured(["hasRole('ROLE_USER') or #oauth2.hasScope('read')"])
    def userRoleOrReadScope() {
        render "user role or read scope"
    }

Which grails version are you using? I think you should provide full authentication to your action. — user1791574, Feb 14 '15 at 18:18

score 0 · Answer 1 · answered Feb 24 '15 at 15:43

0

Your token endpoint configuration requires that the request be POST. Unless there's more to your curl command than shown above, you need to have something like

curl -X POST

in addition to your --header option.

answered Feb 24 '15 at 15:43

ai_guru

1
1

score 0 · Answer 2 · answered Mar 20 '15 at 11:27

0

I did not know the exact reason for this issue but this issue is not in the latest version of the plugin. Please use latest version of this plugin.

answered Mar 20 '15 at 11:27

Neeraj Bhatt

145
2
13

Grails Spring Securiy Oauth Provider plugin: Full authentication is required to access this resource

2 Answers2