
I am following this sample code from Spring Security OAuth.

After I got the access token when I try to check the token

curl -X POST http://localhost:9999/uaa/oauth/check_token -d "token=e3f44c4f-f8f2-45c4-9f9e-c7dd1f583a1f"

I get the following error:

{"error":"unauthorized","error_description":"Full authentication is required to access this resource"}

I tried passing client id and secret.

curl -X POST acme:acmesecret@localhost:9999/uaa/oauth/check_token -d "token=e3f44c4f-f8f2-45c4-9f9e-c7dd1f583a1f"

I get 403 status.

{"timestamp":1437683976536,"status":403,"error":"Forbidden","message":"Access is denied","path":"/uaa/oauth/check_token"}

I am unable to figure out what is going wrong. Any help here is much appreciated.

brain storm
  • Could you please specify what the definition of `../uaa/oauth/check_token` is? I am asking because there is no such standard endpoint. – nKognito Jul 31 '15 at 13:12
  • it is `/oauth/check_token` which validates the access token. `/uaa/` is just contextPath. – brain storm Aug 01 '15 at 18:26
  • What exactly does it do? If you already have a token, why do you have to validate it? If the `check_token` endpoint is already secured with OAuth then you have to provide an Authentication header within your request and not the parameter... This header should be: `Authentication: Bearer YOUR_TOKEN` – nKognito Aug 01 '15 at 18:38
  • `check_token` is not secured with OAuth. Please have a look at the link in the post above to get more information on its use – brain storm Aug 02 '15 at 22:21

1 Answer


Try to play with /check_token authorization rights via:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
@Configuration
@EnableAuthorizationServer
public class OAuthSecurityConfig extends AuthorizationServerConfigurerAdapter {
    @Override
    public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
        oauthServer.checkTokenAccess("permitAll()"); // the default access rule is denyAll()
    }
}
nKognito
  • Instead of using oauthServer.checkTokenAccess("permitAll()"); I will suggest using oauthServer.checkTokenAccess("isAuthenticated()"); which is more secure than opening it up. Any client wanting to check a token will have to supply their client credentials – Seun Matt May 07 '19 at 10:24
  • @SeunMatt what about Single Page Applications and the Implicit or Authorization Code flow? I mean, an SPA client can't authenticate itself because it is insecure to store client credentials in an SPA app – IHaveHandedInMyResignation Apr 23 '21 at 11:33
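The answer and the follow-up comment together describe the fix: the check_token access rule defaults to denyAll() (hence the 403 even with correct client credentials), and "isAuthenticated()" restricts token introspection to registered clients rather than opening it to anyone. The following is an added, self-contained configuration illustrating that, written for the spring-security-oauth2 library the question uses; it is not the poster's code or the Spring sample. The client id "acme", secret "acmesecret", grant types and scope are assumed to match the question's curl call, and `AuthServerConfig` is a hypothetical class name.

```java
// Added example for this Q&A, not the original poster's or the Spring project's code.
// Assumes the spring-security-oauth2 library (AuthorizationServerConfigurerAdapter API).
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;

@Configuration
@EnableAuthorizationServer
public class AuthServerConfig extends AuthorizationServerConfigurerAdapter {

    private final AuthenticationManager authenticationManager;

    public AuthServerConfig(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) {
        // The default for /oauth/check_token is denyAll(), which is why the
        // question's second curl call still got 403 despite valid credentials.
        // isAuthenticated() lets only registered clients introspect tokens,
        // e.g. with HTTP Basic:
        //   curl -u acme:acmesecret -X POST http://localhost:9999/uaa/oauth/check_token -d "token=..."
        // permitAll() would expose the introspection endpoint to any caller.
        security.checkTokenAccess("isAuthenticated()");
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        // Client registration constructed to match the question's curl call.
        // Under Spring Security 5 the secret must be encoded (or prefixed with "{noop}").
        clients.inMemory()
            .withClient("acme")
            .secret("acmesecret")
            .authorizedGrantTypes("password", "refresh_token")
            .scopes("openid");
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
        // Needed for the password grant used to obtain the token in the first place.
        endpoints.authenticationManager(authenticationManager);
    }
}
```

With this in place, a check_token request without client credentials returns 401, and one authenticated as a registered client returns the token's claims; a resource server that cannot hold a secret (the SPA case raised in the last comment) should validate tokens another way, such as JWT signature verification, rather than relaxing this rule to permitAll().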