1

I have some problem.

The Token Endpoint (/oauth/token) is automatically secured using HTTP Basic authentication on the client's credentials. But I want to send my POST request to my Spring Authorization Server to get access token with parameters: grant_type=client_credentials, client_id, client_secret,

like this:

curl -H "Accept: application/json" http://localhost:9091/oauth/token -d grant_type=client_credentials -d client_id=d1a45286071f38fd7b4c5de726e1aab50b3e0056524bbfeed984050c5c4c20ee -d clent_secret=$2a$10$Wbnh2ApE7NVBf2H3Zuww5urW/27QmCMZ0JargKk8uaqMl0SuA4kMa

Now, I should send this request with Basic Authentication, like with:

curl -H "Accept: application/json" d1a45286071f38fd7b4c5de726e1aab50b3e0056524bbfeed984050c5c4c20e:secret@localhost:9091/oauth/token -d grant_type=client_credentials

How can I configure my Spring Security Oauth project? Please, help me

Thank you very much!

Following is the oauth Authorization server config:

@Configuration
@EnableAuthorizationServer
protected static class OAuth2Config extends AuthorizationServerConfigurerAdapter {

  @Autowired
    private AuthenticationManager auth;

  @Autowired
    private DataSource dataSource;

  private BCryptPasswordEncoder passwordEncoder = new BCryptPasswordEncoder();

  @Bean
    public JdbcTokenStore tokenStore() {
      return new JdbcTokenStore(dataSource);
    }

  @Bean
    protected AuthorizationCodeServices authorizationCodeServices() {
      return new JdbcAuthorizationCodeServices(dataSource);
    }

  @Override
    public void configure(AuthorizationServerSecurityConfigurer security)
    throws Exception {
      security.passwordEncoder(passwordEncoder);
    }

  @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints)
    throws Exception {
      endpoints.authorizationCodeServices(authorizationCodeServices())
        .authenticationManager(auth)
        .tokenStore(tokenStore())
        .approvalStoreDisabled();
    }



  @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
      // @formatter:off
      clients.jdbc(dataSource)
        .passwordEncoder(passwordEncoder)
        .withClient("my-trusted-client")
        .authorizedGrantTypes("password", "authorization_code",
            "refresh_token", "implicit")
        .authorities("ROLE_CLIENT", "ROLE_TRUSTED_CLIENT")
        .scopes("read", "write", "trust")
        .resourceIds("oauth2-resource")
        .accessTokenValiditySeconds(60)
        .and()
        .withClient("my-client-with-registered-redirect")
        .authorizedGrantTypes("authorization_code")
        .authorities("ROLE_CLIENT").scopes("read", "trust")
        .resourceIds("oauth2-resource")
        .redirectUris("http://anywhere?key=value")
        .and()
        .withClient("my-client-with-secret")
        .authorizedGrantTypes("client_credentials", "password")
        .authorities("ROLE_CLIENT").scopes("read")
        .resourceIds("oauth2-resource").secret("secret")

        .and()    .withClient("d1a45286071f38fd7b4c5de726e1aab50b3e0056524bbfeed984050c5c4c20ee")
        .authorizedGrantTypes("client_credentials")
        .authorities("ROLE_CLIENT")
        .scopes("read")
        .resourceIds("oauth2-resource")
        .secret("secret")
        .redirectUris("http://localhost:9090");;


      // @formatter:on
    }
}

Following is the security config:

@Configuration
@EnableWebSecurity
public class WebSecurityConfigOauth extends WebSecurityConfigurerAdapter {

    @Autowired
    private AuthenticationManager authenticationManager;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .anonymous()
                .disable();
        http
                .requestMatchers()
                .antMatchers("/oauth/token")
                .and()
                .authorizeRequests()
                .anyRequest()
                .fullyAuthenticated();
        http
                .httpBasic().disable()

                //.authenticationEntryPoint(oAuth2AuthenticationEntryPoint())

                .addFilterAfter(clientCredentialsTokenEndpointFilter(), BasicAuthenticationFilter.class);
        http
                .exceptionHandling()
                .accessDeniedHandler(oAuth2AccessDeniedHandler())
                .and()
                .csrf().disable();
    }

    @Bean
    OAuth2AuthenticationEntryPoint oAuth2AuthenticationEntryPoint() {
        OAuth2AuthenticationEntryPoint oAuth2AuthenticationEntryPoint = new OAuth2AuthenticationEntryPoint();
        oAuth2AuthenticationEntryPoint.setRealmName("oauth/client");
        oAuth2AuthenticationEntryPoint.setTypeName("Basic");
        return oAuth2AuthenticationEntryPoint;
    }

    @Bean
    AuthenticationSuccessHandler authenticationSuccessHandler() {
        return new OAuth2AuthenticationSuccessHandler();
    }

    @Bean
    AuthenticationFailureHandler authenticationFailureHandler() {
        return new OAuth2AuthenticationFailureHandler();
    }

    @Bean
    OAuth2AccessDeniedHandler oAuth2AccessDeniedHandler() {
        return new OAuth2AccessDeniedHandler();
    }

    @Bean
    ClientCredentialsTokenEndpointFilter clientCredentialsTokenEndpointFilter() {
        ClientCredentialsTokenEndpointFilter clientCredentialsTokenEndpointFilter = new CustomClientCredentialsTokenEndpointFilter();
        try {
            clientCredentialsTokenEndpointFilter.setAuthenticationManager(authenticationManager);
            clientCredentialsTokenEndpointFilter.setAuthenticationEntryPoint(oAuth2AuthenticationEntryPoint());
            clientCredentialsTokenEndpointFilter.setAuthenticationSuccessHandler(authenticationSuccessHandler());
            clientCredentialsTokenEndpointFilter.setAuthenticationFailureHandler(authenticationFailureHandler());
            return clientCredentialsTokenEndpointFilter;
        }
        catch (Exception e) {
            throw new IllegalStateException(e);
        }
    }

    static final class CustomClientCredentialsTokenEndpointFilter extends ClientCredentialsTokenEndpointFilter {

        @Override
        public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException, IOException, ServletException {
            final Authentication authentication = super.attemptAuthentication(request, response);

            return authentication;
        }
    }

    static final class OAuth2AuthenticationFailureHandler implements AuthenticationFailureHandler {

        @Override
        public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) throws IOException, ServletException {
            String s = request.toString();
        }
    }

    static final class OAuth2AuthenticationSuccessHandler implements AuthenticationSuccessHandler {

        @Override
        public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
            String s = request.toString();
        }
    }
}
alex
  • 21
  • 3
  • Your second `curl` looks incorrect; anyway, `BasicAuthenticationFilter`will process "basic" authentication. But the filter only performs processing when the Authorization header is present. Can you provide your security config – ring bearer May 24 '16 at 10:18
  • It is example of the second curl request: curl -H "Accept: application/json" my-client-with-secret:secret@quiet-atoll-70789.herokuapp.com/oauth/token -d grant_type=client_credentials. I have had token by this request and by my request. – alex May 24 '16 at 10:31
  • It is my security config: – alex May 24 '16 at 10:34
  • I added code above – alex May 24 '16 at 11:12
  • http://stackoverflow.com/questions/38166613/spring-oauth2-disable-http-basic-auth-for-tokenendpoint maybe this can help you. – talipkorkmaz Aug 31 '16 at 10:31

0 Answers0