1

I have following Spring Boot OAuth configuration. I managed to get the access token in Postman with following POST request with username and password.

localhost:8080/oauth/token?grant_type=password
With header (Authorization: Basic <base64 client_id>)

It returns me an access_token. But when I used that token to access resource URLs as follows, it returns 401 Unauthorized error.

localhost:8080/api/customer
With header (Authorization : Bearer <access_token>)

Following is my OAuth configuration.

@Configuration
@EnableAuthorizationServer
public class OAuth2Config extends AuthorizationServerConfigurerAdapter {

@Autowired
private UserDetailsService userDetailsService;

@Autowired
@Qualifier("authenticationManagerBean")
private AuthenticationManager authenticationManager;

@Bean
public TokenStore tokenStore() {
    return new InMemoryTokenStore();
}


@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
    endpoints.tokenStore(tokenStore());
    endpoints.authenticationManager(authenticationManager);
    endpoints.userDetailsService(userDetailsService);
}

@Override
public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
    oauthServer
            .allowFormAuthenticationForClients()
            .tokenKeyAccess("permitAll()")
            .checkTokenAccess("isAuthenticated()");
}

@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
    clients.inMemory()
            .withClient("clientIdPassword")
            .scopes("read","write", "trust")
            .authorizedGrantTypes(
                    "password","authorization_code", "client_credentials", "refresh_token", "implicit");
}

}

Relevant part of my WebSecurityConfigurerAdapter implementation is as follows.

 @Override
protected void configure(HttpSecurity http) throws Exception {
    http.headers().frameOptions().disable();
    http.authorizeRequests()
            .antMatchers(HttpMethod.OPTIONS).permitAll()
            .antMatchers("/auth/token").permitAll()
            //.antMatchers("/**").hasAnyAuthority("ADMIN", "OPERATOR")
            .anyRequest().authenticated()
            .and().exceptionHandling().authenticationEntryPoint(new RESTAuthenticationEntryPoint())
            .and().cors().configurationSource(corsConfigurationSource())
            .and().csrf().disable()
            .formLogin()
            .successHandler(new RESTAuthenticationSuccessHandler(objectMapper, userDetailService))
            .failureHandler(new RESTAuthenticationFailureHandler())
            .and()
            .logout().logoutSuccessHandler(new HttpStatusReturningLogoutSuccessHandler());
}

 @Bean
public CorsConfigurationSource corsConfigurationSource() {
    CorsConfiguration configuration = new CorsConfiguration();
    configuration.setAllowedOrigins(Arrays.asList("*"));
    configuration.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "DELETE", "OPTIONS", "HEAD"));
    configuration.setExposedHeaders(Arrays.asList(headerName));
    UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
    source.registerCorsConfiguration("/**", configuration);
    return source;
}

@Bean
public AuthenticationTrustResolver getAuthenticationTrustResolver() {
    return new AuthenticationTrustResolverImpl();
}

Could you please show me what is wrong in my code which leads to 401 Unauthorized error even with a valid access_token.

Johna
  • 1,836
  • 2
  • 18
  • 29
  • 1
    Same issue like in this question: https://stackoverflow.com/questions/44234159/using-websecurityconfigureradapter-with-spring-oauth2-and-user-info-uri/44252949#44252949 – Afridi Jun 08 '17 at 07:02
  • @Afridi your suggestion worked. I extended the ResourceServerConfigurerAdapter in my resource server and added the method exactly as in your link. Thank you. – Johna Jun 08 '17 at 07:32
  • @Afridi Actually, now resources are loading without an access_token. Problem not solved. – Johna Jun 08 '17 at 08:12

0 Answers0