
I’m developing a Resource Server using Spring Security OAuth2 (http://projects.spring.io/spring-security-oauth/docs/oauth2.html) which interacts with the Authorization Server to retrieve/validate auth tokens. The OAuth flow used here is ‘client credentials’. The application is working fine when the Resource Server starts after the Authorization Server, but in cases when the Resource Server starts before the Authorization Server, all client requests get an ‘invalid token’ error with status code 401.

I could think of using an interceptor to intercept the request using ClientHttpRequestInterceptor and have retry logic. But is there a correct approach to achieve a proper resiliency or recovery mechanism for the Resource Server when the Auth Server is not available for a short period of time?

Any pointers would be helpful.

Haran
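One way to bound the retry the question sketches, as an added example that is not part of the question or the answer: a ClientHttpRequestInterceptor that retries only on transport failures (IOException from the connection itself), with a capped attempt count and exponential back-off, and that passes every HTTP response through untouched. The class name and the constructor parameters maxAttempts and initialBackoffMillis are this example's own choices.

```java
import java.io.IOException;
import org.springframework.http.HttpRequest;
import org.springframework.http.client.ClientHttpRequestExecution;
import org.springframework.http.client.ClientHttpRequestInterceptor;
import org.springframework.http.client.ClientHttpResponse;

/**
 * Retries a call to the Authorization Server only when the connection itself fails
 * (refused, reset, timed out). Any HTTP response, including 401/403, is returned
 * unchanged: an answer from the Authorization Server is authoritative.
 */
public class ConnectFailureRetryInterceptor implements ClientHttpRequestInterceptor {
    private final int maxAttempts;
    private final long initialBackoffMillis;

    public ConnectFailureRetryInterceptor(int maxAttempts, long initialBackoffMillis) {
        if (maxAttempts < 1) {
            throw new IllegalArgumentException("maxAttempts must be at least 1");
        }
        this.maxAttempts = maxAttempts;
        this.initialBackoffMillis = initialBackoffMillis;
    }

    @Override
    public ClientHttpResponse intercept(HttpRequest request, byte[] body,
            ClientHttpRequestExecution execution) throws IOException {
        long backoff = initialBackoffMillis;
        IOException last = null;
        for (int attempt = 1; attempt <= maxAttempts; attempt++) {
            try {
                return execution.execute(request, body);
            } catch (IOException e) {
                last = e;                       // transport failure: server not reachable yet
                if (attempt == maxAttempts) {
                    break;                      // bounded, so we never amplify an outage
                }
                try {
                    Thread.sleep(backoff);
                } catch (InterruptedException ie) {
                    Thread.currentThread().interrupt();
                    throw last;
                }
                backoff = Math.min(backoff * 2, 5_000L); // exponential back-off, capped at 5 s
            }
        }
        throw last;
    }
}
```

Attach it to the RestTemplate that fetches the verifier key, for example from a JwtAccessTokenConverterRestTemplateCustomizer bean (assumed to be available in the Spring Boot version in use) via template.getInterceptors().add(...). A 401 from the Authorization Server still surfaces immediately, so a genuinely invalid token is not retried away.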

1 Answer


There was a ResourceServerProperties issue where the default filtering order was changed. Try this: security.oauth2.resource.filter-order = 3

OAuth 2 Resource Filter: The default order of the OAuth2 resource filter has changed from 3 to SecurityProperties.ACCESS_OVERRIDE_ORDER - 1. This places it after the actuator endpoints but before the basic authentication filter chain. The default can be restored by setting security.oauth2.resource.filter-order = 3

Release note of oauth-2-resource-filter

Vijay Nandwana
  • Thanks for the response. I'm using the Resource and Auth server separately. Could you please clarify how the filter-order makes a significance in my scenario (attempt to fetch the verifier key when the OAuth2 Server is not available for a short time)? – Haran Mar 29 '18 at 13:20