
Given separate spring-security-oauth2 authorization and resource servers:

I expected the authorization server's /oauth/check_token endpoint to accept a Bearer token from a resource server in the Authorization header but it only accepts Basic auth. Note: I'm referring to the request auth token, not the token to be checked.

I think OAuth2AuthenticationProcessingFilter is responsible for extracting and validating Authorization: Bearer ..., but based on the javadoc it appears to be used only by resource servers to validate requests from users or other clients.

Should resource servers always provide Basic auth when communicating with the authorization server? What's the best practice? If Bearer tokens are acceptable, does the authorization server need to be configured as a resource server via @EnableResourceServer in order to get this functionality?

geg

1 Answer


Note from the Javadoc for CheckTokenEndpoint:

Controller which decodes access tokens for clients who are not able to do so (or where opaque token values are used).

Since the client authenticates with the authorization server with Basic auth to grant access, it makes sense for the /oauth/check_token endpoint to require Basic auth as well.

Usually, the tokens the resource server receives are self-encoding (or backed by a token store), so it doesn't need to check the token by directly communicating with the authorization server anyway. Communication between the resource server and authorization server is not necessary.

If it does need to interact with the authorization server, it might be to obtain its public key if you're using JWTs. But there would be no real use in securing this endpoint, since it's a public key for a reason. Again, this would happen when the resource server starts up, and certainly not for every token it receives.

dur
NatFar
  • We are using JWTs. However, we want to enable clients to check if a token has been revoked for some critical endpoints (I understand this is non-standard) and this validation is tied into the auth server's /check_token endpoint. – geg May 08 '19 at 14:12
  • To your first point about clients authenticating with the auth server via basic auth, do you mean that there's no need to use anything other than basic auth because they would need to do so anyway the first time to get a token? ...and a purpose of OAuth is to protect creds from passing through non-auth servers, which is irrelevant in this case because the client is communicating with it directly? – geg May 08 '19 at 14:18
  • Yes; the client authenticates with the authorization server to generate the token. If the resource server wants to check the validity of a token, it would access a database that the authorization server updates instead of interacting with the authorization server directly. If not, just have the client validate the token directly with the auth server. – NatFar May 08 '19 at 15:17
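As an added illustration (not code from the question, the answer or the Spring project itself), this is how a spring-security-oauth2 resource server is normally wired to call the authorization server's /oauth/check_token endpoint: through RemoteTokenServices, which authenticates to that endpoint with the resource server's own client id and secret over HTTP Basic, exactly the behaviour the question ran into. The property names and the endpoint URL are placeholders.

```java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.RemoteTokenServices;
import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;

@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    // Placeholder property names (assumptions). Bind them to externalised
    // configuration so the client secret is never hard-coded in the source.
    @Value("${auth.check-token-url}")   // e.g. https://auth.example.invalid/oauth/check_token
    private String checkTokenUrl;

    @Value("${auth.client-id}")
    private String clientId;

    @Value("${auth.client-secret}")
    private String clientSecret;

    @Bean
    public ResourceServerTokenServices tokenServices() {
        RemoteTokenServices services = new RemoteTokenServices();
        services.setCheckTokenEndpointUrl(checkTokenUrl);
        // RemoteTokenServices sends these two values as an HTTP Basic
        // Authorization header on every check_token call: the resource server
        // authenticates as a registered OAuth2 client. The bearer token under
        // inspection travels in the POST body ("token" form parameter), not in
        // the Authorization header, which is why a Bearer header is not accepted there.
        services.setClientId(clientId);
        services.setClientSecret(clientSecret);
        return services;
    }

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        // Every Bearer token presented to this resource server is resolved by
        // the remote call configured above instead of a local token store.
        resources.tokenServices(tokenServices());
    }
}
```

Because this resolves every incoming token with a round trip to the authorization server, it gives the revocation check asked for in the comments at the cost the answer points out, so it is usually reserved for opaque tokens or for the few critical endpoints that need it.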