
I have successfully done the following tutorial for setting up some Spring Boot microservices that are secured by OAuth2: https://blog.viadee.de/microservices-absichern-mit-spring-boot-netflix-zuul-und-oauth-2-0-teil-1

In the tutorial they hardcoded the dependency version of spring-security-oauth2-autoconfigure in both the pom of the ResourceServer and the pom of the Auth-Server:

    <dependencyManagement>
        <dependencies>
            <dependency>
                <groupId>org.springframework.security.oauth.boot</groupId>
                <artifactId>spring-security-oauth2-autoconfigure</artifactId>
                <version>2.1.5.RELEASE</version>
            </dependency>
        </dependencies>
    </dependencyManagement>

It worked fine. But now that I use version 2.3.1.RELEASE for all my other Spring dependencies, I moved the spring-security-oauth2-autoconfigure dependency out of dependencyManagement to the "normal" dependencies and deleted the version line, so that it takes the parent's version:


    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.3.1.RELEASE</version>
        <relativePath/> <!-- lookup parent from repository -->
    </parent>

    <dependencies>
        <dependency>
            <groupId>org.springframework.security.oauth.boot</groupId>
            <artifactId>spring-security-oauth2-autoconfigure</artifactId>
        </dependency>
    </dependencies>

And now that I have done that, I get

    <InvalidTokenException>
        <error>invalid_token</error>
        <error_description>548d003e-c21e-445e-b184-d19fcc11ff4a</error_description>
    </InvalidTokenException>

when I try to access my Resource-Server. But the token looks identical. It only has one more attribute called "active": true when I check it at the auth-server by passing it to http://localhost:8001/oauth/check_token:

    {
        "active": true,   <--- This is new
        "exp": 1593397136,
        "user_name": "admin",
        "authorities": [
            "POST_USER",
            "GET_USER",
            "ZUGRIFF_PRODUKT_KATALOG"
        ],
        "client_id": "api-gateway",
        "scope": [
            "default"
        ]
    }

Does anybody have an idea what has changed? Is there another algorithm? Do I have to do additional configuration? Or does the 2.3.1.RELEASE of spring-security-oauth2-autoconfigure not exist? I would think that when a new Spring version is released, all components will be released too, with the same version. Am I wrong?

I know it's hard to say without reading the tutorial, but maybe somebody has had the problem too.

I do not even know where to start searching. There seem to be endless possibilities to configure the security in Spring and everybody has only a little solution. I never found an overview of all possible dependencies and how they have to be combined. When I get something done by a tutorial I always have in my mind "How the hell should anybody figure this out".

Thanks for any idea or advice

MarkusJackson

1 Answer

The doc says that the libraries spring-security-oauth2 and spring-security-oauth2-autoconfigure are in maintenance. So it's best if you don't use them. Also please check the OAuth2 feature matrix.

For securing a resource server, you only need org.springframework.boot:spring-boot-starter-oauth2-resource-server along with web.

Abhinaba Chakraborty
  • Thank you, but if I only use that dependency, then it can't resolve the import for the @EnableResourceServer annotation: `org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer` – MarkusJackson Jul 20 '20 at 11:10
  • @MarkusJackson You don't need that annotation. Please check this gist https://gist.github.com/abhi2495/a7dbe58a99344430389855b37b7a0523 – Abhinaba Chakraborty Jul 20 '20 at 12:19
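
An added example, not taken from the tutorial, the answer or the linked gist: one way a resource server built on spring-boot-starter-oauth2-resource-server can validate the opaque token from the question without `@EnableResourceServer`, by implementing Spring Security's `OpaqueTokenIntrospector` against the `/oauth/check_token` endpoint and rejecting any response that is not `"active": true`. The class name `CheckTokenIntrospector` and the `<client-id>`/`<client-secret>` placeholders are assumptions; the URL and claim names come from the question.

```java
// Added example (assumes Spring Boot 2.3.x / Spring Security 5.3); not the tutorial's or the gist's code.
import java.util.*;
import org.springframework.boot.web.client.RestTemplateBuilder;
import org.springframework.http.*;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.core.*;
import org.springframework.security.oauth2.server.resource.introspection.*;
import org.springframework.stereotype.Component;
import org.springframework.util.*;
import org.springframework.web.client.*;

@Component
public class CheckTokenIntrospector implements OpaqueTokenIntrospector {
    // Endpoint taken from the question; use HTTPS outside a local setup.
    private static final String CHECK_TOKEN_URI = "http://localhost:8001/oauth/check_token";
    private final RestTemplate rest;

    public CheckTokenIntrospector(RestTemplateBuilder builder) {
        // Placeholders: the resource server's own client credentials at the auth server.
        this.rest = builder.basicAuthentication("<client-id>", "<client-secret>").build();
    }

    @Override
    public OAuth2AuthenticatedPrincipal introspect(String token) {
        MultiValueMap<String, String> form = new LinkedMultiValueMap<>();
        form.add("token", token);
        HttpHeaders headers = new HttpHeaders();
        headers.setContentType(MediaType.APPLICATION_FORM_URLENCODED);
        Map<String, Object> claims;
        try {
            claims = rest.postForObject(CHECK_TOKEN_URI, new HttpEntity<>(form, headers), Map.class);
        } catch (RestClientException e) {
            // Covers error responses for unknown tokens and an unreachable auth server.
            throw new OAuth2IntrospectionException("check_token request failed", e);
        }
        // Fail closed: only an explicit "active": true is accepted.
        if (claims == null || !Boolean.TRUE.equals(claims.get("active"))) {
            throw new OAuth2IntrospectionException("token is not active");
        }
        // Map the "authorities" claim (e.g. GET_USER) to Spring Security authorities.
        List<GrantedAuthority> authorities = new ArrayList<>();
        if (claims.get("authorities") instanceof Collection) {
            for (Object a : (Collection<?>) claims.get("authorities")) {
                authorities.add(new SimpleGrantedAuthority(String.valueOf(a)));
            }
        }
        Object name = claims.getOrDefault("user_name", claims.get("client_id"));
        return new DefaultOAuth2AuthenticatedPrincipal(String.valueOf(name), claims, authorities);
    }
}
```

With this bean in the context, `http.oauth2ResourceServer().opaqueToken()` in the security configuration uses it to authenticate bearer tokens.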