3

First time Spring security user here. Trying to authenticate a user through OAuth2 "Implicit grant" flow in a Spring boot app using Google. Here is the WebSecurityConfig code:

@EnableWebSecurity
public class WebSecurityConfigForTokenAuth extends WebSecurityConfigurerAdapter {

@Value("${spring.security.oauth2.resourceserver.jwt.issuer-uri}")
private String issuer;

@Value("${spring.security.oauth2.resourceserver.jwt.jwk-set-uri}")
private String jwkSetUri;

@Value("${google.client-id}")
private String clientId;

@Value("${google.iss}")
private String iss;

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
        .authorizeRequests()
        .anyRequest().authenticated().and()
        .oauth2ResourceServer()
        .jwt().decoder(jwtDecoder());
}

@Bean
JwtDecoder jwtDecoder() {
    NimbusJwtDecoder jwtDecoder = (NimbusJwtDecoder)
            JwtDecoders.fromOidcIssuerLocation(issuer);        

    OAuth2TokenValidator<Jwt> audienceValidator = new AudienceValidator(clientId);
    OAuth2TokenValidator<Jwt> withIssuer = JwtValidators.createDefaultWithIssuer(iss);
    OAuth2TokenValidator<Jwt> withAudience = new DelegatingOAuth2TokenValidator<> 
    (withIssuer, audienceValidator);

    jwtDecoder.setJwtValidator(withAudience);

    return jwtDecoder;
}

}

Here is the application.yml:

spring:
  security:
    oauth2:
      client:
        registration:
         google:
          clientId: ****.apps.googleusercontent.com
          clientSecret: 5uZ-****-
          scope:
           - email
           - profile
      resourceserver:
        jwt:
          issuer-uri: https://accounts.google.com
          jwk-set-uri: https://accounts.google.com/.well-known/openid-configuration

google:
  client-id: ***.apps.googleusercontent.com
  clientSecret: 5uZ-***-
  iss: accounts.google.com

I am able to retrieve the token using SoapUI, like this: Getting token using SoapUI

and I am sending that token using Authorization: Bearer header in the request to my server at http://localhost:8080/list, I am getting the error saying invalid_token: Invalid_token error Any idea why spring security thinks this token is invalid?

BlaMath20
  • 31
  • 2
  • You might want to have a look at the documentation [javascript-implicit-flow](https://developers.google.com/identity/protocols/oauth2/javascript-implicit-flow#oauth-2.0-endpoints_1) Why would you be using implicit flow for Java? As far as i know its only going to work with a client side language like javascript. – Linda Lawton - DaImTo Sep 15 '21 at 08:09
  • I am learning and wanted to do the simplest thing first. All I want to do is to retrieve an Access Token using SoapUI from Google and send that token to my spring server and see if the spring server is able to retrieve user info from google using that token. Not sure what this has to do with JavaScript though because I am not using JavaScript anywhere in this. – BlaMath20 Sep 15 '21 at 08:16
  • 1
    If you want the simplest thing first then go with [OauthPlayground](https://developers.google.com/oauthplayground/) click the gear on the top right corner and you can add your own client id. I would not be putting my private developer credentials into a third party app like SoapUI personally. Why not use use your [application](https://spring.io/guides/tutorials/spring-boot-oauth2/) to get you the access token you will have to do it eventually. – Linda Lawton - DaImTo Sep 15 '21 at 09:03
  • Sorry but could you please help me solve my current issue? As I have mentioned, retrieving the token is not my issue. I am focusing on the spring security part where the spring app is accessed using that token and the spring app needs to validate that token and get profile data from Google. If you have any suggestion on why it is saying token invalid I would be grateful. BTW, I verified that token is valid using https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=accessToken – BlaMath20 Sep 15 '21 at 09:29
  • Why not just send that request with spring then? Sorry i am having issues understanding why you are doing it this way. – Linda Lawton - DaImTo Sep 15 '21 at 09:58
  • How does it matter how I send a request to spring backend? It is basically a REST API which can be invoked by any client. The client could be an android app or an SPA. It will get the access token from google directly and pass it on to Spring back end to access the REST API. It is fairly straight forward and a common flow to implement. Again, the issue is spring is not able to process the token. It gets the token and generates and "Invalid Token" message. I need to fix that issue. Nothing else. – BlaMath20 Sep 15 '21 at 10:07
  • Invalid Token means that the token you are sending is not valid. It could be expired, it could be created wrong, You could be using it wrong you could be trying to use it with the wrong system. Unfortunately I don't understand what it is you are trying to do enough to help you further. I suggest again that you go though a tutorial that explains how OAuth should be used with Spring, because what you are doing is not how it is intended to work. This [example](https://spring.io/guides/tutorials/spring-boot-oauth2/) appears to show how to authorize a user to Google. Good luck. – Linda Lawton - DaImTo Sep 15 '21 at 10:39
  • I have a similar issue in my case: https://stackoverflow.com/questions/70036426/spring-boot-oauth2-resource-server-google In my case, the client application is just a Spring Boot application that authenticates the user via Google. Interesting point is that with Okta provider, everything works out of the box. – Samir Maksimov Nov 21 '21 at 12:25

0 Answers0