
I've been migrating my microservices to Spring Boot 3.0.2, and now I have to use Spring Security version 6, but I'm facing a problem when the request body for the OAuth provider is built in the background. When I looked at the logs I realized that the field client_secret is always forgotten; that's why client_secret is missing from the request and the OAuth provider returns a 401 UNAUTHORIZED with reason:

Decoded [{error=true, type=invalid_client, message=Missing client_secret parameter, details={name=OAuth2Error, message=Missing client_secret parameter, headers={WWW-Authenticate=Basic realm="Service"}, code=401, error=invalid_client, error_description=Missing client_secret parameter}}]

It's important to say that before migrating to Spring Security 6, in other words, when I used Spring Security 5.X, it was working successfully!

  1. I saw the application can retrieve the values from environment variables correctly.

  2. This log shows that the field client_secret was ignored.

  3. Here we can see a successful request with the previous Spring Security version; the field client_secret was present.

  4. Here is my spring configuration

  5. This is my WebSecurityConfig

I tried to rewrite the WebSecurityConfig in several ways, but none of them worked.

  • 1
    Please share your code, not pictures of your code. Also, have you reviewed the migration guide for [OAuth deprecations](https://docs.spring.io/spring-security/reference/5.8/migration/servlet/oauth2.html#_clientauthenticationmethod)? – Steve Riesenberg Feb 24 '23 at 16:11

1 Answer

I believe you can replace post with client_secret_post in your application.yml.

Steve Riesenberg
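
Where that value sits in `application.yml`, as an added illustration that is not part of the original answer or the asker's configuration. The registration id `my-provider`, the token URI, the environment variable names and the grant type are assumptions.

```yaml
# Constructed example: "my-provider", the token URI and the
# environment variable names are placeholders, not the asker's values.
spring:
  security:
    oauth2:
      client:
        registration:
          my-provider:
            client-id: ${OAUTH_CLIENT_ID}
            client-secret: ${OAUTH_CLIENT_SECRET}
            authorization-grant-type: client_credentials   # assumed grant type
            # Value used with Spring Security 5.x (deprecated, per the linked migration guide):
            #   client-authentication-method: post
            # Value to use with Spring Security 6:
            client-authentication-method: client_secret_post
        provider:
          my-provider:
            token-uri: https://auth.example.com/oauth/token   # placeholder URL
```

The same migration guide maps the deprecated `basic` value to `client_secret_basic`.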