I'm trying to implement OAuth2 authentication with Google in my Spring Boot Angular application, but I'm getting an "invalid_request" error with the message "client_secret is missing". I have configured the client_id and client_secret in my application.yml file as follows:

spring:
  security:
    oauth2:
      client:
        registration:
          google:
            clientId: <my-client-id>
            clientSecret: <my-client-secret>

However, it seems that the client_secret is not being passed correctly in the OAuth2 authorization request. I've enabled debug logging for the Spring RestTemplate and the log shows that the client_secret is missing from the request:

HTTP POST https://www.googleapis.com/oauth2/v4/token
Writing [{grant_type=[authorization_code], code=[4/0EWygzh84wyVNXT4HcB_OaRr465vKH-a8mnQW5AuqCFA9uRVkbkvEMmq3RpV-qVxl1h1xgg], redirect_uri=[http://localhost:8014/demo/login/oauth2/code/google], client_id=[<my-client-id>]}] as "application/x-www-form-urlencoded;charset=UTF-8"

I'm not sure what's causing this issue. Any help would be appreciated. Thank you!

at org.springframework.security.oauth2.client.oidc.authentication.OidcAuthorizationCodeAuthenticationProvider.authenticate(OidcAuthorizationCodeAuthenticationProvider.java:144):

There is this line:

OAuth2AccessTokenResponse accessTokenResponse = getResponse(authorizationCodeAuthentication);

and in the authorizationCodeAuthentication I have a clientRegistration that HAS the client secret!!!:

ClientRegistration{registrationId='google', clientId='<my-client-id>', clientSecret='<my-client-secret>', clientAuthenticationMethod=org.springframework.security.oauth2.core.ClientAuthenticationMethod@4fcef9d3, authorizationGrantType=org.springframework.security.oauth2.core.AuthorizationGrantType@5da5e9f3, redirectUri='{baseUrl}/{action}/oauth2/code/{registrationId}', scopes=[openid, profile, email], providerDetails=org.springframework.security.oauth2.client.registration.ClientRegistration$ProviderDetails@4ec90377, clientName='Google'}
Ciro Dolce

1 Answer

Had the same problem, make sure you're using:

clientAuthenticationMethod: client_secret_post in your application.yml

post was deprecated in Spring Security 5.5 in favor of client_secret_post

For reference: https://github.com/spring-projects/spring-security/issues/9220

Leonardo Rivera
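
Where each client authentication method puts the secret on the wire, as an added example that is not part of the original answer and not Spring Security's code: client_secret_post sends it as a form parameter in the token request body, client_secret_basic sends it in the Authorization header (RFC 6749 section 2.3.1). The function names and sample credentials are constructed for illustration; the checker helps when reading a request log like the one in the question, which shows only the body.

```python
import base64
from urllib.parse import parse_qs, quote_plus, urlencode


def build_token_request(method, client_id, client_secret, code, redirect_uri):
    """Return (headers, body) for an authorization_code token request."""
    headers = {"Content-Type": "application/x-www-form-urlencoded;charset=UTF-8"}
    form = {"grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri}
    if method == "client_secret_post":
        # Credentials travel as form parameters in the request body.
        form["client_id"] = client_id
        form["client_secret"] = client_secret
    elif method == "client_secret_basic":
        # Credentials travel in the Authorization header: each part is
        # form-urlencoded, joined with ":", then base64-encoded.
        pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
        headers["Authorization"] = "Basic " + base64.b64encode(pair.encode()).decode()
    else:
        raise ValueError(f"unsupported client authentication method: {method}")
    return headers, urlencode(form)


def secret_location(headers, body):
    """Report where a token request carries the client secret, if anywhere."""
    if "client_secret" in parse_qs(body):
        return "body"
    if headers.get("Authorization", "").startswith("Basic "):
        return "header"
    return "missing"


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    args = ("sample-client-id", "sample-secret", "sample-code",
            "http://localhost:8014/demo/login/oauth2/code/google")
    for method in ("client_secret_post", "client_secret_basic"):
        headers, body = build_token_request(method, *args)
        print(method, "->", secret_location(headers, body))
    # Constructed request with a client_id-only body and no Authorization header.
    bare = "grant_type=authorization_code&code=sample-code&client_id=sample-client-id"
    print("bare request ->", secret_location({}, bare))
```
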