password for oauth token endpoint

Question

I am trying to add OAuth to a rest service that I am developing with Spring framework. I am using annotation based configuration and spring-boot to get it running.

I have the following class in my project:

@Configuration
@EnableWebSecurity
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
public class SecuritySettings extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
                .withUser("admin").password("123").authorities("ROLE_USER");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().authenticated()
            .and().httpBasic().and().csrf().disable();
    }
}

and my authorization server configuration is as follows:

@Configuration
@EnableAuthorizationServer
public static class MyAuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory().withClient("web")
                .authorizedGrantTypes("password")
                .authorities("ROLE_CLIENT","ROLE_TRUSTED_CLIENT","ROLE_USER")
                .scopes("read", "write")
                .resourceIds(RESOURCE_ID);
    }
 }

When I make a GET request to /oauth/token/ end point I am asked to enter HTTP basic credentials. When I try to login with the admin user then the following is logged

o.s.s.o.provider.endpoint.TokenEndpoint  : Handling error: NoSuchClientException, No client with requested id: admin

Entering username as web works, but I don't know the password for it. A default password is logged but it doesn't work either.

Using default security password: f23087f8-58ce-e3d-bc62-58bf0963e75c

So what is this password? Where can I find it? How can I set it?

Answer 1

The API you are using is from this builder class.

The token endpoint is used by client applications to request access tokens for resources. It isn't used by browser end users. OAuth2 clients are usually allocated a "client secret" which they can use to authenticate at the endpoint, generally with Basic authentication as described in the OAuth 2.0 spec.

So to answer your specific question, you would use the "secret" method on the builder API, and use the value to authenticate as the client:

clients.inMemory().withClient("web")
    .authorizedGrantTypes("password")
    .secret("webclientsecret")
    ...

Also, the "password" grant means that the client requests tokens using an end users ID and password, just to make sure that's what you actually intend. It's not related to the password issue here.

Answer 2

This is the OAuth access token. It is based on user login and password and used to access protected resources. URL "/oauth/token" is used to fetch access tokens instead of available Request Token. This request is digitally signed on the basis of Request Token secret.

The Oauth protocol uses this access tokens in this way:

1. Application-Consumer gets Request Token.

2. User is redirected on the Service Provider's site and authorizes Request Token there. (If authorization is made via Http basic, then you should add request header with name "Authorization" and value "Basic EncodeBase64("name:password")", where EncodeBase64 is a function, "name" and "password" are user name and user password.

3. Application-Consumer exchanges Request Token on Access Token.

4. Application-Consumer sends authorized requests to the service's API.

You can't find additional info in OAuth 2 Developers Guide and Spring Social Reference

I hope you've got answer to your question(or get closer to it). =)