Invalid access token on accessing unsecured resource oauth2

Question

I have implemented spring-security-oauth2 in application, with lots of efforts. And everything is working fine. The resource are being accessed with authorization token only. But when I try to access unsecure resource , with Authorization Header, it validates access token.

And if the access token is valid then its working right, but if the access token is invalid, it shows me error Invalid access_token.

Answer 1

You must be configuring the HTTP pattern in your OAuth configuration file. Check if you configure the URLs with '*'

<http pattern="/detail/**" create-session="never"
        entry-point-ref="oauthAuthenticationEntryPoint"
        xmlns="http://www.springframework.org/schema/security">
        <anonymous enabled="false" />
        <!-- intercept-url pattern -->
        <intercept-url pattern="/detail/**" access="IS_AUTHENTICATED_FULLY" />
        <custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
        <access-denied-handler ref="oauthAccessDeniedHandler" />
    </http>

For example in above configuration, I have made all the APIs secured which start 'detail'. You may also have unknowingly/unintentionally made an API secured. Make sure you don't!

Answer 2

Spring security intercepts every request and check for validity of access_token unless explicitly user specifies to permit the access of URl. Like if you want not to intercept the url pattern and check the authentication, then code would be like

<http ...>
    <intercept-url pattern="/app/**" access="IS_AUTHENTICATED_FULLY" />
   <intercept-url pattern="/oauth2/resource/**" access="ROLE_USER" />
</http>

But if you want to access resources without any security the you can do something like this :

<http pattern="/resources/**" security="none"/>

Hope this solves your problem