rgolovakha

Reputation: 528

spring security token request requires authentication

I am trying to implement the Authorization Code Grant Flow of OAuth 2.0, but I am stuck with the issue of an authentication popup on the token request.

Here is my code.

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;

@SpringBootApplication
public class Main {
    public static void main(String[] args) {
        SpringApplication.run(Main.class, args);
    }
}

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // The resource owner who signs in at the /login form.
    // configure(AuthenticationManagerBuilder) is the WebSecurityConfigurerAdapter
    // hook for registering users (there is no init(AuthenticationManagerBuilder) to override).
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .withUser("admin").password("abc").roles("ADMIN");
    }

    // Expose the AuthenticationManager as a bean so that AuthServerOAuth2Config
    // can @Autowired it.
    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/login").permitAll()
                .anyRequest().authenticated()
                .and()
                .formLogin().permitAll()
                .and().csrf().disable();
    }
}

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.code.AuthorizationCodeServices;
import org.springframework.security.oauth2.provider.code.InMemoryAuthorizationCodeServices;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore;

// @EnableAuthorizationServer registers /oauth/authorize, /oauth/token,
// /oauth/check_token and /oauth/token_key. The /oauth/token endpoint is
// protected by HTTP Basic authentication of the *client* (client id and
// client secret), independently of the user session used at /oauth/authorize.
@Configuration
@EnableAuthorizationServer
public class AuthServerOAuth2Config
        extends AuthorizationServerConfigurerAdapter {

    @Autowired
    private AuthenticationManager authenticationManager;

    @Override
    public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
        // Access rules for /oauth/token_key and /oauth/check_token.
        // (allowFormAuthenticationForClients() would additionally let clients
        // send client_id/client_secret as form parameters instead of Basic auth.)
        oauthServer
                .tokenKeyAccess("permitAll()")
                .checkTokenAccess("isAuthenticated()");
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        // The registered OAuth client; these are the credentials expected in the
        // Authorization: Basic header on the token request.
        clients.inMemory()
                .withClient("test")
                .secret("test_secret")
                .authorizedGrantTypes("authorization_code")
                .scopes("write");
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints)
            throws Exception {
        endpoints
                .authorizationCodeServices(authorizationCodeServices())
                .authenticationManager(authenticationManager)
                .tokenStore(tokenStore())
                .approvalStoreDisabled();
    }

    @Bean
    public TokenStore tokenStore() {
        // Tokens are kept in memory; they are lost on restart.
        return new InMemoryTokenStore();
    }

    @Bean
    protected AuthorizationCodeServices authorizationCodeServices() {
        // Authorization codes are kept in memory as well.
        return new InMemoryAuthorizationCodeServices();
    }
}

To get token I do the following steps:

  1. Using browser go to: http://localhost:9000/oauth/authorize?response_type=code&client_id=test&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2F&scope=write

  2. First it redirects me to a login form, where I enter the username and password: admin abc

  3. Then it asks whether I allow granting the permission to my "test" client.
  4. It redirects me to the "redirect uri": http://localhost:8080?code=XXX
  5. Then I copy the code and use Google Advanced Rest Client to send the token request: POST on http://localhost:9000/oauth/token?client_id=test&grant_type=authorization_code&code=XXX without any headers. As far as I understand, Poster should use the browser cookie.
  6. As a result, on the token request I see a popup asking me to fill in a username and password, while I expect to get an access token in the response.


Please help me solve the issue. Should I add some headers to my token request? Or is my Authorization Server config not correct?

Upvotes: 2

Views: 791

Answers (1)

rgolovakha

Reputation: 528

I found the reason for the issue myself just by reading other resources on the OAuth2 specification. It is required to send an Authorization header on the token request with the following value:

Authorization: Basic {base64 encode of clientId:clientSecret}

Upvotes: 1
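The token request from step 5 of the question, rewritten the way the answer says it must be sent, as an added example that is not part of the original post. The client id "test", secret "test_secret", code "XXX", redirect URI and token endpoint are the values from the question; the header construction and the server-side check follow RFC 6749 (sections 2.3.1 and 4.1.3) and are not Spring's code. The example goes slightly beyond the answer: the code and grant_type go in the form-encoded body rather than the query string, redirect_uri is repeated because it was sent on the authorize request, and the server side shows what the Basic-auth filter in front of /oauth/token effectively verifies.

```python
"""Added example: OAuth 2.0 authorization_code token request with HTTP Basic
client authentication, plus the matching server-side credential check.
Not code from the original post or from Spring Security OAuth."""
import base64
import hmac
import urllib.parse
import urllib.request

TOKEN_ENDPOINT = "http://localhost:9000/oauth/token"   # endpoint from the question


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Value for 'Authorization: Basic {base64(clientId:clientSecret)}'.

    RFC 6749 section 2.3.1 form-urlencodes both parts before base64 so that a
    ':' inside a secret cannot be confused with the separator. For plain
    values such as test / test_secret the encoding is a no-op.
    """
    user = urllib.parse.quote(client_id, safe="")
    pw = urllib.parse.quote(client_secret, safe="")
    token = base64.b64encode(f"{user}:{pw}".encode("ascii")).decode("ascii")
    return f"Basic {token}"


def build_token_request(code: str, client_id: str, client_secret: str,
                        redirect_uri: str = None) -> urllib.request.Request:
    """Build (without sending) the POST to the token endpoint.

    Parameters travel in the x-www-form-urlencoded body, and the client
    credentials travel in the Authorization header, not as query parameters.
    """
    params = {"grant_type": "authorization_code", "code": code}
    if redirect_uri is not None:
        # Required when redirect_uri was included in the authorize request
        # (RFC 6749 section 4.1.3); the server compares it with the original.
        params["redirect_uri"] = redirect_uri
    body = urllib.parse.urlencode(params).encode("ascii")
    return urllib.request.Request(
        TOKEN_ENDPOINT,
        data=body,
        method="POST",
        headers={
            "Authorization": basic_auth_header(client_id, client_secret),
            "Content-Type": "application/x-www-form-urlencoded",
        },
    )


# Server side: the in-memory client registered in the question's config.
REGISTERED_CLIENTS = {"test": "test_secret"}   # constructed from the question


def authenticate_client(authorization_header, clients=REGISTERED_CLIENTS):
    """Return the client_id if the Basic header carries valid credentials.

    Returns None (which a real filter turns into a 401 with a
    WWW-Authenticate challenge, i.e. the popup from the question) when the
    header is missing, malformed, names an unknown client or has a wrong secret.
    """
    if not authorization_header:
        return None
    scheme, _, value = authorization_header.partition(" ")
    if scheme.lower() != "basic" or not value:
        return None
    try:
        decoded = base64.b64decode(value, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, pw = decoded.partition(":")
    if not sep:
        return None
    client_id = urllib.parse.unquote(user)
    secret = urllib.parse.unquote(pw)
    expected = clients.get(client_id)
    if expected is None:
        return None
    # Constant-time comparison so a wrong secret is not distinguishable by timing.
    if not hmac.compare_digest(secret.encode("utf-8"), expected.encode("utf-8")):
        return None
    return client_id


if __name__ == "__main__":
    req = build_token_request("XXX", "test", "test_secret",
                              redirect_uri="http://localhost:8080/")
    print(req.get_method(), req.full_url)
    print("Authorization:", req.get_header("Authorization"))
    print("body:", req.data.decode())
    print("server accepts:", authenticate_client(req.get_header("Authorization")))
```

Sending the request for real is just `urllib.request.urlopen(req)` against the running server. One caveat: not every server applies the percent-decoding step from section 2.3.1 when it parses the Basic header, so the safe choice is a client secret without ':' or non-ASCII characters; and because the token endpoint authenticates the client rather than the user, the browser's session cookie from the login step is irrelevant to it, which is exactly why the REST client got a credential popup.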
