CODEWITHSUNDEEP
javaspringspring-bootoauthoauth-2.0
user962206
user962206

Reputation: 16147

Spring oauth2 /oauth/token invalid credentials

Here's my Application.java

@SpringBootApplication
@RestController
@EnableResourceServer
@EnableAuthorizationServer
public class Application {

    @RequestMapping(value = { "/user" }, produces = "application/json")
    public Map<String, Object> user(OAuth2Authentication user) {
        Map<String, Object> userInfo = new HashMap<>();
        userInfo.put("user", user.getUserAuthentication().getPrincipal());
        userInfo.put("authorities", AuthorityUtils.authorityListToSet(user.getUserAuthentication().getAuthorities()));
        return userInfo;
    }


    public static void main(String[] args) {
        SpringApplication.run(Application.class, args);
    }


}

WebSecurityConfigurer.java

@Configuration
public class WebSecurityConfigurer extends WebSecurityConfigurerAdapter {
    @Override
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable().authorizeRequests()
                .antMatchers("/oauth/token").permitAll().anyRequest().authenticated().and().formLogin().and().httpBasic();
    }

    @Override
    @Bean
    public UserDetailsService userDetailsServiceBean() throws Exception {
        return super.userDetailsServiceBean();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
                .inMemoryAuthentication()
                .withUser("john.carnell").password("password1").roles("USER")
                .and()
                .withUser("william.woodward").password("password2").roles("USER", "ADMIN");
    }
}

My Oauth2Config

@Configuration
public class OAuth2Config extends AuthorizationServerConfigurerAdapter {

    @Autowired
    private AuthenticationManager authenticationManager;

    @Autowired
    private UserDetailsService userDetailsService;

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
                .withClient("eagleeye")
                .secret("thisissecret")
                .authorizedGrantTypes("refresh_token", "password", "client_credentials")
                .scopes("webclient", "mobileclient");
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints
                .authenticationManager(authenticationManager)
                .userDetailsService(userDetailsService);
    }
}

I am trying to retrieve an access token though POSTMAN however, this error keeps showing up

 {
  "timestamp": 1491436452371,
  "status": 401,
  "error": "Unauthorized",
  "message": "Bad credentials",
  "path": "/oauth/token/"
}

These are values I'm passing in through POSTMAN

enter image description here

enter image description here

As you can I'm passing in the correct values so I doubt that it's the credentials that's causing the error

Upvotes: 0

Views: 2849

Answers (2)

Chris Rong
Chris Rong

Reputation: 131

You should encrypt the client secret (thisissecret)

@Autowired
private PasswordEncoder passwordEncoder;

@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
    clients.inMemory()
            .withClient("eagleeye")
            //.secret("thisissecret")
            .secret(passwordEncoder.encode("thisissecrete"))
            .authorizedGrantTypes("refresh_token", "password", "client_credentials")
            .scopes("webclient", "mobileclient");
}

The error comes up because of BCryptPasswordEncoder(org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder)

public boolean matches(CharSequence rawPassword, String encodedPassword) {
    if (encodedPassword == null || encodedPassword.length() == 0) {
        logger.warn("Empty encoded password");
        return false;
    }
    if (!BCRYPT_PATTERN.matcher(encodedPassword).matches()) {
        logger.warn("Encoded password does not look like BCrypt");
        return false;
    }

    return BCrypt.checkpw(rawPassword.toString(), encodedPassword);
}

if (!BCRYPT_PATTERN.matcher(encodedPassword).matches())

If your client secret is not encrypted, the following exception is thrown.

Encoded password does not look like BCrypt

Upvotes: 1

Harsh Gupta
Harsh Gupta

Reputation: 197

I agree with Luke Bajada. I had the same problem and the fix i had to do is to add @ComponentScan annotation and also import this module where i was writing all the code into the parent module by adding dependency.

Upvotes: 0

Related Questions