Reputation: 21
I am trying to build a Spring Boot OAuth2 authorization server and resource server separately.
To get the authentication for the request token, the resource server calls the configured URI.
    security:
      oauth2:
        resource:
          user-info-uri: http://localhost:9999/uaa/user
In the authorization server I implemented the /user method as described in some tutorials, for example:
https://spring.io/blog/2015/02/03/sso-with-oauth2-angular-js-and-spring-security-part-v
    import java.security.Principal;

    import org.springframework.boot.autoconfigure.SpringBootApplication;
    import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
    import org.springframework.web.bind.annotation.RequestMapping;
    import org.springframework.web.bind.annotation.RestController;

    @SpringBootApplication
    @RestController
    @EnableAuthorizationServer
    public class ApplicationAuthorizationServer {
        ...
        // Called by the resource server with the bearer token; returns the authenticated user
        @RequestMapping("/user")
        public Principal user(Principal user) {
            return user;
        }
    }
In Spring Boot the autoconfiguration creates a UserInfoTokenService, which is used by the OAuth2AuthenticationProcessingFilter to call the /user method, which is expected to return a Map.
The first question is:
A Principal isn't a Map. How does this work together?
The second question is:
If the UserInfoTokenService calls the /user method on the authorization server, the Principal parameter is null and the authentication fails.
Who fills the Principal parameter with a value?
And the last question is:
Because I have invested so much time in vain, I tried to use the other URI:
    security:
      oauth2:
        resource:
          token-info-uri: http://localhost:9999/uaa/oauth/check_token
But if I define only this URI, the OAuth2AuthenticationProcessingFilter uses the DefaultTokenService and tries to find the token in the in-memory token store of the resource server. The service doesn't find it and returns an authentication error.
Spring Boot autoconfiguration should create a service like TokenInfoTokenService, for example, to call the token-info endpoint.
Why is the DefaultTokenService created in this case?
Could someone help me?
Upvotes: 2
Views: 2892
Reputation: 65
I might be able to provide you with some answers:
A Principal isn't a Map. How does it work together?
The map returned will be taken by Spring Security and then the single keys will be mapped to the fields of the Principal. So if the map includes the field "authorities", this will be mapped to the principal's authorities. Same with user_name etc.
Who fills the Principal parameter with a value?
In case of the following configuration:
    security:
      oauth2:
        resource:
          token-info-uri: http://localhost:9999/uaa/oauth/check_token
The RemoteTokenServices.java loads the Principal in the loadAuthentication(String accessToken) method and adds all the values by using the token converter.
Hope this helps.
Upvotes: 1
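An added example, not code from the question, the answer or the linked tutorial, of the authorization-server side that makes the user-info-uri flow work: /user returns an explicit Map with the keys the resource server's UserInfoTokenServices reads, and the endpoint is protected with @EnableResourceServer so the bearer token sent by the resource server is actually checked and the Principal parameter is populated instead of null. It assumes Spring Boot 1.x with spring-security-oauth2 as in the linked tutorial; the nested class name UserEndpointProtection is an invented one.

```java
import java.security.Principal;
import java.util.LinkedHashMap;
import java.util.Map;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@SpringBootApplication
@RestController
@EnableAuthorizationServer
public class ApplicationAuthorizationServer {

    public static void main(String[] args) {
        SpringApplication.run(ApplicationAuthorizationServer.class, args);
    }

    // Return a Map rather than the raw Principal: "name" and "authorities" are
    // among the keys UserInfoTokenServices reads on the resource server when it
    // builds an OAuth2Authentication from the JSON body.
    @RequestMapping("/user")
    public Map<String, Object> user(Principal principal) {
        Map<String, Object> body = new LinkedHashMap<>();
        body.put("name", principal.getName());
        if (principal instanceof Authentication) {
            body.put("authorities", AuthorityUtils.authorityListToSet(
                    ((Authentication) principal).getAuthorities()));
        }
        return body;
    }

    // The resource server calls /user with "Authorization: Bearer <token>".
    // Nothing here validates that header unless /user is itself protected as a
    // resource: this installs the OAuth2AuthenticationProcessingFilter for /user,
    // so the token is looked up in the local token store and Principal is set.
    @Configuration
    @EnableResourceServer
    protected static class UserEndpointProtection extends ResourceServerConfigurerAdapter {
        @Override
        public void configure(HttpSecurity http) throws Exception {
            http.antMatcher("/user").authorizeRequests().anyRequest().authenticated();
        }
    }
}
```

Without the nested resource-server configuration the filter that converts the bearer token into a Principal never runs on the authorization server, which is why the parameter arrives as null.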