Matthieu Meunier

Reputation: 473

Spring security oauth2 - Can't access /oauth/token route

I've just begun to make an authentication server for my REST API by following this tutorial: https://jugbd.org/2017/09/19/implementing-oauth2-spring-boot-spring-security/. Everything went well until the very end, where I just couldn't access the /oauth/token route in order to authenticate.

I think I need a little more explanation in order to fully understand this authentication.

Thank you, Matthieu Meunier

PS: Here are my classes:

ResourceServerConfig.java

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {
    @Override
    public void configure(HttpSecurity http) throws Exception {
        // Resource-server rules only: "/" is public, anything under /api/secure
        // needs a valid access token. /oauth/token is not governed here.
        http.authorizeRequests()
                .antMatchers("/").permitAll()
                .antMatchers("/api/secure/**").authenticated();
    }
}

AuthorizationServerConfig.java

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;

@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {
    @Autowired
    private AuthenticationManager authenticationManager;

    @Override
    public void configure(AuthorizationServerSecurityConfigurer serverSecurityConfigurer){
        // /oauth/token_key is public, /oauth/check_token needs an authenticated client,
        // and clients may send client_id/client_secret as form parameters instead of HTTP Basic.
        serverSecurityConfigurer
                .tokenKeyAccess("permitAll()")
                .checkTokenAccess("isAuthenticated()")
                .allowFormAuthenticationForClients();
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception{
        // Grant type names use underscores: "client-credentials" would never match a request.
        clients.inMemory().withClient("android-client")
                .authorizedGrantTypes("client_credentials", "password", "refresh_token")
                .authorities("ROLE_CLIENT", "ROLE_ANDROID_CLIENT")
                .scopes("read", "write", "trust")
                .resourceIds("oauth2resource")
                .accessTokenValiditySeconds(5000)
                .secret("android-secret").refreshTokenValiditySeconds(50000);
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints){
        // The password grant needs an AuthenticationManager to check the user's credentials.
        endpoints.authenticationManager(authenticationManager)
                .allowedTokenEndpointRequestMethods(HttpMethod.GET, HttpMethod.POST);
    }
}

Just below, my Main:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;

// These members sit inside the @SpringBootApplication main class (class name omitted here).

    @Autowired
    CustomUserDetailsService userDetailsService;

    // Registers the custom UserDetailsService with the global AuthenticationManager,
    // which the authorization server's password grant then uses to verify users.
    @Autowired
    public void authenticationManager(AuthenticationManagerBuilder builder) throws Exception{
        builder.userDetailsService(userDetailsService);
    }

And finally my CustomUserDetailsService and the UserService

CustomUserDetailsService.java

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;

@Service
public class CustomUserDetailsService implements UserDetailsService {

    private final UserService userService;

    @Autowired
    public CustomUserDetailsService(UserService userService) {
        this.userService = userService;
    }

    // The password grant passes the "username" form parameter here; in this project it is the e-mail.
    @Override
    public UserDetails loadUserByUsername(String email) throws UsernameNotFoundException {
        UserDetails user = this.userService.findByEmail(email);
        if (user == null) {
            // The UserDetailsService contract requires this exception for unknown users;
            // returning null would surface as a server error instead of a clean rejection.
            throw new UsernameNotFoundException("No user with e-mail " + email);
        }
        return user;
    }
}

UserService.java

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.stereotype.Service;

@Service
public class UserService {

    @Autowired
    MembreRepository membreRepository;

    // The entity returned by the repository must implement UserDetails (encoded password,
    // authorities, account flags) for Spring Security to authenticate against it.
    public UserDetails findByEmail(String email){
        return membreRepository.findOneByEmail(email);
    }
}

Upvotes: 2

Views: 3848

Answers (1)

Cristiano Almeida

Reputation: 78

By default, the endpoint /oauth/token is secured.

So to call this endpoint you need to authenticate as a client. To do this, according to your settings, you need to pass client_id and client_secret in the POST body (your settings allow form authentication for clients via .allowFormAuthenticationForClients()).

Try calling the endpoint with these parameters:

URL

{{host}}/oauth/token

HEADER

Content-Type application/x-www-form-urlencoded

Post Params

grant_type: password
scope: read write
username: foo
password: bar
client_id: android-client
client_secret: android-secret

I use Postman to test.

Upvotes: 1
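The same request as a small Java program, added here as an example and not part of the question, the answer or the tutorial. It uses the JDK 11 java.net.http client and assumes the authorization server is reachable at http://localhost:8080 with the client and user credentials from the thread. It shows both places the client credentials can go: in the form body, which is what allowFormAuthenticationForClients() permits, or in an HTTP Basic Authorization header, which the token endpoint accepts by default.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;

public class TokenRequestExample {

    // Assumed values for this example: server host plus the client and test user
    // credentials quoted in the thread. Replace with your own.
    static final String HOST = "http://localhost:8080";
    static final String CLIENT_ID = "android-client";
    static final String CLIENT_SECRET = "android-secret";

    /** Encodes a parameter map as application/x-www-form-urlencoded. */
    static String formEncode(Map<String, String> params) {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> e : params.entrySet()) {
            if (sb.length() > 0) sb.append('&');
            sb.append(URLEncoder.encode(e.getKey(), StandardCharsets.UTF_8))
              .append('=')
              .append(URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8));
        }
        return sb.toString();
    }

    /**
     * Builds a password-grant request to /oauth/token. With clientInForm=true the
     * client_id/client_secret are sent as form fields (requires
     * allowFormAuthenticationForClients() on the server); otherwise they are sent
     * as an HTTP Basic Authorization header, the default client authentication.
     */
    static HttpRequest buildTokenRequest(String username, String password, boolean clientInForm) {
        Map<String, String> params = new LinkedHashMap<>();
        params.put("grant_type", "password");
        params.put("scope", "read write");
        params.put("username", username);
        params.put("password", password);

        HttpRequest.Builder builder = HttpRequest.newBuilder(URI.create(HOST + "/oauth/token"))
                .header("Content-Type", "application/x-www-form-urlencoded");

        if (clientInForm) {
            params.put("client_id", CLIENT_ID);
            params.put("client_secret", CLIENT_SECRET);
        } else {
            String basic = Base64.getEncoder().encodeToString(
                    (CLIENT_ID + ":" + CLIENT_SECRET).getBytes(StandardCharsets.UTF_8));
            builder.header("Authorization", "Basic " + basic);
        }
        return builder.POST(HttpRequest.BodyPublishers.ofString(formEncode(params))).build();
    }

    public static void main(String[] args) throws IOException, InterruptedException {
        HttpClient client = HttpClient.newHttpClient();
        HttpRequest request = buildTokenRequest("foo", "bar", true);
        HttpResponse<String> response = client.send(request, HttpResponse.BodyHandlers.ofString());
        // 200 with a JSON body containing access_token: client and user both authenticated.
        // 401: the client credentials were rejected (wrong secret, or form auth not enabled
        //      and no Basic header). 400 with invalid_grant: the user credentials were wrong.
        System.out.println("HTTP " + response.statusCode());
        System.out.println(response.body());
    }
}
```

Both variants put the client secret and the user's password on the wire in cleartext form fields or headers, so the token endpoint should only ever be served over HTTPS; the status-code comments in main() are the quickest way to tell a client-authentication failure apart from a bad username/password.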
