sva605
sva605

Reputation: 1681

Invalid token does not contain resource id (oauth2-resource)

I'm learning OAuth2 and I have problems with client_credentials grant configuration. Here is some client-server example.

Client side (8080):

@SpringBootApplication
@EnableOAuth2Client
public class ClientApplication {

    public static void main(String[] args) {
        SpringApplication.run(ClientApplication.class, args);
    }

    @Bean
    @ConfigurationProperties("security.oauth2.client")
    public ClientCredentialsResourceDetails oAuthDetails() {
        return new ClientCredentialsResourceDetails();
    }

    @Bean
    public OAuth2RestTemplate restTemplate() {
        return new OAuth2RestTemplate(oAuthDetails());
    }
}

@Configuration
public class ClientSecurity extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().permitAll();
    }
}

@Controller
public class ClientController {

    @Autowired
    private OAuth2RestTemplate template;

    @GetMapping("/getServer")
    public String get() {
        template.getForEntity("http://localhost:8081/endpoint", String.class);
        return "index.html";
    }
}

Resource server side (8081):

@SpringBootApplication
@EnableResourceServer
public class ServerApplication {

    public static void main(String[] args) {
        SpringApplication.run(ServerApplication.class, args);
    }
}

@Configuration
public class ServerSecurity extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/actuator/**").permitAll();
    }
}

@RestController
public class ServerController {

    @GetMapping("/endpoint")
    public ResponseEntity<String> respond() {
        return new ResponseEntity<>("", HttpStatus.OK);
    }
}

When I hit client's /getServer, I get this exception:

org.springframework.security.oauth2.client.resource.OAuth2AccessDeniedException: Invalid token does not contain resource id (oauth2-resource)

If I remove ServerSecurity, ClientController works without throwing an exception, but server's actuator/health fails with 401.

What may be wrong?

ADDITIONAL INFO:

client's yml:

server:
  port: 8080

security:
  oauth2:
    client:
      grant-type: client_credentials
      clientId: __data__
      clientSecret: __data__
      accessTokenUri: https://dev-410899.oktapreview.com/oauth2/default/v1/token
      scope: web_app
    resource:
      id: oauth2-resource

server's yml:

server:
  port: 8081

security:
  oauth2:
    client:
      clientId: __data__
      clientSecret: __data__
    resource:
      tokenInfoUri: https://dev-410899.oktapreview.com/oauth2/default/v1/introspect

Upvotes: 0

Views: 4357

Answers (1)

JohanB
JohanB

Reputation: 2148

The default OAuth2 resource server id is oauth2-resource. (check ResourceServerSecurityConfigurer). You can set a custom resource server id:

@Override
public void configure(ResourceServerSecurityConfigurer oauthServer) {
    oauthServer
            .resourceId("your resource id");
}

You must make sure to give your client_credentials user access to the correct resource server id when issuing a token.

Upvotes: 1

Related Questions