Reputation: 1648
I'm trying to implement token revoke using Spring OAuth2. I created this endpoint:
    @PostMapping("/oauth/revoke")
    public ResponseEntity<String> revoke(@RequestParam Map<String, String> params) {
        RevocationService revocationService = revocationServiceFactory
                .create(params.get("token_type_hint"));
        revocationService.revoke(params.get("token"));
        return ResponseEntity.ok().build();
    }
Github code
I tried to configure these permissions:
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf()
                .disable()
            .requestMatchers().antMatchers("/oauth/revoke").and()
            .httpBasic().and()
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .httpBasic()
                .and()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }
I can successfully generate an OAuth2 token, but I always get Access denied
using this request:
    curl --location --request POST 'http://localhost:8080/oauth/revoke' \
        --header 'Authorization: Basic YWRtaW46cXdlcnR5' \
        --header 'Content-Type: application/x-www-form-urlencoded' \
        --data-urlencode 'token=.......' \
        --data-urlencode 'token_type_hint=access_token'
Do you know how this issue can be solved? I suppose that HttpSecurity
is not properly configured but I can't find a solution for this problem.
Upvotes: 0
Views: 376
Reputation: 751
    .csrf()
        .disable()
    .requestMatchers().antMatchers("/oauth/revoke").permitAll().and()
    .httpBasic().and()
will disable the required authentication for the endpoint /oauth/revoke
and will get rid of the access denied error response. You did not specify whether the user requesting the revoke operation must be authenticated or not. Note that the suggested solution must go before any authentication restriction on the parent path. If there is, for example,
    .csrf()
        .disable()
    .requestMatchers().anyRequest().authenticated().and()
    .requestMatchers().antMatchers("/oauth/revoke").permitAll().and()
    .httpBasic().and()
it will not work, since the parent path ("/") requires authentication. In Spring Security, the authentication requirement must come after any unauthenticated sub-path.
Edit: Since you are using httpBasic, if you want users to be authenticated when requesting the revoke operation, you could try to use curl with the following options:
    curl -i --user user1:user1Pass
Upvotes: 1
Reputation: 219
Could you try to add @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER) on your WebSecurityConfigurerAdapter at class level?
To override the access rules without changing any other auto-configured features add a @Bean of type WebSecurityConfigurerAdapter with @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER) and configure it to meet your needs.
From https://docs.spring.io/spring-boot/docs/2.0.0.M5/reference/html/boot-features-security.html
Upvotes: 1
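The following is an added example that is not code from the question or from either answer: it combines the two suggestions above (the rule for /oauth/revoke placed before the catch-all authenticated() rule, and @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER) on the adapter) into one Spring Boot 2.x WebSecurityConfigurerAdapter that keeps the revocation endpoint behind HTTP Basic client authentication, the variant the first answer's edit describes. The package, class name, the in-memory user revoker-client and its password are hypothetical placeholders.

```java
// Added example, not the project's own configuration. Spring Boot 2.x / Spring Security 5.x.
package com.example.security; // hypothetical package

import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
// Second answer: this order lets the adapter take precedence over Boot's
// auto-configured chain without disabling the rest of the auto-configuration.
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
public class RevokeEndpointSecurityConfig extends WebSecurityConfigurerAdapter {

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Constructed credential for the client that is allowed to revoke tokens
        // (hypothetical user name and password; use your real client store here).
        auth.inMemoryAuthentication()
            .withUser("revoker-client")
            .password(passwordEncoder().encode("change-me"))
            .roles("CLIENT");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // This chain only handles the revocation endpoint; other paths fall
            // through to the remaining security filter chains.
            .requestMatchers().antMatchers("/oauth/revoke").and()
            // Stateless endpoint: no session, every call carries Basic credentials,
            // so CSRF protection is not needed here.
            .csrf().disable()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
            .httpBasic().and()
            .authorizeRequests()
                // First answer: the specific rule comes first; the catch-all
                // anyRequest() rule must be the last one declared.
                .antMatchers("/oauth/revoke").hasRole("CLIENT")
                .anyRequest().authenticated();
    }
}

// Matching request (the -i / --user form from the first answer's edit):
//   curl -i --user revoker-client:change-me -X POST http://localhost:8080/oauth/revoke \
//        -d 'token=<token>' -d 'token_type_hint=access_token'
```

Replacing `.hasRole("CLIENT")` with `.permitAll()` gives the first answer's unauthenticated variant, in which anyone holding a token value can revoke it; RFC 7009 expects the client to present its credentials to the revocation endpoint, which is why the example keeps HTTP Basic in front of it.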