1

I am trying to add OAuth to a rest service that I am developing with Spring framework. I am using annotation based configuration and spring-boot to get it running.

I have the following class in my project:

@Configuration
@EnableWebSecurity
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
public class SecuritySettings extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
                .withUser("admin").password("123").authorities("ROLE_USER");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().authenticated()
            .and().httpBasic().and().csrf().disable();
    }
}

and my authorization server configuration is as follows:

@Configuration
@EnableAuthorizationServer
public static class MyAuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory().withClient("web")
                .authorizedGrantTypes("password")
                .authorities("ROLE_CLIENT","ROLE_TRUSTED_CLIENT","ROLE_USER")
                .scopes("read", "write")
                .resourceIds(RESOURCE_ID);
    }
 }

When I make a GET request to /oauth/token/ end point I am asked to enter HTTP basic credentials. When I try to login with the admin user then the following is logged

o.s.s.o.provider.endpoint.TokenEndpoint  : Handling error: NoSuchClientException, No client with requested id: admin

Entering username as web works, but I don't know the password for it. A default password is logged but it doesn't work either. 

Using default security password: f23087f8-58ce-e3d-bc62-58bf0963e75c

So what is this password? Where can I find it? How can I set it?

idursun
  • 6,261
  • 1
  • 37
  • 51

2 Answers2

2

The API you are using is from this builder class.

The token endpoint is used by client applications to request access tokens for resources. It isn't used by browser end users. OAuth2 clients are usually allocated a "client secret" which they can use to authenticate at the endpoint, generally with Basic authentication as described in the OAuth 2.0 spec.

So to answer your specific question, you would use the "secret" method on the builder API, and use the value to authenticate as the client:

clients.inMemory().withClient("web")
    .authorizedGrantTypes("password")
    .secret("webclientsecret")
    ...

Also, the "password" grant means that the client requests tokens using an end users ID and password, just to make sure that's what you actually intend. It's not related to the password issue here.

Community
  • 1
  • 1
Shaun the Sheep
  • 22,353
  • 1
  • 72
  • 100
  • Hi! Thanks for the reply. You are right, that is exactly what I am trying to achieve here. I was using browser only to try out username/password combinations. I have actually read the page you linked before. Example request in the documentation sends a `Authorization` header, so in my case it should be something like `Basic encode64(web:webclientsecret)`. Am I correct? I still couldn't get it to work. – idursun Jul 08 '14 at 07:06
  • I have finally gotten it to work. I am accepting your answer because it actually answered what I was asking for so I could isolate the problem. – idursun Jul 08 '14 at 10:08
  • I found your answer while researching another problem related to client definition in Spring OAuth2. Are you willing to comment? Here is the link: http://stackoverflow.com/questions/36899386/null-client-in-oauth2-multi-factor-authentication – CodeMed Apr 29 '16 at 20:34
1

This is the OAuth access token. It is based on user login and password and used to access protected resources. URL "/oauth/token" is used to fetch access tokens instead of available Request Token. This request is digitally signed on the basis of Request Token secret.

The Oauth protocol uses this access tokens in this way:

  1. Application-Consumer gets Request Token.

  2. User is redirected on the Service Provider's site and authorizes Request Token there. (If authorization is made via Http basic, then you should add request header with name "Authorization" and value "Basic EncodeBase64("name:password")", where EncodeBase64 is a function, "name" and "password" are user name and user password.

  3. Application-Consumer exchanges Request Token on Access Token.

  4. Application-Consumer sends authorized requests to the service's API.

You can't find additional info in OAuth 2 Developers Guide and Spring Social Reference

I hope you've got answer to your question(or get closer to it). =)

zegoline
  • 574
  • 2
  • 8
  • 21
  • Thank you for the reply. I am actually making a post request to the token endpoint by using the grant_type: password as in [here](http://tools.ietf.org/html/rfc6749#section-4.3). username is `admin`, user password is `123` and the thing i am going to encode in the Authorization request header is going to be `Authorization: Basic [X]` where X is the encoded value of `web:clientsecret` pair. Am I right? What I am missing here? None of these passwords work. I always get `error: "Unauthorized" message: "Bad credentials"` – idursun Jul 08 '14 at 07:17