
I'm trying to implement OAuth2 authentication using Spring Security OAuth.

I've added an OAuth2ClientAuthenticationProcessingFilter to my security config, together with an AuthorizationCodeResourceDetails. I do receive the authorization code, but the OAuth flow then breaks: I'm not able to get the access_token.

Here is my configuration:

/**
 * Builds the HTTP security chain: forced UTF-8 request encoding, persistent remember-me,
 * the OAuth2 client filters, JSON-style form login and logout, and the URL authorization rules.
 *
 * @param http the security builder being configured
 * @throws Exception propagated from the Spring Security configurers
 */
@Override
protected void configure(HttpSecurity http) throws Exception {

    /*
     * Moved from com.myscript.backend.configuration.WebApp.java, see
     * https://stackoverflow.com/questions/20863489/characterencodingfilter-dont-work-together-with-spring-security-3-2-0
     * The encoding filter is registered ahead of CsrfFilter so that UTF-8 is forced on the
     * request before that filter runs.
     */
    CharacterEncodingFilter characterEncodingFilter = new CharacterEncodingFilter();
    characterEncodingFilter.setEncoding("UTF-8");
    characterEncodingFilter.setForceEncoding(true);
    http.addFilterBefore(characterEncodingFilter, CsrfFilter.class);


    // NOTE(review): the remember-me key is a literal in source (masked here). Anyone who can read
    // the repository can read it; consider loading it from external configuration.
    String key = "**************************";
    ApiPersistentTokenBasedRememberMeServices rememberMeServices = new ApiPersistentTokenBasedRememberMeServices(key, userDetailsService, adminTokenRepository);

    // @formatter:off
    http
        .exceptionHandling()
        // Unauthenticated requests are answered with 403 instead of a redirect to a login page.
        .authenticationEntryPoint(new Http403ForbiddenEntryPoint())
    .and()
        // NOTE(review): CSRF protection is switched off although this chain authenticates with
        // cookies (session, remember-me) and a form login; confirm that is intended.
        .csrf().disable()
        .rememberMe()
        .rememberMeServices(rememberMeServices)
        .tokenRepository(adminTokenRepository)
        .key(key)
        .userDetailsService(userDetailsService)
    .and()
        // The OAuth2 client context filter runs right after the security context is restored;
        // the SSO processing filter is placed before basic authentication.
        .addFilterAfter(oauth2ClientContextFilter, SecurityContextPersistenceFilter.class)
        .addFilterBefore(ssoFilter(), BasicAuthenticationFilter.class)
        .formLogin()
        .loginProcessingUrl("/**/authentication/login*")
        .usernameParameter("email")
        .passwordParameter("password")
        .successHandler(new RestAuthenticationSuccessHandler())
        .failureHandler(new RestAuthenticationFailureHandler())
        .permitAll()
    .and()
        .logout()
        .invalidateHttpSession(true)
        // Logout answers with a bare 200 status; no redirect is issued.
        .logoutSuccessHandler(new LogoutSuccessHandler() {
            @Override
            public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication)
                throws IOException, ServletException {
                response.setStatus(HttpServletResponse.SC_OK);
            }
        })
        .logoutRequestMatcher(new AntPathRequestMatcher("/**/authentication/logout*"))
        .permitAll()
    .and()
        .authorizeRequests()
        // The "..." stands for further patterns elided from the listing; it is not valid Java as shown.
        // Every matcher listed here is reachable without authentication, so keep the list narrow.
        .antMatchers("/authentication/**", ...)
        .permitAll()
        .anyRequest()
        .authenticated()
    .and()
        .anonymous();
    // @formatter:on
}

/**
 * Creates the filter that handles the OAuth2 callback on {@code /**}{@code /authentication/login/sso}
 * and hands it a rest template built from {@link #sso()}.
 *
 * @return the configured SSO processing filter
 */
private Filter ssoFilter() {
    // NOTE(review): the single-argument OAuth2RestTemplate constructor creates its own default
    // client context instead of using one supplied by the application. If the state and the
    // returned authorization code are meant to be carried by a session-scoped OAuth2ClientContext
    // (the one oauth2ClientContextFilter works with), the template presumably needs that context
    // passed in, otherwise the code is never exchanged for a token - confirm.
    // NOTE(review): no token services are set on the filter in this method; verify they are
    // provided, since the filter needs them to turn an access token into an Authentication.
    OAuth2ClientAuthenticationProcessingFilter processingFilter =
        new OAuth2ClientAuthenticationProcessingFilter("/**/authentication/login/sso");
    processingFilter.setRestTemplate(new OAuth2RestTemplate(sso()));
    return processingFilter;
}

/**
 * Describes the "sso" authorization-code client: its credentials, the authorization server
 * endpoints, the fixed redirect URI and the requested scopes.
 *
 * @return the resource details used to build the OAuth2 rest template
 */
@Bean
protected OAuth2ProtectedResourceDetails sso() {
    AuthorizationCodeResourceDetails resource = new AuthorizationCodeResourceDetails();
    resource.setId("sso");

    // NOTE(review): client id and secret are literals in source (masked here); consider
    // reading them from external configuration so they stay out of version control.
    resource.setClientId("*******");
    resource.setClientSecret("*******");
    resource.setScope(Arrays.asList("read", "write"));

    // NOTE(review): both endpoints use plain http, so the client secret, the authorization code
    // and the access token would travel unencrypted; use https outside a local test setup.
    resource.setUserAuthorizationUri("http://sso.test.com/oauth/authorize");
    resource.setAccessTokenUri("http://sso.test.com/oauth/token");

    // The redirect URI is fixed rather than derived from the current request.
    // NOTE(review): the redirect reported for this setup lands on .../admin/authentication, not on
    // this URI, and the processing filter only handles /**/authentication/login/sso. Presumably the
    // redirect URI registered at the authorization server differs - confirm they match exactly.
    resource.setUseCurrentUri(false);
    resource.setPreEstablishedRedirectUri("http://localhost:8894/api/v3.0/admin/authentication/login/sso");
    return resource;
}

In the end I'm redirected to: http://localhost:8894/api/v3.0/admin/authentication?code=YjMXjl&state=ktv3am#
