
I have a Spring Boot project using the Feign client and handle authorization via OAuth and JSON Web Tokens. After authorization you have to send the access token as a GET parameter. But instead of sending it as a GET parameter I would like to send it in the header. I couldn't find a way to do it. Does anyone know how?

My configuration:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Primary;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.provider.token.DefaultTokenServices;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;

@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {

    @Autowired
    @Qualifier("authenticationManagerBean")
    private AuthenticationManager authenticationManager;

    // The original post does not show where these values come from; they are assumed here
    // to be injected from application properties (the property names are assumptions).
    @Value("${oauth2.client.name}")
    private String oAuth2ClientName;
    @Value("${oauth2.client.secret}")
    private String oAuth2ClientSecret;
    @Value("${oauth2.access-token-validity-seconds}")
    private int oAuth2AccessTokenValidSecs;
    @Value("${oauth2.refresh-token-validity-seconds}")
    private int oAuth2RefreshTokenValidSecs;
    @Value("${jwt.signing-key}")
    private String jwtSigningKey;

    // Registers the single OAuth2 client and the grants it may use. Tokens issued to it
    // carry the "read", "write" and "trust" scopes.
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
                .withClient(oAuth2ClientName)
                .authorizedGrantTypes("password", "authorization_code", "refresh_token", "implicit")
                .authorities("ROLE_CLIENT", "ROLE_TRUSTED_CLIENT")
                .scopes("read", "write", "trust")
                .secret(oAuth2ClientSecret)
                .accessTokenValiditySeconds(oAuth2AccessTokenValidSecs)
                .refreshTokenValiditySeconds(oAuth2RefreshTokenValidSecs);
    }

    // Wires the JWT token store and converter into the /oauth/token endpoint; the
    // authentication manager is what makes the "password" grant work.
    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.tokenStore(tokenStore())
                .accessTokenConverter(accessTokenConverter())
                .authenticationManager(authenticationManager);
    }

    // JwtTokenStore keeps no state: the signed JWT itself is the token.
    @Bean
    public TokenStore tokenStore() {
        return new JwtTokenStore(accessTokenConverter());
    }

    // A plain string signing key means HMAC (symmetric) signing: every resource server that
    // verifies tokens with this key can also mint them. Use setKeyPair(...) with an RSA key
    // pair if resource servers run outside the authorization server's trust boundary.
    @Bean
    public JwtAccessTokenConverter accessTokenConverter() {
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        converter.setSigningKey(jwtSigningKey);
        return converter;
    }

    @Bean
    @Primary
    public DefaultTokenServices tokenServices() {
        DefaultTokenServices defaultTokenServices = new DefaultTokenServices();
        defaultTokenServices.setTokenStore(tokenStore());
        defaultTokenServices.setSupportRefreshToken(true);
        return defaultTokenServices;
    }
}

I already googled it, but the stuff I found was kind of self-engineered and looked quite complicated.

messy

2 Answers

  1. As an authorization service, the client must generate a token by calling the GET/POST API at /oauth/token. Besides the client_id, client_secret, username and password you must specify a grant_type. This call generates an access token as a JWT.
  2. The client gets the JWT, extracts the access token from it and sends it to the resource server (and here is what you are asking about) in the Authorization header as a Bearer token. Something similar to this: Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX25hbWUiOiJhZG1pbiIsInNjb3BlIjpbInJlYWQiLCJ3cml0ZSJdLCJleHAiOjE0OTUxMjE0NzYsImF1dGhvcml0aWVzIjpbIlJPTEVfQURNSU4iLCJST0xFX1VTRVIiXSwianRpIjoiNGYyNzQxMmMtNzkyOC00MWE5LTliMjQtN2I4ZmNmMTdiOGRhIiwidGVuYW50IjoidDEiLCJjbGllbnRfaWQiOiJjbGllbnQxIn0.Hwo7T8cAEFVm2NvXQUURiV2uiVz0nHz6RtXbOrFzGaK09TnTJJQmY8VKXsOble7prkveWBqLpWJk9J-9PRCntPW2Tsh5bjQJoFkkfHvT0Vc0TFarbFOh7St567rv5w0mYBNCxD28CM6dv_FHiz5wIoeEUeqQFIqojE3qo-aoT0o1ts-mO-Qmz-Dtla4-wGAYVgs84gQQ_n-U0kZzk_F09iHMgZRAIWq1ot2O6EZ8HHzaHA1gTsq5iWOZyxZAkGO0MTRyZir6vf8PoCHMn2Ge1uePl2NS0-UI5E8ozs2EXyGRHY6p-ZQTGvrUIObf_ZBQGgd37EoDBkrPK65kVqpZfw
  3. The resource server must verify the JWT access token, and the configuration of the resource server depends on whether the resource server is tied to the authorization server, i.e. whether they both exist in the same Spring context.
mgalala
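The three steps above, as one Feign configuration (an added example, not code from the question or either answer). It assumes the legacy spring-security-oauth2 and Spring Cloud OpenFeign APIs the question's configuration is written against; the property names, the package name and the "read"/"write" scope list are assumptions. Step 1 is handled by an OAuth2RestTemplate that calls /oauth/token with the "password" grant the authorization server enables; step 2 is a Feign RequestInterceptor that puts the JWT in the Authorization header instead of the ?access_token= query string. When the Feign call is made while the service is itself handling a request that was authenticated with a Bearer token, that caller's token is propagated instead, so the downstream call acts for the same user.

```java
// Added example, not part of the original question or answers.
package com.example.feign; // assumed package name

import java.util.Arrays;

import feign.RequestInterceptor;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.client.DefaultOAuth2ClientContext;
import org.springframework.security.oauth2.client.OAuth2RestTemplate;
import org.springframework.security.oauth2.client.token.grant.password.ResourceOwnerPasswordResourceDetails;
import org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationDetails;

@Configuration
public class FeignBearerTokenConfig {

    // Property names are assumptions; map them to whatever your application.yml uses.
    @Value("${oauth2.client.token-uri}")   // e.g. http://auth-server/oauth/token
    private String tokenUri;
    @Value("${oauth2.client.id}")
    private String clientId;
    @Value("${oauth2.client.secret}")
    private String clientSecret;
    @Value("${oauth2.client.username}")
    private String username;
    @Value("${oauth2.client.password}")
    private String password;

    /**
     * Step 1: a client that calls /oauth/token with grant_type=password using the client
     * credentials and user credentials configured above. OAuth2RestTemplate caches the
     * access token and uses the refresh_token grant once it expires.
     */
    @Bean
    public OAuth2RestTemplate oauth2RestTemplate() {
        ResourceOwnerPasswordResourceDetails details = new ResourceOwnerPasswordResourceDetails();
        details.setAccessTokenUri(tokenUri);
        details.setClientId(clientId);
        details.setClientSecret(clientSecret);
        details.setUsername(username);
        details.setPassword(password);
        details.setScope(Arrays.asList("read", "write")); // assumed scopes
        return new OAuth2RestTemplate(details, new DefaultOAuth2ClientContext());
    }

    /**
     * Step 2: every outgoing Feign request gets "Authorization: Bearer <jwt>".
     * Prefer the token the current request was authenticated with (propagation);
     * fall back to a token the client obtains for itself.
     */
    @Bean
    public RequestInterceptor bearerTokenInterceptor(OAuth2RestTemplate oauth2RestTemplate) {
        return template -> {
            String token = incomingBearerToken();
            if (token == null) {
                token = oauth2RestTemplate.getAccessToken().getValue();
            }
            template.header("Authorization", "Bearer " + token);
        };
    }

    /** The JWT the current request was authenticated with, or null outside such a request. */
    private static String incomingBearerToken() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth != null && auth.getDetails() instanceof OAuth2AuthenticationDetails) {
            return ((OAuth2AuthenticationDetails) auth.getDetails()).getTokenValue();
        }
        return null;
    }
}
```

Two practical notes. A RequestInterceptor bean declared in a class annotated with @Configuration is picked up by every Feign client in the application; to limit it to one client, drop the @Configuration annotation and reference the class from that client with @FeignClient(name = "...", configuration = FeignBearerTokenConfig.class). On the receiving side nothing needs to change for step 3: the resource server's default BearerTokenExtractor reads the Authorization header first and only falls back to the access_token request parameter, which is also why the header is the better choice in the first place, since a token in the query string ends up in access logs, proxy logs and Referer headers. If the project already uses spring-cloud-security, its OAuth2FeignRequestInterceptor implements the fallback half of the interceptor above without the propagation part.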

If you want to do it with the latest Spring Boot libraries, see my response on how to get client_credentials working on https://stackoverflow.com/a/65741386/698471

Javi Vazquez