
I've been stuck for hours trying to figure out what in the world is going wrong with this Spring Security OAuth2 implementation.

The error occurs when I go to hit the /oauth/token endpoint:

localhost:8080/my-oauth-practice-app/oauth/token

Error: InsufficientAuthenticationException, There is no client authentication. Try adding an appropriate authentication filter.

AUTHORIZATION SERVER CONFIGURATION

/**
 * Authorization-server side of the sample: wires the shared token services and
 * the application's AuthenticationManager into the OAuth2 endpoints and
 * registers a single in-memory client limited to the "password" grant.
 *
 * NOTE(review): the client id and secret below are literals in source. That is
 * acceptable for a local practice application only; anywhere else, load them
 * from external configuration and keep the secret out of version control.
 */
@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

    // Injected by bean name so the manager exposed by WebSecurityConfig is the one used.
    @Autowired
    @Qualifier("authenticationManagerBean")
    AuthenticationManager authenticationManager;

    @Autowired
    DefaultTokenServices tokenServices;

    /** Points the token endpoints at the shared token services and authentication manager. */
    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        super.configure(endpoints);
        endpoints.tokenServices(tokenServices);
        endpoints.authenticationManager(authenticationManager);
    }

    /**
     * Sets the access rule for the token-key endpoint.
     *
     * NOTE(review): "permitAll()" lets unauthenticated callers reach that
     * endpoint; confirm this is intended for the key material it would serve.
     */
    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
        super.configure(security);
        security.tokenKeyAccess("permitAll()");
    }

    /** Registers the one in-memory client: password grant, "read" scope, auto-approved. */
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
                .withClient("clientid")
                .secret("clientpass")
                .authorizedGrantTypes("password")
                .scopes("read")
                .autoApprove(true);
    }
}

RESOURCE SERVER CONFIGURATION

/**
 * Resource-server side of the sample: validates incoming tokens with the shared
 * token services and requires the USER role on every request it handles.
 */
@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    @Autowired
    DefaultTokenServices tokenServices;

    /** Uses the same token services as the authorization server, so issued tokens resolve here. */
    @Override
    public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
        super.configure(resources);
        resources.tokenServices(tokenServices);
    }

    /**
     * Declares the authorization rule for resource requests.
     *
     * NOTE(review): super.configure(http) presumably registers its own
     * anyRequest() rule before the one below; two anyRequest() rules are
     * order-sensitive, so confirm that the role check is the rule that
     * actually takes effect.
     */
    @Override
    public void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        http.authorizeRequests()
                .anyRequest()
                .hasRole("USER");
    }
}

GENERAL WEB SECURITY CONFIGURATION

/**
 * General web security for the sample: defines the shared token services bean,
 * one in-memory user, a blanket USER-role rule, and exposes the
 * AuthenticationManager as a bean for the authorization server.
 *
 * NOTE(review): the user name and password below are literals in source and
 * suitable for a local practice application only.
 */
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     * Token services shared by the authorization and resource servers.
     * Access tokens are valid for 600 seconds and refresh tokens for 1000
     * seconds; tokens are kept in an InMemoryTokenStore.
     */
    @Primary
    @Bean
    DefaultTokenServices tokenServices() {
        DefaultTokenServices services = new DefaultTokenServices();
        services.setAccessTokenValiditySeconds(600);
        services.setRefreshTokenValiditySeconds(1000);
        services.setTokenStore(new InMemoryTokenStore());
        return services;
    }

    /** Registers the single in-memory account with the USER role. */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
                .withUser("user")
                .password("password")
                .roles("USER");
    }

    /**
     * Requires the USER role on every path matched by this chain.
     *
     * NOTE(review): this override does not call super.configure(http) and
     * configures no login mechanism of its own; how a caller authenticates
     * against this chain is not shown here, so verify.
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/**")
                .hasRole("USER");
    }

    /** Publishes the adapter's AuthenticationManager under the bean name "authenticationManagerBean". */
    @Override
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }
}
TyRyDurden

1 Answer


Check whether your WebSecurityConfigurerAdapter subclass overrides configure(WebSecurity) like this:

// NOTE(review): paths listed under web.ignoring() are excluded from the Spring
// Security filter chain. With "/oauth/**" in this list, no client
// authentication runs for the token endpoint, so its Principal is null.
@Override
public void configure(WebSecurity web) throws Exception {
    web.ignoring()
            .antMatchers("/webjars/**", "/oauth/**");
}

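Remove the "/oauth/**" path from that list. Ignored paths bypass the Spring Security filter chain, so the client is never authenticated. Otherwise, in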

TokenEndpoint.postAccessToken(Principal principal, @RequestParam Map<String, String> parameters)

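principal will be null, and the token endpoint then fails with the InsufficientAuthenticationException shown in the question.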

许大卫
  • When Principal is null, it can mean that the Spring Security filter chain was not invoked before the request reached the method. A possible fix can be found at https://stackoverflow.com/questions/31504556/spring-oauth2-there-is-no-client-authentication-try-adding-an-appropriate-aut/54142390#54142390 – Damiani Jan 11 '19 at 08:05