2

I have a spring boot client app which uses OAuth2RestTemplate as OAuth2Client. I have configured the OAuth2RestTemplate to call authserver and add token obtained from it to header for accessing resource server. The problem occured is that whenever i call the method in client app to access resource server using restTemplate, it used the token coming from header of the request of the client app instead of calling the auth server. It uses that token and the token gets rejected by my resource server. And after it is rejected, it then only calls the auth server and puts correct token and again sends the request to my resource server.

Is there any way to make rest template not use the token from the header and call the auth server for the token before connecting resource server? Thank u

My config class

@Configuration
@EnableOAuth2Client
public class OAuth2ClientConfig {

    @Autowired
    ConfigProperties configProperties;

    @Bean("oauth2AuthServer")
    public OAuth2RestOperations restTemplate(OAuth2ClientContext oauth2ClientContext) {
        OAuth2RestTemplate oAuth2RestTemplate = new OAuth2RestTemplate(resource(), oauth2ClientContext);
        oAuth2RestTemplate.setAccessTokenProvider(new CustomResourceOwnerPasswordAccessTokenProvider());
        return oAuth2RestTemplate;
    }

    @Bean
    protected OAuth2ProtectedResourceDetails resource() {
        ResourceOwnerPasswordResourceDetails resource = new ResourceOwnerPasswordResourceDetails();
        resource.setId(configProperties.getClientId());
        resource.setAccessTokenUri(configProperties.getAccessTokenUri());
        resource.setClientId(configProperties.getClientId());
        resource.setClientSecret(configProperties.getClientSecret());
        resource.setGrantType(configProperties.getGrantType());
        resource.setClientAuthenticationScheme(AuthenticationScheme.header);
        resource.setAuthenticationScheme(AuthenticationScheme.header); // 
        resource.setUsername(configProperties.getUsername());
        resource.setPassword(configProperties.getPassword());
        return resource;
    }

}

My serviceImpl method is

@Autowired
    @Qualifier("oauth2AuthServer")
    private OAuth2RestOperations oauth2RestOperations;

RequestResponse callResourceServer(ResourceRequest request) {
        try {
            RequestResponse response;
            HttpHeaders headers = new HttpHeaders();
            headers.setContentType(MediaType.APPLICATION_JSON); 
            HttpEntity<ReseourceRequest> entity = new HttpEntity<>(request, headers);
            response = this.oauth2RestOperations.postForObject(
                    microServiceConfig.getUrl(), 
                    entity, 
                   RequestResponse.class
            );
            return response;
        } catch (Exception ex) {
            log.error(ex);
            throw new exception("error");
        }
    }
Sudan Shrestha
  • 97
  • 1
  • 10

1 Answers1

0

I see BaseOAuth2ProtectedResourceDetails and Oauth2RestTemplate deprecated, Can we still use them ? or we should migrate to 5.x options

Sandeep Vedavyas
  • 11
  • 3
  • OAuth 2.0 Client features of Spring Security 5.x do not support RestTemplate, but only WebClient. WebClient offers an alternative to RestTemplate with efficient support for both sync and async, as well as streaming scenarios. The RestTemplate will be deprecated in a future version and will not have major new features added going forward. – Sudan Shrestha Oct 11 '20 at 07:27
  • agree, i see it from latest documentation, just wanted to confirm it i saw OAuth2ProtectedResourceDetails (deprecated) in above sample usage.Thanks for clarifying it. – Sandeep Vedavyas Oct 12 '20 at 08:05