Problem
- 401 Unauthorized when calling an endpoint secured by Spring
Tech Stack
- Spring Boot 3
- Google API
- Postman
Goal
I'm building a Spring Boot 3 service that will access Google's Gmail and Calendar services. I will be using Google OAuth2 as the Authorization Server and the Spring Boot app as the Resource Server. I've followed this guide to allow Google login and secure my endpoint: https://docs.spring.io/spring-security/reference/reactive/oauth2/resource-server/jwt.html
Here's my security configuration:
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
@EnableMethodSecurity
public class SecurityConfiguration {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // No browser session, so no CSRF token; no basic/form login either
            .csrf(e -> e.disable())
            .httpBasic(e -> e.disable())
            .formLogin(e -> e.disable())
            // Every request must carry a valid bearer token
            .authorizeHttpRequests(authz -> authz
                .requestMatchers("/**")
                .fullyAuthenticated()
            )
            // Validate bearer tokens as JWTs using the resourceserver.jwt.* properties
            .oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt)
            .sessionManagement(sess -> sess.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
        ;
        return http.build();
    }
}
Here's my Spring configuration file:
spring:
  security:
    oauth2:
      # client:
      #   registration:
      #     google:
      #       client-id: xxx
      #       client-secret: xxx
      #       scope:
      #         - openid
      #         - profile
      #         - email
      resourceserver:
        jwt:
          # https://accounts.google.com/.well-known/openid-configuration
          issuer-uri: https://accounts.google.com
          jwk-set-uri: https://www.googleapis.com/oauth2/v3/certs
        # opaque-token:
        #   introspection-uri: https://oauth2.googleapis.com/tokeninfo
        #   client-id: xxx
        #   client-secret: xxx
I'm using Postman for testing and have generated the access token like this:
But when I call the endpoint, I get a 401 unauthorized exception.
In Postman, when I change the token type to idToken, it works:
Is there a way for the JWT token to work?
Searching SO, I found:
I tried the Opaque token approach as well, but I still have the same 401 Unauthorized error.
Here's the GitHub repo https://github.com/czetsuya/spring-google-signon.
Any idea how to proceed from here?
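An added example, not code from the question or from the linked repository: the question's setup accepts Google ID tokens once `jwt()` is configured with Google's issuer and JWK set, but Spring's default JWT validators only check the signature, the `iss` claim and the `exp`/`nbf` timestamps. They do not check `aud`, so with the configuration above any Google ID token issued to any application is accepted. The `JwtDecoder` bean below adds that audience check. The property `app.google.client-id` and the class name `GoogleJwtDecoderConfig` are assumptions for the example; the Spring Security types used (`NimbusJwtDecoder`, `JwtValidators`, `DelegatingOAuth2TokenValidator`, `OAuth2TokenValidatorResult`) are the real ones.

```java
// Added example (not from the question's repo): a JwtDecoder bean for Google ID tokens
// that also validates the aud claim, which Spring's default validators do not check.
import java.util.List;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

@Configuration
public class GoogleJwtDecoderConfig {

    @Bean
    public JwtDecoder jwtDecoder(
            @Value("${spring.security.oauth2.resourceserver.jwt.issuer-uri}") String issuer,
            @Value("${spring.security.oauth2.resourceserver.jwt.jwk-set-uri}") String jwkSetUri,
            // Assumed property name: the OAuth client-id Google places in the ID token's aud claim
            @Value("${app.google.client-id}") String clientId) {

        // Signature verification against Google's published JWK set
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(jwkSetUri).build();

        // Spring's defaults: exp/nbf with clock skew, plus iss must equal the configured issuer
        OAuth2TokenValidator<Jwt> defaults = JwtValidators.createDefaultWithIssuer(issuer);

        // Audience check: reject ID tokens minted for a different OAuth client
        OAuth2TokenValidator<Jwt> audience = jwt -> {
            List<String> aud = jwt.getAudience();
            if (aud != null && aud.contains(clientId)) {
                return OAuth2TokenValidatorResult.success();
            }
            return OAuth2TokenValidatorResult.failure(
                    new OAuth2Error("invalid_token", "aud does not contain " + clientId, null));
        };

        // Both validators must pass; a failure surfaces to the client as 401 with an
        // invalid_token error in the WWW-Authenticate header
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(defaults, audience));
        return decoder;
    }
}
```

Defining a `JwtDecoder` bean replaces the one Spring Boot auto-configures from the `resourceserver.jwt.*` properties, so the issuer and JWK set URI still come from the YAML above. A token that passes signature and issuer checks but carries another application's client-id in `aud` is now rejected instead of being treated as a fully authenticated caller.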