Spring Security OAuth2 | InsufficientAuthenticationException

I am trying to create an OAuth2 authorization server using Spring Security OAuth2 (2.0.6.RELEASE).

Here is what my respective configuration looks like: -

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;

@Configuration
@EnableAuthorizationServer
public class OAuth2AuthorizationConfig extends
        AuthorizationServerConfigurerAdapter {

    @Autowired
    private AuthenticationManager authenticationManager;

    /*
     * (non-Javadoc)
     * 
     * @see
     * org.springframework.security.oauth2.config.annotation.web.configuration
     * .AuthorizationServerConfigurerAdapter
     * #configure(org.springframework.security
     * .oauth2.config.annotation.web.configurers
     * .AuthorizationServerEndpointsConfigurer)
     */
    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints)
            throws Exception {
        endpoints.authenticationManager(authenticationManager);
    }

    /*
     * (non-Javadoc)
     * 
     * @see
     * org.springframework.security.oauth2.config.annotation.web.configuration
     * .AuthorizationServerConfigurerAdapter
     * #configure(org.springframework.security
     * .oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer)
     */
    @Override
    public void configure(ClientDetailsServiceConfigurer clients)
            throws Exception {

        // OAuth2 CLIENT CONFIGURATION !!!!!
        clients.inMemory().withClient("sambhav").secret("sambhav")
                .authorizedGrantTypes("authorization_code")
                .scopes("openid", "all").redirectUris("http://localhost:9001");
    }

    /*
     * (non-Javadoc)
     * 
     * @see
     * org.springframework.security.oauth2.config.annotation.web.configuration
     * .AuthorizationServerConfigurerAdapter
     * #configure(org.springframework.security
     * .oauth2.config.annotation.web.configurers
     * .AuthorizationServerSecurityConfigurer)
     */
    @Override
    public void configure(AuthorizationServerSecurityConfigurer security)
            throws Exception {
        super.configure(security);
    }

}

Using Spring Boot with embedded Jetty, during startup I see that the OAuth2 endpoints are indeed logged in my logs.

When I try to hit (using Postman) the /oauth/authorize POST endpoint with client_id=sambhav, response_type=code, redirect_uri=http://localhost:9001, scope=all, I get a 500 error in response with the following error: -

{"timestamp":1423055109697,"status":500,"error":"Internal Server Error","exception":"org.springframework.security.authentication.InsufficientAuthenticationException","message":"User must be authenticated with Spring Security before authorization can be completed.","path":"/oauth/authorize"}

Looking at the logs, I see that there is an authentication check in the authorize method of the class org.springframework.security.oauth2.provider.endpoint.AuthorizationEndpoint: -

@RequestMapping(value = "/oauth/authorize")
    public ModelAndView authorize(Map<String, Object> model, @RequestParam Map<String, String> parameters,
            SessionStatus sessionStatus, Principal principal) {

        // Pull out the authorization request first, using the OAuth2RequestFactory. All further logic should
        // query off of the authorization request instead of referring back to the parameters map. The contents of the
        // parameters map will be stored without change in the AuthorizationRequest object once it is created.
        AuthorizationRequest authorizationRequest = getOAuth2RequestFactory().createAuthorizationRequest(parameters);

        Set<String> responseTypes = authorizationRequest.getResponseTypes();

        if (!responseTypes.contains("token") && !responseTypes.contains("code")) {
            throw new UnsupportedResponseTypeException("Unsupported response types: " + responseTypes);
        }

        if (authorizationRequest.getClientId() == null) {
            throw new InvalidClientException("A client id must be provided");
        }

        try {
             // THIS check causes the problem
            if (!(principal instanceof Authentication) || !((Authentication) principal).isAuthenticated()) {
                throw new InsufficientAuthenticationException(
                        "User must be authenticated with Spring Security before authorization can be completed.");
            }

PROBLEM

Why is authentication already required for the authorization step?

( )? ? client_id/client_secret?

+4
1

authorization_code , ( ).

, , , Spring , (sambhav) .

+3
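
An added example, not part of the original question or answer and not Spring's own code: in the authorization_code grant the resource owner (the end user) logs in at /oauth/authorize, while the client_id/client_secret are presented later at the token endpoint, so the application needs a login mechanism in front of /oauth/authorize to satisfy the check quoted in the question. The class name ResourceOwnerLoginConfig and the demo-user account are assumptions for illustration, and the code assumes the Spring Security 3.2/4.x Java configuration that matches Spring Security OAuth2 2.0.x.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class ResourceOwnerLoginConfig extends WebSecurityConfigurerAdapter {

    // Constructed demo account for the resource owner (hypothetical values).
    // Replace with a real UserDetailsService and hashed passwords.
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
                .withUser("demo-user").password("demo-password").roles("USER");
    }

    // Expose the manager as a bean so the @Autowired AuthenticationManager
    // in OAuth2AuthorizationConfig resolves to this one.
    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // /oauth/authorize is a browser-facing endpoint. An unauthenticated
            // request is redirected to the login form, so AuthorizationEndpoint
            // receives an authenticated Principal instead of throwing
            // InsufficientAuthenticationException.
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            // The login page itself must be reachable without a session.
            .formLogin().permitAll();
        // CSRF protection is left enabled, which is the Java-config default.
    }
}
```

With this in place the flow is exercised from a browser rather than a bare Postman POST: the user is sent to the login form first, and only then does /oauth/authorize proceed to issue the code to the registered redirect URI.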
