Spring OAuth2 - No client authentication. Try adding the appropriate authentication filter.

We have an application that uses spring-security-oauth2:1.0. I tried to change it to a newer version, spring-security-oauth2:2.0.7.RELEASE. Some classes were deleted, some package structure changed; I was able to figure out all these things, and I was able to start the server without any problems. But here I come across a strange problem.

In the OAuth2 1.0 version, when a user logs in, we used a GET request to /oauth/token, for example:

    http://local:8080/echo/oauth/token?grant_type=password&client_id=WS&client_secret=secret&scope=read,write&username=john@abc.com&password=password123

And before, it worked just fine.

When I try to do the same, firstly, I cannot make a GET request due to the logic in TokenEndpoint.java:

    private Set<HttpMethod> allowedRequestMethods = new HashSet<HttpMethod>(Arrays.asList(HttpMethod.POST));

    @RequestMapping(value = "/oauth/token", method = RequestMethod.GET)
    public ResponseEntity<OAuth2AccessToken> getAccessToken(Principal principal, @RequestParam Map<String, String> parameters)
            throws HttpRequestMethodNotSupportedException {
        if (!allowedRequestMethods.contains(HttpMethod.GET)) {
            throw new HttpRequestMethodNotSupportedException("GET");
        }
        return postAccessToken(principal, parameters);
    }

I tried to make a POST request to the same URL as above, but I get an InsufficientAuthenticationException with the error message:

No client authentication. Try adding the appropriate authentication filter.

This is because of the following POST request controller in TokenEndpoint.java. When I debug, I see that principal is null.

    @RequestMapping(value = "/oauth/token", method = RequestMethod.POST)
    public ResponseEntity<OAuth2AccessToken> postAccessToken(Principal principal, @RequestParam Map<String, String> parameters)
            throws HttpRequestMethodNotSupportedException {
        // principal is null here
        if (!(principal instanceof Authentication)) {
            throw new InsufficientAuthenticationException(
                    "There is no client authentication. Try adding an appropriate authentication filter.");
        }
        // ...
    }

I have an authentication filter and it worked well when I used version 1.0. These are the relevant excerpts of my config:

    <authentication-manager xmlns="http://www.springframework.org/schema/security">
        <authentication-provider user-service-ref="userDetailsService"/>
    </authentication-manager>

    <bean id="userDetailsService" class="com.hcl.nc.service.UserDetailsService">
        <constructor-arg><ref bean="sessionFactory" /></constructor-arg>
    </bean>

I always thought that the request would be authenticated by the authentication-provider and sent to the token endpoint, but this does not seem to be the correct flow. After debugging the application with version 2.0.7, I now really doubt my understanding of the flow.

Can someone explain why it worked in the previous version and why it does not work now?

Do I have to do something else to get an OAuth token?

NOTE: I have already checked these questions: here, here, here. But I could not find the right solution.

+11
spring-security spring-security-oauth2 access-token
4 answers

I do not know the previous version, but I know a little about 2.0.7.

I suspect your problem is that your TokenEndpoint protection is trying to authenticate your clients against your user service.

TokenEndpoint is protected by BasicAuthenticationFilter. By default, this filter uses an AuthenticationManager instance, which itself contains an AuthenticationProvider, which itself depends on a UserDetailsService instance. The trick is that this particular instance of UserDetailsService should be for the client, not the user: that is why there is a ClientDetailsUserDetailsService that adapts the ClientDetailsService to the UserDetailsService.

Usually all of this is done by default when you use the framework configuration classes AuthorizationServerConfigurerAdapter, @EnableAuthorizationServer, etc.

+5
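To make the point of this answer concrete, here is an added, stand-alone example (not code from the question or from Spring itself) that wires an AuthenticationManager the way the filter in front of /oauth/token needs it: through ClientDetailsUserDetailsService over a client registry, so that the client credentials from the question's URL authenticate while an end-user's credentials do not. It assumes the spring-security-oauth2 2.0.x API and a plaintext client secret, as on the page; the client registration and the ClientAuthDemo class are constructed for the demo.

```java
import java.util.Collections;

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.security.oauth2.provider.client.BaseClientDetails;
import org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService;
import org.springframework.security.oauth2.provider.client.InMemoryClientDetailsService;

// Demo class (not part of the page): the AuthenticationManager that
// BasicAuthenticationFilter needs on /oauth/token is backed by the CLIENT
// registry, adapted to UserDetailsService, not by the end-user UserDetailsService.
public class ClientAuthDemo {

    static AuthenticationManager clientAuthenticationManager() throws Exception {
        // Constructed client registration using the client_id/client_secret from the question.
        BaseClientDetails ws = new BaseClientDetails("WS", "", "read,write", "password", "ROLE_CLIENT");
        ws.setClientSecret("secret");
        InMemoryClientDetailsService clients = new InMemoryClientDetailsService();
        clients.setClientDetailsStore(Collections.<String, ClientDetails>singletonMap("WS", ws));

        // The adapter the answer refers to: ClientDetailsService -> UserDetailsService.
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(new ClientDetailsUserDetailsService(clients));
        provider.setPasswordEncoder(NoOpPasswordEncoder.getInstance()); // plaintext secret, as on the page
        provider.afterPropertiesSet();
        return new ProviderManager(Collections.<AuthenticationProvider>singletonList(provider));
    }

    public static void main(String[] args) throws Exception {
        AuthenticationManager manager = clientAuthenticationManager();

        // What the filter does with "Authorization: Basic base64(WS:secret)": principal is set.
        Authentication client = manager.authenticate(new UsernamePasswordAuthenticationToken("WS", "secret"));
        System.out.println("client authenticated: " + client.isAuthenticated() + " as " + client.getName());

        // The user's credentials are not a client: with the manager wired against the
        // user service instead, the reverse happens and principal stays null at the endpoint.
        try {
            manager.authenticate(new UsernamePasswordAuthenticationToken("john@abc.com", "password123"));
        } catch (BadCredentialsException e) {
            System.out.println("user credentials rejected by client authentication: " + e.getMessage());
        }
    }
}
```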

I had the same problem, and my application.yml had the following lines:

    servlet:
      path: /auth

so the token address was: /auth/oauth/token

I removed the path from application.yml so that the token path becomes:

    /oauth/token

And everything works fine.

Hope this helps

+1

In my case, I found this configuration:

    security.allowFormAuthenticationForClients(); // here

Then POST this:

    http://localhost:8081/sso/oauth/token?client_id=unity-client&client_secret=unity&grant_type=authorization_code&code=Yk4Sum&redirect_uri=http://localhost:8082/sso-demo/passport/login

It works for me; try:

    @Configuration
    @EnableAuthorizationServer
    public class Oauth2Config extends AuthorizationServerConfigurerAdapter {

        private static final Logger log = LoggerFactory.getLogger(Oauth2Config.class);

        @Override
        public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
            security.allowFormAuthenticationForClients(); // here
        }

        @Override
        public void configure(final ClientDetailsServiceConfigurer clients) throws Exception {
            // @formatter:off
            clients.inMemory()
                .withClient("unity-client")
                .secret("unity")
                .authorizedGrantTypes("authorization_code", "password", "client_credentials", "implicit", "refresh_token")
                .scopes("foo", "read", "write")
                .accessTokenValiditySeconds(3600)      // 1 hour
                .refreshTokenValiditySeconds(2592000); // 30 days
            // @formatter:on
        }

        @Override
        public void configure(final AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        }
    }
0

One of the problems with the following error may be that the authentication failed. I ran into this problem in an older Spring implementation.

Confirm this:

TokenEndpoint -> postAccessToken method. Check whether the Principal is null. If it is null, this means that basic authentication has not been performed.

One solution to add the filter was to use:

    @Configuration
    public class FilterChainInitializer extends AbstractSecurityWebApplicationInitializer {
    }

More information on AbstractSecurityWebApplicationInitializer can be found in the Spring docs.

0