Spring Security OAuth2 check_token endpoint

20
votes

I'm trying to setup a resource server to work with separate authorization server using spring security oauth. I'm using RemoteTokenServices which requires /check_token endpoint.

I could see that /oauth/check_token endpoint is enabled by default when @EnableAuthorizationServer is used. However the endpoint is not accessible by default.

Should the following entry be added manually to whitelist this endpoint?

http.authorizeRequests().antMatchers("/oauth/check_token").permitAll();

This will make this endpoint accessible to all, is this the desired behavior? Or am I missing something.

Thanks in advance,

4
springspring-securityoauth-2.0spring-security-oauth2

4 Answers

20
votes

You have to 

@Override
public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception
{
   oauthServer.checkTokenAccess("permitAll()");    
}

For more information on this ::

How to use RemoteTokenService?

9
votes

Just to clarify a couple of points, and to add some more information to the answer provided by Pratik Shah (and by Alex in the related thread):

1- The configure method mentioned is overridden by creating a class that extends AuthorizationServerConfigurerAdapter:

    @EnableAuthorizationServer
    @Configuration
    public class AuthServerConfig extends AuthorizationServerConfigurerAdapter {

        @Override
        public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
            oauthServer.tokenKeyAccess("permitAll()")
                .checkTokenAccess("isAuthenticated()");
        }

        @Override
        public void configure(ClientDetailsServiceConfigurer clients) throws     Exception {
            clients
                    .inMemory()
                    .withClient("ger-client-id")
                    .secret("ger-secret")
                    .authorizedGrantTypes("password")
                    .scopes("read", "write");
        }
    }

2- I suggest reading this Spring guide explaining the automatic configuration carried out by Spring Boot when we include the @EnableAuthorizationServer annotation, including an AuthorizationServerConfigurer bean. If you create a configuration bean extending the AuthorizationServerConfigurerAdapter as I did above, then that whole automatic configuration is disabled.

3- If the automatic configuration suits you just well, and you JUST want to manipulate the access to the /oauth/check_token endpoint, you can still do so without creating an AuthorizationServerConfigurer bean (and therefore without having to configure everything programmatically).

You'll have to add the security.oauth2.authorization.check-token-access property to the application.properties file, for example:

security.oauth2.client.client-id=ger-client-id
security.oauth2.client.client-secret=ger-secret
security.oauth2.client.scope=read,write

security.oauth2.authorization.check-token-access=permitAll()

Of course, you can give it an isAuthenticated() value if you prefer.

You can set the log level to DEBUG to check that everything is being configured as expected:

16:16:42.763 [main] DEBUG o.s.s.w.a.e.ExpressionBasedFilterInvocationSecurityMetadataSource - Adding web access control expression 'permitAll()', for Ant [pattern='/oauth/check_token']

There is no much documentation about these properties, but you can figure them out from this autoconfiguration class.

One last thing worth mentioning, even though it seems to be fixed in latest Spring versions, I just submitted an issue in the spring-security-oauth project; it seems that the token_check functionality is enabled by default if you add a trailing slash to the request:

$ curl localhost:8080/oauth/check_token/?token=fc9e4ad4-d6e8-4f57-b67e-c0285dcdeb58
{"scope":["read","write"],"active":true,"exp":1544940147,"authorities":["ROLE_USER"],"client_id":"ger-client-id"}
2
votes

There are three POST parameters, namely client_id (user name), client_secret (password corresponding to the user name), token (token applied for), client_id, client_secret are different from the parameters in the /oauth/token interface

enter image description here

1
votes

First, config token access expression:

@Override
public void configure(AuthorizationServerSecurityConfigurer securityConfigurer) throws Exception {
    securityConfigurer
            .allowFormAuthenticationForClients()
            .checkTokenAccess("isAuthenticated()")
            .addTokenEndpointAuthenticationFilter(checkTokenEndpointFilter());
}

Then, we need define a filter to process client authentication:

@Bean
public ClientCredentialsTokenEndpointFilter checkTokenEndpointFilter() {
    ClientCredentialsTokenEndpointFilter filter = new ClientCredentialsTokenEndpointFilter("/oauth/check_token");
    filter.setAuthenticationManager(authenticationManager);
    filter.setAllowOnlyPost(true);
    return filter;
}