what are the java* configuration for oauth2 to return token after authentication

0
votes

Hi I am using spring boot for my project so I am not using xml for any of my configurations, only java. I am using this project on github as a reference https://github.com/techdev-solutions/jaxenter-showcase .

When I make a request(http://localhost:8081/oauth/authorize?client_id=web&response_type=token with username and password in header) for the token it returns the redirect html site not the token.. How do I configure oauth2 to return the token in the response.

If I send a request using curl it gives me exactly what I want: curl curl:password@localhost:8081/oauth/token\?grant_type=client_credentials

if I try to mimic the same request via a http client http://localhost:8081/oauth/token?client_secret=password&client_id=curl&grant_type=client_credentials

I get 401 unauthorized

Here is my java config:

package de.techdev.jaxenter;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JdbcTokenStore;

import javax.sql.DataSource;

/**
 * @author Moritz Schulze
 */
@Configuration
@EnableAuthorizationServer
public class OAuthConfiguration extends AuthorizationServerConfigurerAdapter {

    @Autowired
    private DataSource dataSource;

    @Bean
    public TokenStore tokenStore() {
        return new JdbcTokenStore(dataSource);
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.tokenStore(tokenStore());
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
        .withClient("curl") //curl curl:password@localhost:8081/oauth/token\?grant_type=client_credentials
        .authorities("ROLE_ADMIN")
        .resourceIds("jaxenter")
        .scopes("read", "write")
        .authorizedGrantTypes("client_credentials")
        .secret("password")
        .and()
        .withClient("web") //http://localhost:8081/oauth/authorize?client_id=web&response_type=token
        .redirectUris("http://github.com/techdev-solutions/")
        .authorities("ROLE_ADMIN")
        .resourceIds("jaxenter")
        .scopes("read, write")
        //.authorizedGrantTypes("implicit")
        .authorizedGrantTypes("implicit","client_credentials")
        .autoApprove(true)
        .secret("password")
        .and()
        .withClient("my-trusted-client")
            .authorizedGrantTypes("password","authorization_code","refresh_token","implicit","redirect")
            .authorities("ROLE_CLIENT", "ROLE_TRUSTED_CLIENT")
            .scopes("read", "write", "trust")
            .redirectUris("http://localhost:8080")
            .authorizedGrantTypes("implicit")
            .accessTokenValiditySeconds(60)
            .refreshTokenValiditySeconds(30);
    }
}

package de.techdev.jaxenter;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/**
 * @author Moritz Schulze
 */
@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .withUser("John").roles("ADMIN").password("password")
            .and()
            .withUser("Mary").roles("BASIC").password("password");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/**").authenticated()
            .and().httpBasic().realmName("OAuth Server");
    }
}

also discovered a post with similar issue that is unresolved Spring Security OAUTH2 getting token with username/password

1
securityjakarta-eespring-securityoauth-2.0spring-boot

1 Answers

0
votes

first of all you always have to provide grant type

http://username:[email protected] format is pretty much no more supproted , https://code.google.com/p/chromium/issues/detail?id=82250#c7 so your problem is probably with passing credentials to the authorizng server, it is the browser issue not the configuration of the Oauth and I am not really sure why you would want to acces /oauth/token directly in web browser, if you are loging with spring application you have bunch of Oauth restTemplates and they work fine with this scenario, oauth is not just any basic login feature it allows one server to establish connection with some other server with the use of token and use its resources, if you want to log into that server directly with web browser you should provide the way to do so

for example if you already acquire token with your curl and try to acces the resource you can try to pass it in web browser beacuse you do not need authentication anymore just add Bearer e2cb0291-596c-48e0-8e93-2b29b2881406(sample token )as header and it will work this time