9
votes

I'm trying to use a refresh token in a Spring OAuth application without success. The system will issue a refresh token on a password grant:

  {
  "access_token": "xxxxx",
  "token_type": "bearer",
  "refresh_token": "xxxxxx",
  "expires_in": 21599,
  "scope": "read write"
}

But trying to use the refresh token results in the following error:

curl -u acme -d "grant_type=refresh_token&refresh_token=xxxxxx" http://localhost:9999/uaa/oauth/token

{
  "error": "invalid_token",
  "error_description": "Cannot convert access token to JSON"
}

My auth server config is as follows:

@Controller
@SessionAttributes("authorizationRequest")
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
@EnableResourceServer
@ImportResource("classpath:/spring/application-context.xml")
@Configuration
public class ApplicationConfiguration extends WebMvcConfigurerAdapter {

    @RequestMapping("/user")
    @ResponseBody
    public Principal user(Principal user) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        System.out.println(auth.toString());
        return user;
    }

    @Override
    public void addViewControllers(ViewControllerRegistry registry) {
        registry.addViewController("/login").setViewName("login");
        registry.addViewController("/oauth/confirm_access").setViewName("authorize");
    }

    @Configuration
    @Order(-20)
    protected static class LoginConfig extends WebSecurityConfigurerAdapter {

        @Autowired
        private AuthenticationManager authenticationManager;

        @Override
        protected void configure(HttpSecurity http) throws Exception {

            http.csrf().disable();

            // @formatter:off
            http
                .formLogin().loginPage("/login").permitAll()
            .and()
                .requestMatchers().antMatchers("/login", "/oauth/authorize", "/oauth/confirm_access")
            .and()
                .authorizeRequests().anyRequest().authenticated();
            // @formatter:on

        }

        @Bean
        @Override
        public AuthenticationManager authenticationManagerBean() throws Exception {
            return super.authenticationManagerBean();
        }
    }

    @Configuration
    public static class JwtConfiguration {

        @Bean
        public JwtAccessTokenConverter jwtAccessTokenConverter() {
            JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
            KeyPair keyPair = new KeyStoreKeyFactory(new ClassPathResource("keystore.jks"), "foobar".toCharArray())
                    .getKeyPair("test");
            converter.setKeyPair(keyPair);
            return converter;
        }

        @Bean
        public JwtTokenStore jwtTokenStore() {
            return new JwtTokenStore(jwtAccessTokenConverter());
        }
    }

    @Configuration
    @EnableAuthorizationServer
    protected static class OAuth2AuthorizationConfig extends AuthorizationServerConfigurerAdapter implements
            EnvironmentAware {

        private static final String ENV_OAUTH = "authentication.oauth.";
        private static final String PROP_CLIENTID = "clientid";
        private static final String PROP_SECRET = "secret";
        private static final String PROP_TOKEN_VALIDITY_SECONDS = "tokenValidityInSeconds";

        private RelaxedPropertyResolver propertyResolver;

        @Autowired
        private AuthenticationManager authenticationManager;

        @Autowired
        private JwtAccessTokenConverter jwtAccessTokenConverter;

        @Autowired
        private JwtTokenStore jwtTokenStore;

        @Autowired
        @Qualifier("myUserDetailsService")
        private UserDetailsService userDetailsService;

        @Autowired
        private DataSource dataSource;

        @Override
        public void setEnvironment(Environment environment) {
            this.propertyResolver = new RelaxedPropertyResolver(environment, ENV_OAUTH);
        }

        @Bean
        public TokenEnhancer tokenEnhancer() {
            return new CustomTokenEnhancer();
        }

        @Bean
        @Primary
        public DefaultTokenServices tokenServices() {
            DefaultTokenServices tokenServices = new DefaultTokenServices();
            tokenServices.setSupportRefreshToken(true);
            tokenServices.setTokenStore(jwtTokenStore);
            tokenServices.setAuthenticationManager(authenticationManager);
            tokenServices.setTokenEnhancer(tokenEnhancer());
            return tokenServices;
        }

        @Override
        public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
            TokenEnhancerChain tokenEnhancerChain = new TokenEnhancerChain();
            // The order is important here - the custom enhancer must come before the jwtAccessTokenConverter.
            tokenEnhancerChain.setTokenEnhancers(Arrays.asList(tokenEnhancer(), jwtAccessTokenConverter));
            endpoints
                    .authenticationManager(authenticationManager)
                    .tokenEnhancer(tokenEnhancerChain)
                    .tokenStore(jwtTokenStore)
                    .userDetailsService(userDetailsService);
        }

        @Override
        public void configure(AuthorizationServerSecurityConfigurer oauthServer)
                throws Exception {
            oauthServer.tokenKeyAccess("permitAll()").checkTokenAccess("isAuthenticated()");
        }

        @Override
        public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
            clients.jdbc(dataSource);
                    /*.withClient(propertyResolver.getProperty(PROP_CLIENTID))
                    .scopes("read", "write")
                    .autoApprove(true)
                    .authorities(ClientAuthoritiesConstants.CLIENT)
                    .authorizedGrantTypes("authorization_code", "refresh_token", "password")
                    .secret(propertyResolver.getProperty(PROP_SECRET))
                    .accessTokenValiditySeconds(propertyResolver.getProperty(PROP_TOKEN_VALIDITY_SECONDS, Integer
                    .class, 1800));*/
        }
    }

    /**
     * Configures the global LDAP authentication
     */
    @Configuration
    protected static class AuthenticationConfiguration extends GlobalAuthenticationConfigurerAdapter implements EnvironmentAware {

        private static final String ENV_LDAP = "authentication.ldap.";
        private static final String PROP_SEARCH_BASE = "userSearchBase";
        private static final String PROP_SEARCH_FILTER = "userSearchFilter";
        private static final String PROP_GROUP_SEARCH_FILTER = "groupSearchFilter";
        private static final String PROP_LDAP_URL = "url";
        private static final String PROP_LDAP_USER = "userDn";
        private static final String PROP_LDAP_PASS = "password";

        private RelaxedPropertyResolver propertyResolver;

        /**
         * Maps the LDAP user to the Principle that we'll be using in the app
         */
        public UserDetailsContextMapper userDetailsContextMapper() {
            return new UserDetailsContextMapper() {
                @Override
                public UserDetails mapUserFromContext(DirContextOperations ctx, String username,
                                                      Collection<? extends GrantedAuthority> authorities) {
                    // Get the common name of the user
                    String commonName = ctx.getStringAttribute("cn");
                    // Get the users email address
                    String email = ctx.getStringAttribute("mail");
                    // Get the domino user UNID
                    String uId = ctx.getStringAttribute("uid");
                    return new CustomUserDetails(email, "", commonName, authorities);
                }

                @Override
                public void mapUserToContext(UserDetails user, DirContextAdapter ctx) {
                    throw new IllegalStateException("Only retrieving data from LDAP is currently supported");
                }

            };
        }

        @Override
        public void setEnvironment(Environment environment) {
            this.propertyResolver = new RelaxedPropertyResolver(environment, ENV_LDAP);
        }

        @Override
        public void init(AuthenticationManagerBuilder auth) throws Exception {
            auth
                    .ldapAuthentication()
                    .userSearchBase(propertyResolver.getProperty(PROP_SEARCH_BASE))
                    .groupSearchBase(propertyResolver.getProperty(PROP_SEARCH_BASE))
                    .userSearchFilter(propertyResolver.getProperty(PROP_SEARCH_FILTER))
                    .groupSearchFilter(propertyResolver.getProperty(PROP_GROUP_SEARCH_FILTER))
                    .userDetailsContextMapper(userDetailsContextMapper())
                    .contextSource()
                    .url(propertyResolver.getProperty(PROP_LDAP_URL))
                    .managerDn(propertyResolver.getProperty(PROP_LDAP_USER))
                    .managerPassword(propertyResolver.getProperty(PROP_LDAP_PASS));
        }
    }
}

Anyone have any ideas why the auth server isn't issuing a new token when given a valid refresh token?

5

5 Answers

11
votes

had this issue. i was sending the "Bearer xxxxxx..." and the TokenEnhancer was expecting just "xxxxx..." without the "Bearer " prefix

4
votes

I had the same issue. After some debugging it turned out my signature did not match.

In my case i set-up keys a bit differently, and there is a bug where the signing and verifying key miss-match.

https://github.com/spring-projects/spring-security-oauth/issues/1144

1
votes

Also has same issue with Spring Boot 1.5.4

It is really actual that jwtAccessTokenConverter.setVerifierKey(publicKey);doesn't really set verifier(in debug value is null) that is used in -

JwtAccessTokenConverter
...protected Map<String, Object> decode(String token) {
        try {
            Jwt jwt = JwtHelper.decodeAndVerify(token, verifier);

as workaround helped:

private JwtAccessTokenConverter jwtAccessTokenConverter() {
        JwtAccessTokenConverter jwtAccessTokenConverter = new CustomTokenEnhancer();
        jwtAccessTokenConverter.setSigningKey(jwtSigningKey);
        jwtAccessTokenConverter.setVerifier(new RsaVerifier(jwtPublicKey));
        log.info("Set JWT signing key to: {}", jwtAccessTokenConverter.getKey());

        return jwtAccessTokenConverter;
    }
1
votes

It is been two years I don't if it helps anyone but my same issue was due to I was not using the tokenEnhancer I used in my JwtTokenStore in my token service provider DefaultTokenServices.

<!-- Access token converter -->
<bean id="jwtAccessTokenConverter"
      class="org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter">
    <property name="signingKey" value="${security.jwt.signing-key}"/>
</bean>

<!-- Token store -->
<bean id="jwtTokenStore"
      class="org.springframework.security.oauth2.provider.token.store.JwtTokenStore">
    <constructor-arg name="jwtTokenEnhancer" ref="jwtAccessTokenConverter"/>
</bean>

<!-- Creates token store services provider -->
<bean id="tokenServiceProvider"
      class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
    <property name="tokenStore"
              ref="jwtTokenStore"/>
    <!--This must be set according to z docs -->
    <property name="tokenEnhancer"
              ref="jwtAccessTokenConverter"/>
    <property name="supportRefreshToken"
              value="true"/>
    <property name="accessTokenValiditySeconds"
              value="${security.jwt.access-token-validity-seconds}"/>
    <property name="refreshTokenValiditySeconds"
              value="${security.jwt.refresh-token-validity-seconds}"/>
</bean>
-1
votes

So it looks like the issue was an invalid refresh_token format. Due to my config, what the auth server was expecting was a valid JWT, whereas I was sending it a plain bearer token. Hence the error message 'cannot convert token to JSON'.

Incidentally, I found this document useful in understanding how all the parts of Spring OAuth fit together, which led me to figuring out what was going on here:

https://github.com/spring-projects/spring-security-oauth/blob/master/docs/oauth2.md