I'm using Spring Security OAuth2 with OAuth2RestTemplate to implement a client for an OAuth 2.0 secured REST API. The flow goes through the steps to obtain the access token successfully:
response.statusCode = 200
response.body = {"access_token":"9b90f8a84b939b8437a4fbaa8fff0052839cf6f5","expires_in":3600,"token_type":"bearer","scope":" read write","refresh_token":"e164f317a1708c3664025e9e56ce605cfe710474"}
However, when the code tries to use OAuth2RestTemplate to access the protected resource, the response is unsuccessful:
GET request for "https://redacted.com/api/v1/clients" resulted in 400 (Bad Request)
This is because DefaultOAuth2RequestAuthenticator uses the token_type value ("bearer") returned with the access_token to form the Authentication header for the request to the protected resource:
request.getHeaders().set("Authorization", String.format("%s %s", tokenType, accessToken.getValue()));
This results in the credentials field in the request Authorization header being prefixed with the string "bearer":
Request Header: "Authorization" "bearer a8f18cb3173c4cbbea44f4495dd5e5662156c391"
However, according to the OAuth 2.0 Bearer Token Usage spec section 2.1 Authorization Request Header field, the format of the credentials field is:
credentials = "Bearer" 1*SP b64token
Note that in the spec, "Bearer" is upper-case. This means that the request header should be:
Request Header: "Authorization" "Bearer a8f18cb3173c4cbbea44f4495dd5e5662156c391"
Apparently, the provider we're sending the request to implements the spec narrowly because the capitalization issue ("bearer" vs. "Bearer") is what's causing the request to the protected resource to fail. When I change DefaultOAuth2RequestAuthenticator to coerce the prefix to title case, the request succeeds:
if ("bearer".equals(tokenType)) {
    tokenType = "Bearer";
}
Header key = Authorization values = Bearer 8efd4381f3470660291e700e4927012f288ad66c,
Sending GET request to https://redacted.com/api/v1/clients
Received "200 OK" response for GET request to https://redacted.com/api/v1/clients: [[{"id":"999999999","client_user_id":"a1b2c3d4e5f6"...
I don't really want to have my own fork of Spring Security OAuth2 to fix this issue. How is this working for anyone? Am I missing something?
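One way to get the same result without forking the library is to plug a custom OAuth2RequestAuthenticator into the OAuth2RestTemplate, which already exposes a setAuthenticator method for exactly this purpose. The class below is an added example, not code from the question or from Spring Security OAuth2; it mirrors what DefaultOAuth2RequestAuthenticator does (take the token from the client context, fail if there is none, set the Authorization header) but normalizes any case variant of "bearer" to the RFC 6750 spelling via OAuth2AccessToken.BEARER_TYPE, while leaving other token types untouched. The resource details and client context in main are assumed to be configured elsewhere; the token values in the comments are constructed.

```java
import org.springframework.http.client.ClientHttpRequest;
import org.springframework.security.oauth2.client.OAuth2ClientContext;
import org.springframework.security.oauth2.client.OAuth2RequestAuthenticator;
import org.springframework.security.oauth2.client.OAuth2RestTemplate;
import org.springframework.security.oauth2.client.resource.AccessTokenRequiredException;
import org.springframework.security.oauth2.client.resource.OAuth2ProtectedResourceDetails;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.util.StringUtils;

/**
 * Added example (not part of the original post or of Spring Security OAuth2):
 * an OAuth2RequestAuthenticator that writes the Authorization header with the
 * RFC 6750 spelling "Bearer" regardless of how the token endpoint spelled token_type.
 */
public class BearerCaseAuthenticator implements OAuth2RequestAuthenticator {

    /**
     * Builds the credentials part of the Authorization header.
     * A missing token type or any case variant of "bearer" becomes "Bearer";
     * other schemes (e.g. "mac") are passed through unchanged.
     */
    static String credentials(String tokenType, String tokenValue) {
        if (!StringUtils.hasText(tokenType)
                || OAuth2AccessToken.BEARER_TYPE.equalsIgnoreCase(tokenType)) {
            tokenType = OAuth2AccessToken.BEARER_TYPE; // the constant is "Bearer"
        }
        return tokenType + " " + tokenValue;
    }

    @Override
    public void authenticate(OAuth2ProtectedResourceDetails resource,
                             OAuth2ClientContext clientContext,
                             ClientHttpRequest request) {
        OAuth2AccessToken accessToken = clientContext.getAccessToken();
        if (accessToken == null) {
            // Same failure the default authenticator raises; lets the template fetch a token.
            throw new AccessTokenRequiredException(resource);
        }
        request.getHeaders().set("Authorization",
                credentials(accessToken.getTokenType(), accessToken.getValue()));
    }

    /** Wiring: replace the default authenticator on an existing OAuth2RestTemplate. */
    public static OAuth2RestTemplate configure(OAuth2ProtectedResourceDetails resource,
                                               OAuth2ClientContext clientContext) {
        OAuth2RestTemplate template = new OAuth2RestTemplate(resource, clientContext);
        template.setAuthenticator(new BearerCaseAuthenticator());
        return template;
    }

    public static void main(String[] args) {
        // Constructed token values; the provider in the question returned "bearer".
        System.out.println(credentials("bearer", "0123abcd")); // Bearer 0123abcd
        System.out.println(credentials("Bearer", "0123abcd")); // Bearer 0123abcd
        System.out.println(credentials(null, "0123abcd"));     // Bearer 0123abcd
        System.out.println(credentials("mac", "0123abcd"));    // mac 0123abcd
    }
}
```

Normalizing the scheme is safe for lenient resource servers as well: RFC 7235 defines the auth-scheme token as case-insensitive, so a server that accepts "bearer" also accepts "Bearer", while a server that only matches the exact RFC 6750 spelling needs the upper-case form. Keeping the check to a case-insensitive comparison against the constant, rather than a string replace on the whole header, avoids accidentally rewriting a non-bearer token type the provider might issue.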