Spring OAuth 2 Call /oauth/token Resulted in 401 (Unauthorized)


There were two issues with my configuration above.

  1. I noticed my client used the wrong secret to communicate with the authorization server.
  2. The token endpoint at the authorization server used the authentication manager that serves user authentication. As a result, clients were rejected every time until I created a new security realm for the token endpoint and configured it to use an authentication manager designed for clients.

Note that the client is different from the user. The client is a third party that wants to access resources belonging to your user (also called the resource owner).

Author: John

Updated on June 30, 2022
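One way to give the token endpoint the separate security realm the answer describes, shown as an added example rather than code from the question or the answer. The bean ids clientAuthenticationManager, clientDetailsUserService and clientAuthenticationEntryPoint are assumed names; clientDetails refers to the client-details-service already defined in the question, and the realm name is a constructed value.

```xml
<!-- Added example: a dedicated realm for /oauth/token that authenticates the
     CLIENT (client-id + secret), not the user. Declare it BEFORE the catch-all
     <http auto-config="true"> block: Spring Security uses the first <http>
     whose pattern matches the request, so the catch-all would otherwise win
     and send the client to the user login form (a 401/redirect). -->
<http pattern="/oauth/token" create-session="stateless"
      authentication-manager-ref="clientAuthenticationManager">
    <!-- anonymous access is disabled: an unauthenticated client must not
         reach the token endpoint at all -->
    <intercept-url pattern="/oauth/token" access="isFullyAuthenticated()" />
    <anonymous enabled="false" />
    <!-- client-authentication-scheme="header" on the client side means the
         client-id/secret pair arrives as HTTP Basic in the Authorization header -->
    <http-basic entry-point-ref="clientAuthenticationEntryPoint" />
    <csrf disabled="true" />
</http>

<!-- Assumed bean id: an authentication manager backed by client details,
     separate from the user authentication manager used for form login -->
<authentication-manager id="clientAuthenticationManager">
    <authentication-provider user-service-ref="clientDetailsUserService" />
</authentication-manager>

<!-- Assumed bean id: adapts the existing clientDetails service to the
     UserDetailsService contract, so the Basic credentials are checked against
     the secret declared in <oauth:client client-id="admin" secret="..."/> -->
<bean id="clientDetailsUserService"
      class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
    <constructor-arg ref="clientDetails" />
</bean>

<!-- Assumed bean id: answers a failed client authentication with an OAuth2
     style 401 and a WWW-Authenticate header instead of redirecting to a login page;
     the realm name is a constructed value -->
<bean id="clientAuthenticationEntryPoint"
      class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
    <property name="realmName" value="tough/client" />
</bean>
```

With this realm in place the remaining requirement is the answer's first point: the client-secret configured on the client-side `<oauth:resource>` must equal the secret declared on the server-side `<oauth:client>` for the same client-id, otherwise the Basic check in this realm fails and the token endpoint still returns 401. `create-session="stateless"` keeps the token endpoint from creating an HTTP session for the client, which is the expected behaviour for a machine-to-machine credential exchange.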

Comments

  • John (over 1 year ago)

    Greetings everyone, I am trying to configure a simple authorization code flow via Spring Security OAuth.

    I tested my authorisation and resource server configuration via the following approaches:

    1. Create a web application as the client and use its page to fire an HTTP POST call to /oauth/authorize.
    2. After getting the code, use the same page to fire another HTTP POST with the code and get the token.
    3. At the end, use curl -H to place the token inside the header and get the response from the protected resource.

    But when I try to use RestTemplate, it throws a 401 Unauthorised error.

    Server side - security configure:

    <http auto-config="true" pattern="/protected/**"
        authentication-manager-ref="authenticationManager">
        <custom-filter ref="resourceFilter" before="PRE_AUTH_FILTER" />
        <csrf disabled="true" />
    </http>
    
    <http auto-config="true">
        <intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
        <form-login default-target-url="/admin.html" />
        <logout logout-success-url="/welcome.html" logout-url="/logout"/>
        <csrf disabled="true" />
    </http>
    
    <authentication-manager alias="authenticationManager">
        <authentication-provider>
            <user-service>
                <user name="admin" password="123456" authorities="ROLE_USER,ROLE_ADMIN" />
            </user-service>
        </authentication-provider>
    </authentication-manager>
    

    Server side - authorisation and resource configure:

    <oauth:authorization-server
        client-details-service-ref="clientDetails" error-page="error">
        <oauth:authorization-code />
    </oauth:authorization-server>
    
    <oauth:client-details-service id="clientDetails">
        <oauth:client client-id="admin" secret="fooSecret" />
    </oauth:client-details-service>
    
    <oauth:resource-server id="resourceFilter" />
    

    Client Side:

    <oauth:client id="oauth2ClientContextFilter" />
    <oauth:resource id="sso" client-id="admin"
        access-token-uri="http://localhost:8080/tough/oauth/token"
        user-authorization-uri="http://localhost:8080/tough/oauth/authorize"
        use-current-uri="true" client-secret="secret"
        client-authentication-scheme="header" type="authorization_code"
        scope="trust" />
    <oauth:rest-template id="template" resource="sso"/>
    

    If anyone knows where this goes wrong, please let me know.