Spring-Security-Oauth2: Full authentication is required to access this resource
Solution 1
The client_id and client_secret, by default, should go in the Authorization header, not the form-urlencoded body.
- Concatenate your client_id and client_secret, with a colon between them: abc@gmail.com:12345678
- Base64 encode the result: YWJjQGdtYWlsLmNvbToxMjM0NTY3OA==
- Set the Authorization header: Authorization: Basic YWJjQGdtYWlsLmNvbToxMjM0NTY3OA==
Solution 2
By default Spring OAuth requires basic HTTP authentication. If you want to switch it off with Java-based configuration, you have to allow form authentication for clients like this:
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;

// Nested inside the application's security configuration class, hence "protected static".
@Configuration
@EnableAuthorizationServer
protected static class OAuth2Config extends AuthorizationServerConfigurerAdapter {
    @Override
    public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
        // Accept client_id/client_secret as form parameters in addition to HTTP Basic.
        oauthServer.allowFormAuthenticationForClients();
    }
}
Solution 3
The reason is that by default the /oauth/token endpoint is protected through Basic Access Authentication. All you need to do is add the Authorization header to your request.
You can easily test it with a tool like curl by issuing the following command:
curl.exe --user abc@gmail.com:12345678 http://localhost:8081/dummy-project-web/oauth/token?grant_type=client_credentials
Solution 4
With Spring OAuth 2.0.7-RELEASE the following command works for me:
curl -v -u abc@gmail.com:12345678 -d "grant_type=client_credentials" http://localhost:9999/uaa/oauth/token
It works with Chrome POSTMAN too; just make sure you put your client and secret in the "Basic Auth" tab, set the method to "POST" and add the grant type in the "form data" tab.
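The header construction from Solution 1 and the client_credentials request from Solutions 3 and 4, as an added Python example that is not from the original answers. It builds the Authorization header, assembles the token request the way curl -u does (and, for comparison, the form-body variant from the question), and models on the server side what a Basic-authenticated /oauth/token endpoint accepts and rejects, including the form-auth switch from Solution 2. The client registry, the function names and the error codes other than the page's own "unauthorized" message are constructed for this example and are not Spring's API.

```python
import base64
import hmac
from urllib.parse import urlencode, parse_qs

# Constructed client registry for this example (Spring would hold this in its
# ClientDetailsService). Values match the question: abc@gmail.com / 12345678.
CLIENT_REGISTRY = {"abc@gmail.com": "12345678"}


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Build the Authorization header value from client_id:client_secret (Solution 1)."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_token_request(client_id: str, client_secret: str, in_header: bool = True) -> dict:
    """Assemble a client_credentials token request.

    in_header=True is what `curl -u` and Postman's "Basic Auth" tab produce;
    in_header=False is the form-body variant from the question.
    """
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    body = {"grant_type": "client_credentials"}
    if in_header:
        headers["Authorization"] = basic_auth_header(client_id, client_secret)
    else:
        body["client_id"] = client_id
        body["client_secret"] = client_secret
    return {"method": "POST", "path": "/oauth/token", "headers": headers, "body": urlencode(body)}


def parse_basic_auth(header_value: str):
    """Decode a Basic header back into (client_id, client_secret); None if malformed."""
    scheme, _, encoded = header_value.partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return None
    try:
        decoded = base64.b64decode(encoded, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    client_id, sep, secret = decoded.partition(":")
    return (client_id, secret) if sep else None


def token_endpoint(request: dict, allow_form_auth: bool = False) -> dict:
    """Model (not Spring's code) of client authentication at the token endpoint.

    Default (allow_form_auth=False): credentials must arrive in the Authorization
    header, otherwise the response is the "Full authentication is required" error
    from the question. allow_form_auth=True models allowFormAuthenticationForClients().
    """
    creds = None
    auth = request["headers"].get("Authorization")
    if auth is not None:
        creds = parse_basic_auth(auth)
    elif allow_form_auth:
        form = parse_qs(request["body"])
        if "client_id" in form and "client_secret" in form:
            creds = (form["client_id"][0], form["client_secret"][0])
    if creds is None:
        return {"status": 401, "error": "unauthorized",
                "error_description": "Full authentication is required to access this resource"}
    client_id, secret = creds
    expected = CLIENT_REGISTRY.get(client_id)
    # Constant-time comparison so the check does not leak the secret through timing.
    if expected is None or not hmac.compare_digest(expected.encode(), secret.encode()):
        return {"status": 401, "error": "invalid_client"}
    form = parse_qs(request["body"])
    if form.get("grant_type") != ["client_credentials"]:
        return {"status": 400, "error": "unsupported_grant_type"}
    return {"status": 200, "token_type": "bearer", "client_id": client_id}


if __name__ == "__main__":
    ok = build_token_request("abc@gmail.com", "12345678")
    print(ok["headers"]["Authorization"])          # Basic YWJjQGdtYWlsLmNvbToxMjM0NTY3OA==
    print(token_endpoint(ok))                      # status 200
    in_body = build_token_request("abc@gmail.com", "12345678", in_header=False)
    print(token_endpoint(in_body))                 # unauthorized, as in the question
    print(token_endpoint(in_body, allow_form_auth=True))  # status 200 once form auth is allowed
```

Running the script reproduces the question's situation: the same credentials succeed when sent as a Basic header and are rejected with "Full authentication is required" when sent only in the form body, unless form authentication for clients has been switched on.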
Solution 5
You should pre-authenticate the token API "/oauth/token": extend ResourceServerConfigurerAdapter and override the configure function to do this, e.g.:
http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
    .and().authorizeRequests()
    .antMatchers("/oauth/token").permitAll()
    .anyRequest().authenticated();
Updated on July 09, 2022
Comments
- Harmeet Singh Taara almost 2 years: I am trying to use spring-security-oauth2.0 with Java-based configuration. My configuration is done, but when I deploy the application on Tomcat and hit the /oauth/token URL for an access token, OAuth generates the following error:
<oauth> <error_description>Full authentication is required to access this resource</error_description> <error>unauthorized</error> </oauth>
My configuration is on GitHub, please click on the link. The code is large, so refer to git. I am using the Chrome Postman client to send the request. Following is my request:
POST /dummy-project-web/oauth/token HTTP/1.1
Host: localhost:8081
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials&client_id=abc%40gmail.com&client_secret=12345678
The error looks as if the URL is secured by OAuth, but in the configuration I give all permissions to access this URL. What actually is this problem?
- Dejazmach over 4 years: The error is a Spring framework error. Check my answer here.
- Harmeet Singh Taara over 9 years: I think this is used with grant_type=password; for client_credentials there is no need for this. If I am wrong, please correct me.
- Harmeet Singh Taara over 9 years: When I try this, the exception thrown is error="invalid_token", error_description="Invalid access token: abc@gmail.com". I think that to access this resource it requires an auth token, but why?
- GaryF over 9 years: No, grant_type=password is where the resource owner's user/pass (i.e. the end user) are going to be provided directly to the client. client_credentials is used when you are not authenticating the resource owner at all; just the client itself. That's what your question indicates. Use client_credentials with the scheme I indicate in my answer iff you genuinely do want to just authenticate the client, not the user.
- Harmeet Singh Taara over 9 years: Thanks @GaryF for your solution, but this still does not work; the above error is still generated: error="invalid_token", error_description="Invalid access token: abc@gmail.com". What is the problem?
- Harmeet Singh Taara over 9 years: I am using BcryptPasswordEncoder; if I remove this, the error changes to "The resource identified by this request is only capable of generating responses with characteristics not acceptable according to the request "accept" headers." I think this is generated when the response is wrong?
- Harmeet Singh Taara over 9 years: Thanks @GaryF, now it's working. I think the problem was with BcryptPasswordEncoder.
- Harmeet Singh Taara over 9 years: Again, thanks for your help, but I still have some confusion. When I send Authorization: Basic with base64 encoding in the header, I can get the token, but after the token details are received, when I access the URL there is no need to send the token in the header; I just send the basic authorization again. Why does this happen?
- Dejell about 9 years: I tried your answer, but then I get a popup to insert username and password. I try with my login and it doesn't help.
- Admin about 6 years: Can you please help me on this question: stackoverflow.com/questions/48806722/…
- Admin about 6 years: Can you please help me on this question? @maniekq can you please help me on this question: stackoverflow.com/questions/48806722/…