Spring-Security-Oauth2: Full authentication is req

2019-01-17 03:46发布

站内问答 / Java
1191 6 4

I am trying to use spring-security-oauth2.0 with Java based configuration. My configuration is done, but when i deploy application on tomcat and hit the /oauth/token url for access token, Oauth generate the follwoing error: 

<oauth>
<error_description>Full authentication is required to access this resource</error_description>
<error>unauthorized</error>
</oauth>

My configuration is on Git hub, please click on link

The code is large, so refer to git. I am using chrome postman client for send request. follwing is my request. 

POST /dummy-project-web/oauth/token HTTP/1.1
Host: localhost:8081
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials&client_id=abc%40gmail.com&client_secret=12345678

The error is just like, the URL is secure by Oauth, but in configuration, i give the all permission for access this URL. What actual this problem is?

6条回答
不美不萌又怎样
2楼-- · 2019-01-17 04:21

You should pre authenticate the token apis "/oauth/token"

extend ResourceServerConfigurerAdapter and override configure function to do this.

eg:

http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and().authorizeRequests().antMatchers("/oauth/token").permitAll().
anyRequest().authenticated();
查看更多
0人赞 添加讨论(0) 举报
虎瘦雄心在
3楼-- · 2019-01-17 04:27

The reason is that by default the /oauth/token endpoint is protected through Basic Access Authentication.

All you need to do is add the Authorization header to your request.

You can easily test it with a tool like curl by issuing the following command:

curl.exe --user abc@gmail.com:12345678 http://localhost:8081/dummy-project-web/oauth/token?grant_type=client_credentials

查看更多
0人赞 添加讨论(0) 举报
再贱就再见
4楼-- · 2019-01-17 04:28

setting management.security.enabled=false in application.properties resolved the issue for me.

查看更多
0人赞 添加讨论(0) 举报
够拽才男人
5楼-- · 2019-01-17 04:30

The client_id and client_secret, by default, should go in the Authorization header, not the form-urlencoded body.

  1. Concatenate your client_id and client_secret, with a colon between them: abc@gmail.com:12345678.
  2. Base 64 encode the result: YWJjQGdtYWlsLmNvbToxMjM0NTY3OA==
  3. Set the Authorization header: Authorization: Basic YWJjQGdtYWlsLmNvbToxMjM0NTY3OA==
查看更多
0人赞 添加讨论(0) 举报
Rolldiameter
6楼-- · 2019-01-17 04:33

With Spring OAuth 2.0.7-RELEASE the following command works for me

curl -v -u abc@gmail.com:12345678 -d "grant_type=client_credentials" http://localhost:9999/uaa/oauth/token

It works with Chrome POSTMAN too, just make sure you client and secret in "Basic Auth" tab, set method to "POST" and add grant type in "form data" tab.

查看更多
0人赞 添加讨论(0) 举报
乱世女痞
7楼-- · 2019-01-17 04:36

By default Spring OAuth requires basic HTTP authentication. If you want to switch it off with Java based configuration, you have to allow form authentication for clients like this:

@Configuration
@EnableAuthorizationServer
protected static class OAuth2Config extends AuthorizationServerConfigurerAdapter {
  @Override
  public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
    oauthServer.allowFormAuthenticationForClients();
  }
}
查看更多
0人赞 添加讨论(0) 举报
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(4)