Questions tagged [spring-security-oauth2]

Votes: 1 | Answers: 1 | Views: 435

Does Spring Security OAuth2 support Authorization Code Flow with PKCE for browser (Angular) clients?

Browser applications auth used to be managed using the Implicit grant of the Authorization Server. I successfully implemented this using Spring Security Oauth. This approach has several drawbacks: Refresh tokens are not supported, so when the token expires we need to reauthenticate with the Authoriz...
codependent
Votes: 1 | Answers: 2 | Views: 6.1k

How to make the refresh token life long valid and issue a new refresh token each time a new refresh_token grant_type comes in spring security oauth2

I am using spring security oauth2 for authentication for my android application clients. When the client request comes with grant_type as password the server issues the access token and refresh token. If the access token expires I can issue a new access token by sending a request with grant_type as re...
KJEjava48
Votes: -1 | Answers: 0 | Views: 14

Class file for org.springframework.transaction.annotation.Transactional not found - not using @Transactional

I'm following this guide and after adding the JWT Token Store config from Step 3: @Bean public TokenStore tokenStore() { return new JwtTokenStore(accessTokenConverter()); } @Bean public JwtAccessTokenConverter accessTokenConverter() { JwtAccessTokenConverter converter = new JwtAccessTokenConverter()...
Ian
Votes: 1 | Answers: 0 | Views: 1.3k

Getting 403 Forbidden when trying to get authorization code using the authorization code grant type

I have resource, authorization written using Spring boot and OAuth2. The resources are going to be accessed by another web server application. So I thought of using the authorization code grant type but I also want to skip the approval screen. I sent the following URL to the auth server to get the author...
user9225538
Votes: 1 | Answers: 0 | Views: 656

Spring Security OAuth2 Could not obtain access token

I have a spring security oauth client which is authenticating against a custom auth0 provider. For getting the UserAuthorizationUri, I need to make a post request to a rest endpoint which is a wrapper on top of auth0. So I have extended OAuth2ClientContextFilter and used a custom redirect strategy. N...
Pradeep S
Votes: 1 | Answers: 0 | Views: 1.5k

How to add client authentication filter for spring security oauth2?

I'm getting error at /oauth/token InsufficientAuthenticationException: There is no client authentication. Try adding an appropriate authentication filter I think @EnableAuthorizationServer is supposed to add the client authentication filter automatically. But I guess I may be wrong. I use authorizat...
eugene
Votes: 1 | Answers: 1 | Views: 455

OAuth2RestTemplate "Access token denied."

Trying to setup oauth2 authentication with 3rd party provider and it looks like for some reason it is not passing the client_id to the server. @Bean(name = 'oauth2RestTemplate') public OAuth2RestTemplate oauth2RestTemplate() { ArrayList
ramkris
Votes: 1 | Answers: 1 | Views: 383

Return OAuth Access Token in header or POST

I have a Spring OAuth2 server set up and it's working fine when the clients authenticate. The issue is that when the client is the browser the access token is shown on the redirect URL on the address bar and the browser remembers it. Is there a way for the Authentication server to send back the acc...
FourtyTwo
Votes: 1 | Answers: 0 | Views: 446

Setting order of CORS filter in Spring application

I have developed RESTful application with Spring (I am not using Spring boot) and Spring security OAuth2 for endpoints security. To allow CORS request in web browsers, I have added a CORS filter in my AbstractAnnotationConfigDispatcherServletInitializer in onStartup method for my oauth endpoint like...
NimaAJ
Votes: 1 | Answers: 0 | Views: 474

PreAuthorize not getting honored over ResourceServerConfigurerAdaptor

I have a Spring Resource Server with Spring Security enabled. In Resource Server, I am extending the ResourceServerConfigurerAdaptor, some like the following. @Configuration @EnableResourceServer public class ResourceServerConfiguration extends ResourceServerConfigurerAdapter { @Override public voi...
Munish Chandel
Votes: 1 | Answers: 0 | Views: 131

Spring: OAuth2 scheduled request after gotten information once

I am trying to request an object via oauth2 authentication with spring security and then try to use those credentials in my service, which is supposed to request data in fixed intervals. The SleepController's purpose is to initially get data and as a side effect cache the important data for the se...
ByteBiter
Votes: 1 | Answers: 0 | Views: 352

What is the purpose of the realm method in AuthorizationServerSecurityConfigurer?

Looking at the (practically non-existent) documentation for AuthorizationServerSecurityConfigurer I do not see any description for the realm method. What is its purpose? https://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth2/config/annotation/web/configurers/Auth...
zero01alpha
Votes: 1 | Answers: 1 | Views: 120

Find all tokens issued for a specified user by username

How can I find all the tokens issued for a user to all clients by username? Currently, org.springframework.security.oauth2.provider.token.TokenStore provides only one API method that allows token search by username, which is findTokensByClientIdAndUserName. To search for all the tokens issued to all...
schatten
Votes: 1 | Answers: 1 | Views: 270

Spring Security OAuth2 Resource Server retry/resilience

I’m developing a Resource Server using Spring Security OAuth2 (http://projects.spring.io/spring-security-oauth/docs/oauth2.html) which interacts with Authorization Server to retrieve/validate Auth Tokens. The OAuth Flow used here is ‘client credentials’. The Application is working fine when Re...
Haran
Votes: 1 | Answers: 0 | Views: 263

Apache Superset oauth2 with custom Spring-Security OAuth2 server

I am using Apache Superset and trying to configure its OAuth2 capability to connect to my (custom) Spring-Security OAuth2 server. Unfortunately, it ain't working right now. The stack trace begins with this. 15:09:16.584 [qtp1885996206-21] ERROR org.springframework.boot.web.support.ErrorPageFilter...
mrbarret
Votes: 1 | Answers: 1 | Views: 330

Spring boot 1.5.10 : implementing implicit grant

I am trying to implement Oauth2 with spring boot with the configurations as below. Security configuration: @Configuration @EnableWebSecurity(debug = true) @EnableGlobalMethodSecurity(prePostEnabled = true) public class SecurityConfiguration extends WebSecurityConfigurerAdapter { @Autowired private U...
Shadi
Votes: 1 | Answers: 2 | Views: 115

How can I intercept and log errors that occur when hitting the TokenEndpoint?

Given the changes in the logging that were done in https://github.com/spring-projects/spring-security-oauth/issues/1271 and https://github.com/spring-projects/spring-security-oauth/issues/1290, I think it may be hard to please everyone with the logging that is present in the token endpoint. For inst...
Ronnie76er
Votes: 1 | Answers: 0 | Views: 274

"AADSTS50058: A silent sign-in request was sent but no user is signed in

Use case: I have two applications: 1) First one is a Spring boot application, we are exposing our rest endpoint from here. I want to secure my first application using Azure AD when called from second application and I want to do it in a silent way, that is I should not be prompted for username and...
Piyush
Votes: 1 | Answers: 0 | Views: 786

Zuul not forwarding if have custom security configuration in microservice

I am facing issue when use zuul. Firstly I give information with my project. I use Zuul and Consul together in my project and I am trying to create own authentication and authorization system. For this I decide to use oAuth2 protocol with Spring Boot. So in this architecture, Zuul is receive reques...
T.Er
Votes: 1 | Answers: 1 | Views: 323

Multiple Login endpoints Spring Security OAuth2

I'm trying to implement multiple login strategies for different user roles (Spring Security OAuth2 with Spring Boot 2), and each strategy should use a different endpoint. I have 3 user types, REGULAR, EXTERNAL, CLIENT, where regular logs in via username/password, external logs in via documentId/key...
Desiderantes
Votes: 1 | Answers: 1 | Views: 911

Handling error: InvalidRequestException, Missing grant type

Can someone be of help please? I keep getting missing grant type, but the grant type exists. I have searched online but still can get a solution to it. @Configuration @EnableAuthorizationServer public class OAuth2Config extends AuthorizationServerConfigurerAdapter { @Value('${security.oauth2.client.acc...
Kunle Ajiboye
Votes: 1 | Answers: 1 | Views: 3.5k

Spring Boot Security - How to disable security for Swagger UI

I have an application with only REST endpoints. I have enabled oauth2 token security via: @Configuration @EnableAuthorizationServer public class AuthServerOAuth2Config extends AuthorizationServerConfigurerAdapter { @Override public void configure(ClientDetailsServiceConfigurer clients) throws Exce...
starman1979
Votes: 1 | Answers: 1 | Views: 948

Enable Oauth2 (Basic+password granttype) in Springboot 2.0, OAuth2LoginAuthenticationFilter class not found error

I am using spring-boot 2.0 and Spring security 5.0+ to create an authorization server based on oauth2.0. I am getting below error when tomcat is starting even when spring-security-oauth2-client is in classpath as below. org.springframework.boot spring-boot-starter-security org.springframework.securi...
Isuru Samaraweera
Votes: 1 | Answers: 0 | Views: 279

Caused by: org.springframework.security.oauth2.common.exceptions.UserDeniedAuthorizationException: Access is denied

I am developing Spring Cloud project and getting the below error when accessing the though client code not sure why I am getting Could not fetch user details: class org.springframework.security.oauth2.client.resource.OAuth2AccessDeniedException, Unable to obtain a new access token for resource 'null...
Jeff Cook
Votes: 1 | Answers: 1 | Views: 142

Passing extra query/form parameters through spring social

I'm building a Single Page Application using Spring Social and Spring Security generated by JHipster. I'm trying to capture the original query parameters after a user has been authenticated by some social authentication provider. Example: calling /signin/someprovider?show=someEntityId and after a s...
Votes: 1 | Answers: 1 | Views: 32

Apply RoleHierarchy to Client Roles

For the security roles in my application we defined a RoleHierarchy, but when we tried to check client-roles with @PreAuthorize('#oauth2.clientHasRole('somerole')') we noticed that by default our Hierarchy is not applied to Client-Roles. Is there some additional config required beyond setting the ro...
Laures
Votes: 1 | Answers: 0 | Views: 92

Spring security stateless redirect to original url issue

I'm using spring security oauth with stateless sessions. But my problem is the spring is using SPRING_SECURITY_SAVED_REQUESTS to save the source URL to which it has to redirect to after a successful login and it is maintained in the session. Since I'm using stateless session I'm always being redirec...
Alekha
Votes: 1 | Answers: 1 | Views: 302

Spring oauth2 sso example doesn't work

I am trying to repeat actions described in the official tutorial (Spring Boot and OAuth2). I am stuck on the section Hosting an Authorization Server. I tried to download all sources from github but the result is the same. I am trying to start sub project social-auth-server: I found 2 starters there: src\main\java...
gstackoverflow
Votes: 1 | Answers: 0 | Views: 159

Spring slice test with OAuth2

I'm trying to make same slice test (@WebMvcTest) but the context of application is failing to start. I write a simple test: @WebMvcTest(value = [FeedbackEndpoint, FeedbackTestConfig]) class FeedbackEndpointSliceSpec extends Specification implements SampleFeedbacks { @TestConfiguration static class F...
rechandler
Votes: 1 | Answers: 1 | Views: 30

Saving a previous authentication in Spring

As an authentication, the application (Service-X) uses a third-party internal service (Service-Y), in which all the information about the employees is stored. All internal services of the company use SSO. How to implement the ability to log in to Service-X if Service-Y is unavailable? (If I have alr...
vlavik007
Votes: 1 | Answers: 1 | Views: 170

Spring OAuth2Sso can still login user when authorization server has no access or refresh token

I'm trying to logout users using spring OAuth2. I have a server with the @EnableOAuth2Sso annotation and a different server with the @EnableAuthorizationServer annotation. The Sso server uses the authorization_code flow to sign the user in and has a logout endpoint, which in turn contacts the autho...
J. Leander
Votes: 1 | Answers: 0 | Views: 404

How to get jwt token string on service layer when user request first time using jwt, Oauth2, spring security?

I am new in development of micro-services with jwt. Here is my project structure: First micro-service is used to authenticate users by jwt and Oauth2 using username and password. This microservice is called auth-service. Login request url is like: [http://localhost:9092/oauth/[email protected]
sawai singh
Votes: 1 | Answers: 0 | Views: 2.3k

Spring Boot: Full authentication is required to access this resource in OAUTH2

I am unable to redirect the call to spring security login page. While internal redirect call takes me to http://localhost:8081/auth/login but on doing so I get below error for /login Full authentication is required to access this resource unauthorized my client side runs on 8082 and server side runs...
Mohit Darmwal
Votes: 1 | Answers: 1 | Views: 60

Getting resource from another resource in Oauth2

So here is a case: I have identity server, client application and resource(API). Identity server provides user info on the endpoint http://identityserver:8080/connect/userinfo. If you send a request with valid access token you will get additional information about user. If I need this information o...
Mário Jaroš
Votes: 1 | Answers: 0 | Views: 179

spring ABAC with Oauth token

I am planning to leverage spring security to implement a mix of Oauth (Jwt) token based with ABAC ( attributed based access control model). The ABAC is introduced in spring 5. I have looked at the implementation, but I am struggling to integrate seamlessly with Oauth token. Appreciate for any advic...
Joey
Votes: 1 | Answers: 0 | Views: 416

Spring Security OAuth2 and React SPA

I'm trying to get my head around spring security and OAuth 2.0. I have created an auth microservice which I want to use with my React SPA application where I have a login popup and register screen. Should I be creating another microservice (e.g user) which provides user management apis (e.g. login/...
Swordfish
Votes: 1 | Answers: 0 | Views: 257

spring oauth2 resource server custom logic to validate token and set authentication object

My requirement is that I want to create my resource server whose resources would be secured via an external authorization server. The external authorization server has below properties. It provides its own sign-in sign-up pages. It redirects to my resource server URL via a returnURL(resource server...
Ishank Gupta
Votes: 1 | Answers: 0 | Views: 400

How do I design a database for storing OAuth2 client details mapped to a given user using MySQL and Spring-OAuth2?

Background I am trying to make a public facing API that is gated behind an OAuth2 workflow. I've found example database designs using JPA Repositories/Spring-OAuth2, which is the framework that I'm using. I basically have this application, which is currently using an InMemory authentication, which I...
Elias Ranz
Votes: 1 | Answers: 0 | Views: 62

Springboot Oauth2 : org.springframework.security.oauth2.provider.error.DefaultWebResponseExceptionTranslator$UnauthorizedException

I am trying to implement a fully functional Spring-boot oauth2. I manage to implement a login with success credential, I get the proper response with access_token and refresh_token, using /oauth/token Using correct username and password { 'access_token': 'b8c45984-c573-4837-9ef6-6896f308a286', 'toke...
Taj Masindi
Votes: 1 | Answers: 1 | Views: 35

PCF App to App Oauth 2 grant_type = 'client_credentials' and scope uaa.resources. Local testing

I have created an app on PCF for Oauth 2 with grant_type = 'client_credentials' and scope uaa.resources. How do I test it in local without calling the actual URLs?
Jsrikoo
