I am trying to implement a RESTful web service with OAuth using this guide: https://spring.io/guides/tutorials/bookmarks
I can successfully retrieve a token:
curl -v -u android-bookmarks:123456 -X POST http://localhost:8080/oauth/token -H "Accept: application/json" -d "password=password&username=User1&grant_type=password&scope=write&client_secret=12345&client_id=android-bookmarks"
Response:
{"access_token":"cdafc45f-924a-4f87-8bd0-e3e2bdffa540","token_type":"bearer","refresh_token":"609efba8-edd3-4ea3-be7b-78e449cec0ef","expires_in":43199,"scope":"write"}* Connection #0 to host localhost left intact
When I try to access the resource:
curl -G http://localhost:8080/bookmarks -H "Authorization: Bearer cdafc45f-924a-4f87-8bd0-e3e2bdffa540"
I get the following response:
{"error":"access_denied","error_description":"Invalid token does not contain resource id (oauth2-resource)"}
The Java class setting the resource id:
@Configuration
@EnableResourceServer
@EnableAuthorizationServer
public class OAuth2Configuration extends AuthorizationServerConfigurerAdapter {

    public static final String RESOURCE_ID = "bookmarks";

    @Autowired
    AuthenticationManagerBuilder authenticationManager;

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints)
            throws Exception {
        endpoints.authenticationManager(new AuthenticationManager() {
            @Override
            public Authentication authenticate(Authentication authentication)
                    throws AuthenticationException {
                return authenticationManager.getOrBuild().authenticate(
                        authentication);
            }
        });
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients)
            throws Exception {
        clients.inMemory()
                .withClient("android-" + RESOURCE_ID)
                .authorizedGrantTypes("password", "authorization_code", "refresh_token")
                .authorities("ROLE_USER")
                .scopes("write")
                .secret("123456")
                .resourceIds(RESOURCE_ID);
    }
}
When I change this code to:
clients.inMemory()
        .withClient("android-" + applicationName)
        .authorizedGrantTypes("password", "authorization_code", "refresh_token")
        .authorities("ROLE_USER")
        .scopes("write")
        .secret("123456");
I can access the resource with the previously mentioned (curl) commands successfully.
When the Authorization Server grants authorization to a client, you can set which Resource Server services the client can access. The purpose of configuring a resource ID for a client in the authorization server is to restrict the resource services that the client can access.
It turns out that I had to implement the interface ResourceServerConfigurerAdapter. The following implementation works perfectly:
@Configuration
@EnableResourceServer
public class ResourceServer extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        // @formatter:off
        http
            .requestMatchers().antMatchers("/bookmarks", "/bookmarks/**")
            .and()
            .authorizeRequests().anyRequest().access("#oauth2.hasScope('write')");
        // @formatter:on
    }

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
        resources.resourceId(OAuth2Configuration.RESOURCE_ID);
    }
}
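As an added illustration (not code from the question, the answer, or Spring's own sources), the rule behind the error message above, modelled on the resource-id check a Spring Security OAuth resource server applies to an incoming bearer token; the class and method names here are my own, and the three scenarios reproduce the question's failing setup, the accepted answer, and the workaround of dropping .resourceIds(...):

```java
import java.util.Collections;
import java.util.Set;

public class ResourceIdCheckDemo {

    /** Raised when a token is not valid for the resource server handling the request. */
    static class AccessDeniedException extends RuntimeException {
        AccessDeniedException(String message) { super(message); }
    }

    /**
     * If the token carries a non-empty set of resource ids (copied from the client's
     * .resourceIds(...) registration) and the resource server's own id is not among them,
     * the request is rejected. A token with no resource ids is accepted by every resource
     * server. The server id defaults to "oauth2-resource" unless set via resources.resourceId(...).
     */
    static void checkResourceId(Set<String> tokenResourceIds, String serverResourceId) {
        if (serverResourceId != null && tokenResourceIds != null
                && !tokenResourceIds.isEmpty() && !tokenResourceIds.contains(serverResourceId)) {
            throw new AccessDeniedException(
                    "Invalid token does not contain resource id (" + serverResourceId + ")");
        }
    }

    static String outcome(Set<String> tokenResourceIds, String serverResourceId) {
        try {
            checkResourceId(tokenResourceIds, serverResourceId);
            return "granted";
        } catch (AccessDeniedException e) {
            return "denied: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        Set<String> bookmarksOnly = Collections.singleton("bookmarks");
        // 1. Question's setup: client registered with resourceIds("bookmarks"), resource server
        //    left at its default id -> the exact error shown in the question.
        System.out.println(outcome(bookmarksOnly, "oauth2-resource"));
        // 2. Accepted answer: resource server declares resourceId("bookmarks") -> granted.
        System.out.println(outcome(bookmarksOnly, "bookmarks"));
        // 3. Workaround of removing .resourceIds(...): the token carries no ids, so any resource
        //    server accepts it -> granted, but the client is no longer confined to the bookmarks API.
        System.out.println(outcome(Collections.emptySet(), "oauth2-resource"));
    }
}
```

Scenario 3 is why the questioner's second configuration "worked": it did not fix the mismatch, it removed the restriction that the resource id was meant to enforce.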