I am looking at a Spring boot project which has this code:
    public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
        oauthServer
            .tokenKeyAccess("permitAll()")
            .checkTokenAccess("isAuthenticated()");
    }

Unfortunately, I am not able to find any resources anywhere (i.e. Google, Spring docs, Spring oauth docs) that explain to me how to actually use AuthorizationServerSecurityConfigurer. Moreover, I do not understand exactly what tokenKeyAccess("permitAll()") or checkTokenAccess("isAuthenticated()") do.
Other than helping me understand what those two functions do, please help me learn where to look for these types of information in the future.
Spring Security OAuth exposes two endpoints for checking tokens (/oauth/check_token and /oauth/token_key). Those endpoints are not exposed by default (they have access "denyAll()").
So if you want to verify the tokens with this endpoint you'll have to add this to your authorization server's config:
    @Override
    public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
        oauthServer
            .tokenKeyAccess("isAnonymous() || hasAuthority('ROLE_TRUSTED_CLIENT')")
            .checkTokenAccess("hasAuthority('ROLE_TRUSTED_CLIENT')");
    }
Some more details can be found in the "Resource Server Configuration" section of the Spring Security OAuth2 documentation.
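To show how the answer's access expressions fit together end to end, here is an added example (not code from the question or the answer): an authorization server that grants ROLE_TRUSTED_CLIENT to one registered client and restricts /oauth/check_token to it, next to a resource server that uses RemoteTokenServices to call that endpoint. The client id, secret, endpoint URL and the {noop} password-encoder prefix are placeholder assumptions.

```java
// Added example: trusted-client-only token introspection with Spring Security OAuth2.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.RemoteTokenServices;

@Configuration
@EnableAuthorizationServer
class TrustedCheckTokenAuthServerConfig extends AuthorizationServerConfigurerAdapter {
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        // The only client allowed to introspect tokens; ROLE_TRUSTED_CLIENT is the authority the SpEL below checks.
        clients.inMemory()
            .withClient("resource-server")          // placeholder client id
            .secret("{noop}change-me")               // placeholder secret; {noop} assumes DelegatingPasswordEncoder
            .authorizedGrantTypes("client_credentials")
            .authorities("ROLE_TRUSTED_CLIENT")
            .scopes("introspect");
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer oauthServer) {
        // /oauth/token_key: anyone may fetch the public verification key.
        // /oauth/check_token: only an authenticated client holding ROLE_TRUSTED_CLIENT.
        oauthServer
            .tokenKeyAccess("permitAll()")
            .checkTokenAccess("hasAuthority('ROLE_TRUSTED_CLIENT')");
    }
}

@Configuration
@EnableResourceServer
class RemoteCheckResourceServerConfig extends ResourceServerConfigurerAdapter {
    @Bean
    public RemoteTokenServices remoteTokenServices() {
        // Validates each bearer token by calling /oauth/check_token as the trusted client registered above.
        RemoteTokenServices services = new RemoteTokenServices();
        services.setCheckTokenEndpointUrl("http://auth-server.example/oauth/check_token"); // placeholder URL
        services.setClientId("resource-server");
        services.setClientSecret("change-me");
        return services;
    }

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        resources.tokenServices(remoteTokenServices());
    }
}
```

With this split, an unauthenticated caller gets 401 from /oauth/check_token, so token validity cannot be probed anonymously, while the resource server still validates tokens it receives.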