
How to use AuthorizationServerSecurityConfigurer?


I am looking at a Spring boot project which has this code:

public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
    oauthServer
        .tokenKeyAccess("permitAll()")
        .checkTokenAccess("isAuthenticated()");
}

Unfortunately, I am not able to find any resources anywhere (i.e. Google, Spring docs, Spring oauth docs) that explain to me how to actually use AuthorizationServerSecurityConfigurer. Moreover, I do not understand exactly what tokenKeyAccess("permitAll()") or checkTokenAccess("isAuthenticated()") do.

Other than helping me understand what those two functions do, please help me learn where to look for these types of information in the future.

asked Aug 19 '17 02:08

KZcoding


1 Answer

Spring Security OAuth exposes two endpoints for checking tokens (/oauth/check_token and /oauth/token_key). Those endpoints are not exposed by default (have access "denyAll()").

So if you want to verify the tokens with this endpoint you'll have to add this to your authorization server's config:

@Override
public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
    oauthServer.tokenKeyAccess("isAnonymous() || hasAuthority('ROLE_TRUSTED_CLIENT')")
               .checkTokenAccess("hasAuthority('ROLE_TRUSTED_CLIENT')");
}

Some more details can be found in the "Resource Server Configuration" section of the Spring Security OAuth2 documentation.

answered Oct 02 '22 22:10

derkoe
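
An added example, not part of the question or the answer above: a complete authorization server configuration showing where the authority tested by hasAuthority('ROLE_TRUSTED_CLIENT') comes from. The client ids, the placeholder secrets, the class name and the PasswordEncoder bean are assumptions made for illustration.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;

@Configuration
@EnableAuthorizationServer
public class AuthServerConfig extends AuthorizationServerConfigurerAdapter {

    // Assumption: a PasswordEncoder bean (e.g. BCrypt) is defined elsewhere in the application.
    private final PasswordEncoder passwordEncoder;

    public AuthServerConfig(PasswordEncoder passwordEncoder) {
        this.passwordEncoder = passwordEncoder;
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
        oauthServer
            .passwordEncoder(passwordEncoder)
            // /oauth/token_key: returns the key used to verify JWT tokens.
            // Open to anonymous callers and to trusted clients.
            .tokenKeyAccess("isAnonymous() || hasAuthority('ROLE_TRUSTED_CLIENT')")
            // /oauth/check_token: the caller is an OAuth client authenticated with its
            // client id and secret, so the expression is evaluated against that client.
            .checkTokenAccess("hasAuthority('ROLE_TRUSTED_CLIENT')");
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
            // Hypothetical resource server client: allowed to call /oauth/check_token.
            .withClient("resource-server")
                .secret(passwordEncoder.encode("PLACEHOLDER-resource-server-secret"))
                .authorities("ROLE_TRUSTED_CLIENT")
                .authorizedGrantTypes("client_credentials")
                .scopes("read")
            .and()
            // Hypothetical client without the authority: can obtain tokens, but is denied on /oauth/check_token.
            .withClient("reporting-job")
                .secret(passwordEncoder.encode("PLACEHOLDER-reporting-job-secret"))
                .authorizedGrantTypes("client_credentials")
                .scopes("read");
    }
}
```

With the question's original setting checkTokenAccess("isAuthenticated()"), both registered clients could introspect tokens; restricting it to an authority limits introspection to the clients that were given that authority.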