
Spring Security oauth2 client - problem with Twitter

I want to add Twitter OAuth2 to my application. Earlier I added Facebook and Google with success - I didn't have to add a provider. When I try to add the Twitter data to the application.properties file and run the server, I get this error:

Error starting Tomcat context. Exception: org.springframework.beans.factory.UnsatisfiedDependencyException. Message: Error creating bean with name 'securityConfig': Unsatisfied dependency expressed through method 'setContentNegotationStrategy' parameter 0; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.springframework.boot.autoconfigure.web.servlet.WebMvcAutoConfiguration$EnableWebMvcConfiguration': Unsatisfied dependency expressed through method 'setConfigurers' parameter 0; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.springframework.security.config.annotation.web.configuration.OAuth2ClientConfiguration$OAuth2ClientWebMvcSecurityConfiguration': Unsatisfied dependency expressed through method 'setClientRegistrationRepository' parameter 0; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.springframework.boot.autoconfigure.security.oauth2.client.servlet.OAuth2ClientRegistrationRepositoryConfiguration': Unsatisfied dependency expressed through constructor parameter 0; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'spring.security.oauth2.client-org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2ClientProperties': Invocation of init method failed; nested exception is java.lang.IllegalStateException: Client id must not be empty.

This is my configuration:

spring.security.oauth2.client.registration.facebook.clientId=<SECRET>
spring.security.oauth2.client.registration.facebook.clientSecret=<SECRET>
spring.security.oauth2.client.registration.facebook.redirect-uri=http://localhost:8080/oauth2/callback/facebook
spring.security.oauth2.client.registration.facebook.scope=public_profile email


spring.security.oauth2.client.registration.twitter.clientId=<SECRET>
spring.security.oauth2.client.registration.twitter.clientSecret=<SECRET>
spring.security.oauth2.client.registration.twitter.redirect-uri=http://localhost:8080/oauth2/callback/twitter
spring.security.oauth2.client.registration.twitter.provider=twitter
spring.security.oauth2.client.registration.twitter.authorization-grant-type=token
spring.security.oauth2.client.provider.twitter.token-uri=https://api.twitter.com/oauth/token
spring.security.oauth2.client.provider.twitter.authorization-uri=https://api.twitter.com/oauth/authorize
spring.security.oauth2.client.provider.twitter.user-info-uri=https://api.twitter.com/oauth/request_token

I added the client ID, so where is the problem? And I hope I added the OAuth URLs to the configuration correctly.

@Update I found the problem :) Typo in here:

spring.security.oauth2.client.registration.twiter.authorization-grant-type=token

@UPDATE Now I have another problem. This is my configuration:

spring.security.oauth2.client.registration.twitter.client-id=<SECRET>
spring.security.oauth2.client.registration.twitter.clientSecret=<SECRET>
spring.security.oauth2.client.registration.twitter.redirect-uri=http://localhost:8080/oauth2/callback/twitter
spring.security.oauth2.client.registration.twitter.authorization-grant-type=authorization_code
spring.security.oauth2.client.provider.twitter.token-uri=https://api.twitter.com/oauth/access_token
spring.security.oauth2.client.provider.twitter.authorization-uri=https://api.twitter.com/oauth/authorize

And after I call http://127.0.0.1:8080/oauth2/authorization/twitter I see this: [image]

JuniorWithEverything asked Oct 14 '19 16:10




1 Answer

  • Your question is about using the OAuth2 client with Twitter, and that is not possible. Twitter does not support OAuth 2.0 flows involving a user.

  • It only supports the application-only OAuth 2.0 Bearer Token:

    OAuth 2.0 Bearer Token is the application-only authentication method for authenticating with the Twitter API. As this method is specific to the application, it does not involve any users

    https://developer.twitter.com/en/docs/basics/authentication/oauth-2-0

  • For flows involving an end user, it uses OAuth 1.0a: https://developer.twitter.com/en/docs/basics/authentication/oauth-1-0a

  • As you can see in the diagram below, in the OAuth 1.0a flow your application first needs to talk to the authorisation server to get a request token and pass that token when redirecting the user to the authorisation server. And it is that token that Twitter is complaining is missing, because it is OAuth 1.0a. I.e., you are doing step B without step A.

    [image]

Diagram Reference

https://oauth.net/core/1.0/

Kavithakaran Kanapathippillai answered Sep 22 '22 00:09
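
The step A that the answer says is missing, as an added example (not part of the original answer and not Spring Security code): building the signed OAuth 1.0a request-token call with only the JDK. The endpoint and callback URL are taken from the question's configuration; the consumer key and secret are placeholders, and the class and method names are hypothetical.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Map;
import java.util.TreeMap;
import java.util.UUID;
import java.util.stream.Collectors;

public class RequestTokenStep {
    // RFC 3986 percent-encoding as OAuth 1.0a requires (URLEncoder differs on space, '*' and '~').
    static String enc(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8)
                .replace("+", "%20").replace("*", "%2A").replace("%7E", "~");
    }

    // Signature base string: METHOD & encoded URL & encoded, name-sorted "k=v&k=v" parameter string.
    static String baseString(String method, String url, Map<String, String> params) {
        String joined = new TreeMap<>(params).entrySet().stream()
                .map(e -> enc(e.getKey()) + "=" + enc(e.getValue()))
                .collect(Collectors.joining("&"));
        return method + "&" + enc(url) + "&" + enc(joined);
    }

    // HMAC-SHA1 keyed with "consumerSecret&tokenSecret"; in step A no token exists yet, so tokenSecret is "".
    static String sign(String base, String consumerSecret, String tokenSecret) throws Exception {
        byte[] key = (enc(consumerSecret) + "&" + enc(tokenSecret)).getBytes(StandardCharsets.UTF_8);
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(key, "HmacSHA1"));
        return Base64.getEncoder().encodeToString(mac.doFinal(base.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        String url = "https://api.twitter.com/oauth/request_token";
        Map<String, String> p = new TreeMap<>();
        p.put("oauth_callback", "http://localhost:8080/oauth2/callback/twitter");
        p.put("oauth_consumer_key", "CONSUMER_KEY_PLACEHOLDER");      // placeholder, not a real key
        p.put("oauth_nonce", UUID.randomUUID().toString().replace("-", ""));
        p.put("oauth_signature_method", "HMAC-SHA1");
        p.put("oauth_timestamp", Long.toString(System.currentTimeMillis() / 1000));
        p.put("oauth_version", "1.0");
        // The signature covers every parameter above; it is added only after the base string is built.
        p.put("oauth_signature", sign(baseString("POST", url, p), "CONSUMER_SECRET_PLACEHOLDER", ""));
        String header = p.entrySet().stream()
                .map(e -> enc(e.getKey()) + "=\"" + enc(e.getValue()) + "\"")
                .collect(Collectors.joining(", ", "OAuth ", ""));
        System.out.println("POST " + url + "\nAuthorization: " + header);
    }
}
```

The response to this request carries the request token that the redirect to the authorize URL (step B) must include; the consumer secret stays server-side and is never sent in the request itself.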