Getting invalid token using spring boot autoconfigure for the resource server

[brsvpr]

Hi,
I am trying to secure my Rest APIs.
I have created an auth server which is a spring boot project running separately.
I have put the auth server as below.

public class AuthServerOAuth2Config extends AuthorizationServerConfigurerAdapter {

private static final Logger log = LoggerFactory.getLogger(AuthServerOAuth2Config.class);

@Autowired
private AuthenticationManager authenticationManager;

@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
	clients
		.inMemory()
		.withClient("test")
		.secret("testsecret")
		.authorizedGrantTypes("client_credentials")
		.scopes("write", "read");
}	

@Override
public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
    /*
     * Allow our tokens to be delivered from our token access point as well as for tokens
     * to be validated from this point
     */
    security.checkTokenAccess("permitAll()");
}

@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
	endpoints.tokenStore(new InMemoryTokenStore()).authenticationManager(authenticationManager);
}

}

So auth server code is working and I am able to access a token by using the below end point url.
http://localhost:9092/uaa/oauth/token

I am able to validate the token / get the client info by using the below end point url.
http://localhost:9092/uaa/oauth/check_token?token=08ed1c9c-a371-43cc-b456-407fcde0b315

I have created a resource server which is a spring boot project running separately which has few Rest APIs accessible by end point URLs that needs to be secured. Below are the properties in the application.properties.
security.oauth2.resource.token-info-uri=http://localhost:9092/uaa/oauth/check_token
security.oauth2.resource.token-type=Bearer
security.oauth2.client.client-id=test
security.oauth2.client.client-secret=testsecret
security.oauth2.client.grant-type=client_credentials
security.oauth2.client.scope=write

I would assume that by mentioning the above properties, spring boot will first validate the token against the auth server by calling the token-info-uri mentioned above.

Now I am testing with POSTMAN by passing the "Bearer " as Authorization header to the one of the APIs in the resource server. I am getting the below error.
{
"error": "invalid_token",
"error_description": "08ed1c9c-a371-43cc-b456-407fcde0b315"
}

Though I can validate this token using the individual end point url "oauth/check_token", I am not able to validate this by accessing the APIs in the resource server.
Please help.

Thanks,
Sai

[brsvpr]

@here - Hi All, can any one please help me in this issue ? This is a bit urgent for me to bring this to a closure.

Thanks

[jgrandja]

@brsvpr Can you also provide the config for your ResourceServerConfigurerAdapter? It may not be related to the call to /oauth/check_token from the Resource Server.

If you can provide a complete sample that reproduces this issue that would be the most helpful.

[brsvpr]

@jgrandja - Hi Joe, Thanks for your response. I don't have any config for ResourceServerConfigurerAdapter.
I just mentioned the above listed properties in the application.properties file in the resource server project.
Can you please suggest if I am missing something or please correct me. Thank you very much.

[brsvpr]

@jgrandja - Also you may please help me with ResourceServerConfigurerAdapter config for this case if this is required. Thanks.

[jgrandja]

Are you using the annotation @EnableResourceServer?

[brsvpr]

@jgrandja - Yes, I am using this annotation. Below is the class in the resource server project.

@EnableResourceServer
@SpringBootApplication
public class Application {
private static final Logger log = LoggerFactory.getLogger(Application.class);

public static void main(String[] args) throws Exception {
	try {
		SpringApplication.run(Application.class);

		log.info("\n\nCustomer Rest Service Started.................!\n\n");
	} catch (Exception e) {
		e.printStackTrace();
		log.error(e.getMessage());
	}
}

}

[brsvpr]

@jgrandja - In the annotations mentioned in the code above, the first letters are in capitals but not sure why it took in small letter after submitting the comment.

[jgrandja]

@brsvpr Take a look at this sample. Checkout the opaque-token-support branch which will show you how to setup your oauth2 authz rules in @EnableResourceServer, for example:

.access("#oauth2.hasScope('read')

[brsvpr]

@jgrandja - Thanks Joe. I will take a look at this. However, I have already mentioned the below in the resource server application.properties file. Hope spring boot will identify this.
security.oauth2.client.scope=write

[jgrandja]

@brsvpr RemoteTokenServices is used by the Resource Server to call the CheckTokenEndpoint on the Authorization Server and client authentication is performed using HTTP Basic. So the Resource Server uses client-id and client-secret to create the Authorization header with Basic credentials.

Your configuration has:

...
security.oauth2.client.grant-type=client_credentials
security.oauth2.client.scope=write
...

You would only need these 2 properties if the client was performing the client_credentials flow, which is not the case for the call to the CheckTokenEndpoint. Both of these properties are not used and are not applicable here.

[brsvpr]

@jgrandja - Yes Joe. My auth server has configured for the "client_credentials" grant_type.
My requirement is to:

1. get the bearer token from the auth server
2. validate the token before calling the Rest API in the resource server.

[brsvpr]

@jgrandja - Hi Joe,

I have removed the below properties in the resource server.
security.oauth2.client.grant-type=client_credentials
security.oauth2.client.scope=write

Also put the code in the resource server by extending ResourceServerConfigurerAdapter.
@OverRide
public void configure(HttpSecurity http) throws Exception {
http
.antMatcher("/customer/")
.authorizeRequests()
.antMatchers("/customer/").access("#oauth2.hasScope('write')");
}

Still I get the below response.
{
"error": "invalid_token",
"error_description": "fc30d553-6c00-421f-9a21-f15ad651a962"
}

[jgrandja]

@brsvpr The sample I provided works so take a look at it closely and follow that setup. If you still can't get it working than publish your app to a GitHub repo and I'll take a look at it.

[brsvpr]

@jgrandja - I am mentioning my entire code here. Please help me with any corrections.

Below is the auth server code.
_@Configuration
@EnableAuthorizationServer
public class AuthServerOAuth2Config extends AuthorizationServerConfigurerAdapter {

private static final Logger log = LoggerFactory.getLogger(AuthServerOAuth2Config.class);

@Autowired
private AuthenticationManager authenticationManager;

@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
	
	log.info("\n\nIn Memory Authorization Server Before Registering Client .................!\n\n");
	
	clients
		.inMemory()
		.withClient("test")
		.secret("testsecret")
		.authorizedGrantTypes("client_credentials")
		.scopes("write", "read");
	
	log.info("\n\nIn Memory Authorization Server After Registering Client .................!\n\n");
}	

@Override
public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
    /*
     * Allow our tokens to be delivered from our token access point as well as for tokens
     * to be validated from this point
     */
    security.checkTokenAccess("permitAll()");
}

@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
	endpoints.authenticationManager(authenticationManager).tokenStore(new InMemoryTokenStore()).approvalStoreDisabled();
}

}_

Below are the application.properties in the auth server.
server.port=9092
server.contextPath=/uaa
security.user.name=none
security.user.password=none

Below is the resource server configuration.
_@EnableResourceServer
@SpringBootApplication
public class Application extends ResourceServerConfigurerAdapter {
private static final Logger log = LoggerFactory.getLogger(Application.class);

public static void main(String[] args) throws Exception {
	try {
		SpringApplication.run(Application.class);

		log.info("\n\nCustomer Rest Service Started.................!\n\n");
	} catch (Exception e) {
		e.printStackTrace();

		log.error(e.getMessage());
	}
}

@Override
public void configure(HttpSecurity http) throws Exception {
	http
		.antMatcher("/customer/**")
		.authorizeRequests()
			.antMatchers("/customer/**").access("#oauth2.hasScope('write')");
}

}_

Below are the application.properties in the resource server.
server.port=9091
security.oauth2.resource.token-info-uri=http://localhost:9092/uaa/oauth/check_token
security.oauth2.resource.token-type=Bearer
security.oauth2.client.client-id=test
security.oauth2.client.client-secret=testsecret
#security.oauth2.client.grant-type=client_credentials
#security.oauth2.client.scope=write
spring.security.user.name=none
spring.security.user.password=none

And I have a rest controller in the resource server that has couple of Rest APIs.

[brsvpr]

@jgrandja - FYI, I am testing this using POSTMAN application, so I think I don't need a separate client app.