  • OAuth2 - request

    I was wondering what the proper way is of making an API call to my OAuth2 server so that it verifies the access_token?

    The request I'm using is set up as follows:

    The setup for the action is as follows (in the server):

    <http pattern="/user/**" create-session="stateless" entry-point-ref="oauthAuthenticationEntryPoint"
          access-decision-manager-ref="accessDecisionManager" xmlns="">
        <intercept-url pattern="/user/{access_token}" access="ROLE_USER,SCOPE_READ" />
        <intercept-url pattern="/user/trusted/message" access="ROLE_CLIENT,SCOPE_READ" />
        <intercept-url pattern="/user/message" access="ROLE_USER,SCOPE_READ" />
        <intercept-url pattern="/user/**" access="ROLE_USER,SCOPE_READ" />
        <!-- OAuth2 resource-server filter: reads the access token from the request and sets the Principal -->
        <custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
        <access-denied-handler ref="oauthAccessDeniedHandler" />
    </http>

    Basically, the request does go through to the action, but the Principal is not found and it seems that nothing is being done with the "access_token" in the request.

  • #2
    You're supposed to send the access token in an Authorization header (per the spec). If you want to send it via a request parameter that should work too. Show us the <resource-server/> configuration? Are you using the latest snapshot, or M6?


    • #3
      Is there a sample I can look at for the Authorization header?

      The <resource-server/> config is as follows:
      <oauth:resource-server id="resourceServerFilter" resource-id="optimal-security" token-services-ref="tokenServices" />

      And the "client-details-service" as follows:

      <oauth:client client-id="optimal-application" resource-ids="optimal-security"
          authorized-grant-types="password,authorization_code,refresh_token,implicit"
          authorities="ROLE_CLIENT, ROLE_TRUSTED_CLIENT" scope="read,write,trust" />


      • #4
        And the resourceServerFilter is included in the Spring Security filter (you can tell by looking at debug logs)?

        The spec has plenty of examples of authorization headers, but it's pretty simple: "Authorization: Bearer <tokenvalue>".
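
As an added example (not the poster's code and not part of Spring Security OAuth), the Python below shows both halves of what replies #2 and #4 describe: the client puts the token in `Authorization: Bearer <tokenvalue>`, and the resource-server side looks for it there first, falls back to an `access_token` parameter (which reply #2 says should also work), and rejects a request that sends the token by more than one method, as RFC 6750 section 2 requires. The function names are hypothetical, the default realm reuses the poster's resource-id `optimal-security`, and the sample requests are constructed, not captured traffic.

```python
"""
Bearer-token handling for an OAuth 2.0 resource server, per RFC 6750.
Added example for this thread; not the poster's code and not Spring Security OAuth's.
Function names are hypothetical; the default realm reuses the resource-id
"optimal-security" from the poster's <oauth:resource-server/> configuration.
"""
import re
from urllib.parse import parse_qs

# RFC 6750 2.1: the credential is a b64token =
#   1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
_B64TOKEN = re.compile(r"[A-Za-z0-9\-._~+/]+=*")
_FORM_TYPE = "application/x-www-form-urlencoded"


class InvalidRequest(Exception):
    """Corresponds to the RFC 6750 3.1 'invalid_request' error: malformed or duplicated token."""


def client_headers(access_token):
    """Client side: the header reply #2 asks for, instead of a token in the URL path."""
    return {"Authorization": "Bearer " + access_token}


def _token_from_header(headers):
    """Return the token from an Authorization: Bearer header, or None if the scheme is not Bearer."""
    auth = headers.get("Authorization")
    if auth is None:
        return None
    parts = auth.strip().split(None, 1)
    if not parts or parts[0].lower() != "bearer":   # scheme name is case-insensitive
        return None                                  # another scheme (e.g. Basic): fall through to parameters
    if len(parts) == 1 or not _B64TOKEN.fullmatch(parts[1].strip()):
        raise InvalidRequest("Authorization: Bearer header without a well-formed token")
    return parts[1].strip()


def _tokens_from_params(query_string, content_type, body):
    """RFC 6750 2.2/2.3: access_token as a form-encoded body field or as a URI query parameter."""
    found = parse_qs(query_string).get("access_token", [])
    if content_type.split(";")[0].strip().lower() == _FORM_TYPE:
        found += parse_qs(body).get("access_token", [])
    return found


def extract_bearer_token(headers, query_string="", content_type="", body=""):
    """
    Resource-server side: locate the access token the client sent.
    Returns the token string, or None when the request carries none (the caller
    should then answer 401 with the WWW-Authenticate challenge built below).
    Raises InvalidRequest when the token is malformed or was sent by more than
    one method, which RFC 6750 section 2 forbids.
    """
    from_header = _token_from_header(headers)
    from_params = _tokens_from_params(query_string, content_type, body)
    if from_header is not None and from_params:
        raise InvalidRequest("access token sent both in Authorization and as a parameter")
    if len(from_params) > 1:
        raise InvalidRequest("more than one access_token parameter")
    if from_header is not None:
        return from_header
    return from_params[0] if from_params else None


def challenge(realm="optimal-security", error=None):
    """WWW-Authenticate value for the 401 (no token) or 401/400 (bad token) response, RFC 6750 3."""
    value = 'Bearer realm="%s"' % realm
    if error is not None:
        value += ', error="%s"' % error
    return value


if __name__ == "__main__":
    # Constructed requests; the token value is the one used in the RFC 6750 examples.
    good = {"Authorization": "Bearer mF_9.B5f-4.1JqM"}
    print(extract_bearer_token(good))
    print(extract_bearer_token({}, query_string="access_token=mF_9.B5f-4.1JqM"))
    print(extract_bearer_token({}), challenge())
    try:
        extract_bearer_token(good, query_string="access_token=other")
    except InvalidRequest as e:
        print("rejected:", e)
```

When the resource-server filter is in the chain, the header form is what it reads first; if `extract_bearer_token` returns None the correct response is a 401 carrying `challenge()`, which is the behaviour the poster is seeing described as "Principal is not found".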