Token endpoint fails to authenticate client credentials from a client with form scheme
  • Token endpoint fails to authenticate client credentials from a client with form scheme

    Hi guys~

    Token endpoint works great with clients of "header" client-authentication-scheme, but it fails on "form" scheme.

    client resource conf:

    Code:
    <oauth:resource id="gdpgame" type="authorization_code" client-id="mocksite" client-secret="secret"
        access-token-uri="http://local-gdp.onlinegame.com/auth/token.nhn"
        user-authorization-uri="http://local-gdp.onlinegame.com/auth/authorize.nhn"
        scope="read"
        authentication-scheme="query" client-authentication-scheme="form" />
    auth server conf:

    Code:
    <http pattern="/auth/token\.(nhn|json|xml).*" create-session="stateless" authentication-manager-ref="clientAuthenticationManager"
        entry-point-ref="oauthAuthenticationEntryPoint" xmlns="http://www.springframework.org/schema/security" request-matcher="regex">
        <intercept-url pattern="/auth/token\.(nhn|json|xml).*" access="IS_AUTHENTICATED_FULLY" />
        <anonymous enabled="false" />

        <!-- include this only if you need to authenticate clients via request parameters -->
        <custom-filter ref="clientCredentialsTokenEndpointFilter" before="BASIC_AUTH_FILTER" />
        <access-denied-handler ref="oauthAccessDeniedHandler" />
    </http>
    You can see that the basic auth filter is removed to support only the form scheme.


    When I debugged the auth server, I found that the following code from ClientCredentialsTokenEndpointFilter is a little buggy:

    Code:
    @Override
    protected boolean requiresAuthentication(HttpServletRequest request, HttpServletResponse response) {
        String uri = request.getRequestURI();
        int pathParamIndex = uri.indexOf(';');

        if (pathParamIndex > 0) {
            // strip everything after the first semi-colon
            uri = uri.substring(0, pathParamIndex);
        }

        String clientId = request.getParameter("client_id");

        if (clientId == null) {
            // Give basic auth a chance to work instead (it's preferred anyway)
            return false;
        }

        return super.requiresAuthentication(request, response);
    }
    I think it should return true in the case where clientId is not null, because super.requiresAuthentication(request, response) always returns false, so the attemptAuthentication method is not called.


    Any ideas?

  • #2
    There is an integration test for this that works, so if there is a bug it isn't as obvious as that. Did you look at the implementation of super.requiresAuthentication()? Are you using the standard endpoint URLs?



    • #3
      Yeah, super.requiresAuthentication() does nothing with client_id/client_secret

      Code:
      protected boolean requiresAuthentication(HttpServletRequest request, HttpServletResponse response) {
          String uri = request.getRequestURI();
          int pathParamIndex = uri.indexOf(';');

          if (pathParamIndex > 0) {
              // strip everything after the first semi-colon
              uri = uri.substring(0, pathParamIndex);
          }

          if ("".equals(request.getContextPath())) {
              return uri.endsWith(filterProcessesUrl);
          }

          return uri.endsWith(request.getContextPath() + filterProcessesUrl);
      }


      And I've changed the original endpoint URL to /auth/token.nhn

      Did you run the integration test without basic auth filter?



      • #4
        It's probably your custom endpoint URL that's the problem. Raise a JIRA ticket and we can have a look in more detail.

        What do you mean about basic auth? The test is in sparklr2 if you want to try it yourself.

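The following is an added example, not code from the thread or from the Spring Security OAuth project. It models, in Python, the two requiresAuthentication() checks quoted in posts #1 and #3 so the interaction #4 points at can be seen directly: the parent filter does a plain suffix match against its filterProcessesUrl, so a custom token URL such as /auth/token.nhn never matches unless that property is changed too, and with the basic auth filter removed and anonymous disabled, nothing is left to authenticate the client. The default filterProcessesUrl of "/oauth/token" is an assumption about the version under discussion; the request paths, context paths and parameters are constructed samples.

```python
# Added example (not Spring Security OAuth project code): a model of the URL
# matching that decides whether ClientCredentialsTokenEndpointFilter runs.
# The "/oauth/token" default is an assumption; all inputs are constructed.

from typing import Dict, Optional


def strip_path_params(uri: str) -> str:
    """Drop everything from the first ';' (e.g. ';jsessionid=...'), as both
    quoted methods do. A ';' at index 0 is deliberately left alone (> 0)."""
    idx = uri.find(";")
    return uri[:idx] if idx > 0 else uri


def super_requires_authentication(request_uri: str, context_path: str,
                                  filter_processes_url: str) -> bool:
    """The parent filter's check as quoted in post #3: an exact suffix match
    against filterProcessesUrl, not the regex used by the <http> pattern."""
    uri = strip_path_params(request_uri)
    if context_path == "":
        return uri.endswith(filter_processes_url)
    return uri.endswith(context_path + filter_processes_url)


def requires_authentication(request_uri: str, context_path: str,
                            params: Dict[str, str],
                            filter_processes_url: str = "/oauth/token") -> bool:
    """ClientCredentialsTokenEndpointFilter's check as quoted in post #1."""
    if params.get("client_id") is None:
        # No form credentials: let basic auth handle the request instead.
        return False
    return super_requires_authentication(request_uri, context_path,
                                         filter_processes_url)


def token_request_outcome(request_uri: str, context_path: str,
                          params: Dict[str, str],
                          filter_processes_url: str = "/oauth/token",
                          basic_auth_filter_present: bool = True,
                          authorization_header: Optional[str] = None) -> str:
    """Which filter ends up authenticating the client for the chain described
    in the thread (client credentials filter, optional basic auth filter,
    anonymous disabled). Returns a label so callers can assert on it."""
    if requires_authentication(request_uri, context_path, params,
                               filter_processes_url):
        return "client-credentials-filter"
    if (basic_auth_filter_present and authorization_header
            and authorization_header.startswith("Basic ")):
        return "basic-auth-filter"
    # No filter authenticated the client and anonymous access is disabled,
    # so the configured entry point rejects the request.
    return "rejected-by-entry-point"


if __name__ == "__main__":
    form_params = {"client_id": "mocksite", "client_secret": "secret"}
    # Custom URL with the default filterProcessesUrl: the filter never runs.
    print(token_request_outcome("/auth/token.nhn", "", form_params,
                                basic_auth_filter_present=False))
    # Same request once filterProcessesUrl matches the custom URL.
    print(token_request_outcome("/auth/token.nhn", "", form_params,
                                "/auth/token.nhn", False))
```

The practical check this suggests for the configuration in the thread: the clientCredentialsTokenEndpointFilter bean's filterProcessesUrl (the setter inherited from AbstractAuthenticationProcessingFilter) has to equal the custom token path exactly, including the extension, because the match is a suffix comparison rather than the regex the <http> element uses. Note also that the request-matcher regex admits /auth/token.json and /auth/token.xml, which a single filterProcessesUrl value cannot cover.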