OAUth2 - Full authentication is required - after token request

    Hi to all,

    I'm really new to using OAuth and Spring Security.

    I'm following a book where I've found an example of a client/server that uses OAuth2 (RESTful web service).

    I do my authorize request like this:

    http://192.168.1.32:8080/support/oau...2F%2Flocalhost

    After this, the server shows me the accept button and I am redirected here:

    http://192.168.1.32:8080/support/oauth/token

    This is the information that I'm sending to the server (I use REST Client for Firefox):
    code 05CYS1
    client_id TestClient
    client_secret secretKey
    redirect_uri http://localhost
    grant_type authorization_code
    The server replies with:

    <oauth>
    <error_description>Full authentication is required to access this resource</error_description>
    <error>unauthorized</error>
    </oauth>

    If you want additional information, I can give it to you.

    Thanks a lot.

  • #2
    I've seen that when I go to oauth/authorize, the endpoint uses the right authentication. When, after that, I call oauth/token, it "loses the authentication" and uses AnonymousAuthentication.

    This is the log stack after pressing ACCEPT:

    Code:
    org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/oauth/authorize'; against '/resource/**'
    org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/oauth/authorize'; against '/favicon.ico'
    org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/oauth/authorize'; against '/oauth/token'
    org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/oauth/authorize'; against '/services/**'
    org.springframework.security.web.FilterChainProxy - /oauth/authorize at position 1 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
    org.springframework.security.web.context.HttpSessionSecurityContextRepository - Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl@…: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@…: Principal: Nicholas; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@…: RemoteIpAddress: 192.168.0.51; SessionId: 03C2A62D69E67060B726260BCE4ED66F; Granted Authorities: [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected]'
    org.springframework.security.web.FilterChainProxy - /oauth/authorize at position 2 of 12 in additional filter chain; firing Filter: 'ConcurrentSessionFilter'
    org.springframework.security.web.FilterChainProxy - /oauth/authorize at position 3 of 12 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
    org.springframework.security.web.FilterChainProxy - /oauth/authorize at position 4 of 12 in additional filter chain; firing Filter: 'CsrfFilter'
    org.springframework.security.web.FilterChainProxy - /oauth/authorize at position 5 of 12 in additional filter chain; firing Filter: 'LogoutFilter'
    org.springframework.security.web.FilterChainProxy - /oauth/authorize at position 6 of 12 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
    org.springframework.security.web.FilterChainProxy - /oauth/authorize at position 7 of 12 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
    org.springframework.security.web.FilterChainProxy - /oauth/authorize at position 8 of 12 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
    org.springframework.security.web.FilterChainProxy - /oauth/authorize at position 9 of 12 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
    org.springframework.security.web.authentication.AnonymousAuthenticationFilter - SecurityContextHolder not populated with anonymous token, as it already contained: 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken@…: Principal: Nicholas; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@…: RemoteIpAddress: 192.168.0.51; SessionId: 03C2A62D69E67060B726260BCE4ED66F; Granted Authorities: [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected]'
    org.springframework.security.web.FilterChainProxy - /oauth/authorize at position 10 of 12 in additional filter chain; firing Filter: 'SessionManagementFilter'
    org.springframework.security.web.FilterChainProxy - /oauth/authorize at position 11 of 12 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
    org.springframework.security.web.FilterChainProxy - /oauth/authorize at position 12 of 12 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
    org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/oauth/authorize'; against '/session/list'
    org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/oauth/authorize'; against '/oauth/**'
    org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /oauth/authorize; Attributes: [hasAuthority('USE_WEB_SERVICES')]
    org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Previously Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@…: Principal: Nicholas; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@…: RemoteIpAddress: 192.168.0.51; SessionId: 03C2A62D69E67060B726260BCE4ED66F; Granted Authorities: [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected]
    org.springframework.security.access.vote.AffirmativeBased - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@…, returned: 1
    org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Authorization successful
    And this is the stack after invoking oauth/token:

    Code:
    org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/oauth/token'; against '/resource/**'
    org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/oauth/token'; against '/favicon.ico'
    org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/oauth/token'; against '/oauth/token'
    org.springframework.security.web.FilterChainProxy - /oauth/token at position 1 of 7 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
    org.springframework.security.web.FilterChainProxy - /oauth/token at position 2 of 7 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
    org.springframework.security.web.FilterChainProxy - /oauth/token at position 3 of 7 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
    org.springframework.security.web.FilterChainProxy - /oauth/token at position 4 of 7 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
    org.springframework.security.web.FilterChainProxy - /oauth/token at position 5 of 7 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
    org.springframework.security.web.authentication.AnonymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@…: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@…: RemoteIpAddress: 192.168.0.51; SessionId: BCC9FC00E4F361573CDA079B0D258451; Granted Authorities: ROLE_ANONYMOUS'
    org.springframework.security.web.FilterChainProxy - /oauth/token at position 6 of 7 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
    org.springframework.security.web.FilterChainProxy - /oauth/token at position 7 of 7 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
    org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/oauth/token'; against '/oauth/token'
    org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /oauth/token; Attributes: [hasAuthority('OAUTH_CLIENT')]
    org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@…: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@…: RemoteIpAddress: 192.168.0.51; SessionId: BCC9FC00E4F361573CDA079B0D258451; Granted Authorities: ROLE_ANONYMOUS
    org.springframework.security.access.vote.AffirmativeBased - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@…, returned: -1
    org.springframework.security.web.access.ExceptionTranslationFilter - Access is denied (user is anonymous); redirecting to authentication entry point

    • #3
      The exact same thing is happening to me. I'm using all Java config: JDBC token store, JDBC approval store, JDBC client details. The oauth_approvals table is clearly persisting the approval, but during /oauth/token it hits the AnonymousAuthenticationFilter for some reason and loses my authentication.

      https://gist.github.com/michaelmccas...114ddaae04fa32
      Last edited by mmccaskill; Jun 1st, 2014, 08:40 PM.

      • #4
        Hi,

        I've solved this by sending the Authentication field in the header with:

        Authentication: Basic client_id:client_secret (in Base64)

        With this on, the server uses BasicAuthenticationFilter and not the AnonymousFilter.

        Try this and let me know if it works for you too.

        • #5
          OK, I'll give that a try. The interesting thing is that I have applications that currently work with Spring Security OAuth 1.0.x, but when upgrading to 2.0.x they break.

          • #6
            I solved it based on your answer. Unfortunately I'm not in a position to fix the clients, so I solved it by enabling form authentication for clients.

            https://github.com/spring-projects/s...uth/issues/211
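
Added example (not code from the thread, from Spring, or from any poster) tying together the log in #2, the fix in #4 and the fix in #6. The /oauth/token log shows a separate, stateless filter chain whose only authenticating filter is BasicAuthenticationFilter and whose access rule is hasAuthority('OAUTH_CLIENT'): the party that has to authenticate there is the OAuth client, not the user who approved /oauth/authorize, and the browser session (note the different SessionId in the two logs) does not carry over. The header BasicAuthenticationFilter reads is `Authorization` (post #4 writes "Authentication"). The Python mock below stands in for the token endpoint: with `allow_form_auth` off (the default, as in the OP's setup) a request carrying client_id/client_secret only in the body is rejected with the same XML the OP saw, while the same request with an HTTP Basic `Authorization` header gets a token; flipping `allow_form_auth` on plays the role of the server-side `allowFormAuthenticationForClients()` switch from post #6. Assumptions: the authorization code 05CYS1 and redirect URI are accepted as-is by the mock, the returned token value is made up, and the mock does no code, grant-type or redirect-URI validation.

```python
import base64
import hmac
import json
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed values taken from the thread: the client the OP registered and the
# code shown in the post. The mock accepts the code as-is (assumption).
CLIENT_ID, CLIENT_SECRET = "TestClient", "secretKey"
AUTH_CODE, REDIRECT_URI = "05CYS1", "http://localhost"
# The XML body the real server returned in the thread; the mock reproduces it.
UNAUTHORIZED_XML = (b"<oauth><error_description>Full authentication is required to access "
                    b"this resource</error_description><error>unauthorized</error></oauth>")


def basic_auth_header(client_id, client_secret):
    """Authorization header value for HTTP Basic client authentication (RFC 6749 2.3.1)."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


class TokenEndpoint(BaseHTTPRequestHandler):
    """Stand-in for the stateless /oauth/token chain: no user session, client auth only."""

    # Stand-in for allowFormAuthenticationForClients(): when False (the default),
    # only the Authorization header can identify the client.
    allow_form_auth = False

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        if not self._client_authenticated(form):
            # No client identity: the caller is anonymous, exactly as in the OP's log.
            self.send_response(401)
            self.send_header("Content-Type", "application/xml")
            self.end_headers()
            self.wfile.write(UNAUTHORIZED_XML)
            return
        body = json.dumps({"access_token": "demo-token", "token_type": "bearer"}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(body)

    def _client_authenticated(self, form):
        expected = basic_auth_header(CLIENT_ID, CLIENT_SECRET).encode()
        sent = self.headers.get("Authorization", "").encode()
        if hmac.compare_digest(sent, expected):  # constant-time comparison
            return True
        if self.allow_form_auth:
            form_id = form.get("client_id", [""])[0]
            form_secret = form.get("client_secret", [""])[0]
            return (hmac.compare_digest(form_id.encode(), CLIENT_ID.encode())
                    and hmac.compare_digest(form_secret.encode(), CLIENT_SECRET.encode()))
        return False

    def log_message(self, *args):  # silence per-request logging
        pass


def request_token(port, form, authorization=None):
    """POST form to /oauth/token; return (status, body). HTTP errors are returned, not raised."""
    data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(f"http://127.0.0.1:{port}/oauth/token", data=data, method="POST")
    if authorization:
        req.add_header("Authorization", authorization)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def run_exchange(allow_form_auth=False):
    """Replay the OP's request (credentials in the body) and the fixed one (Basic header)."""
    TokenEndpoint.allow_form_auth = allow_form_auth
    server = HTTPServer(("127.0.0.1", 0), TokenEndpoint)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    port = server.server_address[1]
    code_grant = {"grant_type": "authorization_code", "code": AUTH_CODE,
                  "redirect_uri": REDIRECT_URI}
    try:
        as_posted = request_token(port, {**code_grant, "client_id": CLIENT_ID,
                                         "client_secret": CLIENT_SECRET})
        with_basic = request_token(port, code_grant,
                                   authorization=basic_auth_header(CLIENT_ID, CLIENT_SECRET))
    finally:
        server.shutdown()
        server.server_close()
    return {"as_posted": as_posted, "with_basic": with_basic}


if __name__ == "__main__":
    for mode in (False, True):
        print(f"allowFormAuthenticationForClients={mode}: {run_exchange(mode)}")
```

Running the script prints both modes. The equivalent of the #4 fix from the command line is `curl -u TestClient:secretKey -d 'grant_type=authorization_code&code=05CYS1&redirect_uri=http://localhost' http://192.168.1.32:8080/support/oauth/token`, which sends the same Basic header the mock checks. Enabling form authentication (#6) works around clients that cannot set the header, but it moves the client secret into the request body, so keep the token endpoint on TLS either way.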
