Sending user to /oauth/authorize results in 'missing verification code'

  • Sending user to /oauth/authorize results in 'missing verification code'

    Hi all,

    I am still trying to get an oauth2 provider up. To begin the oauth dance, a client is supposed to send the user via redirect to the service provider and request authorization. So I do this:

    send user to:
    http://localhost:9001/oauth2/oauth/a...F%2Fspiegel.de

    What I would expect is that my spring-security defined login page comes up... but instead, this is what is returned:

    {
    "error": "invalid_request",
    "error_description": "A verification code must be supplied."
    }

    So what is wrong? Would I need to "secure" the /oauth/authorize mapping to have the login page come up?

    Again including all my config below - thanks for your help!
    Code:
    	<http auto-config='true' access-denied-page="/login.jsp">
    		<intercept-url pattern="/rest/**" access="ROLE_USER" />
    		<intercept-url pattern="/request_token_authorized.jsp"
    			access="ROLE_USER" />
    		<intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    
    		<form-login authentication-failure-url="/login.jsp" 
    			default-target-url="/index.jsp" login-page="/login.jsp"
    			login-processing-url="/login.do" />
    		<logout logout-success-url="/index.jsp" logout-url="/logout.do" />
    	</http>
    
    	<authentication-manager>
    		<authentication-provider>
    			<user-service>
    				<user name="sven" password="nevs" authorities="ROLE_USER, ROLE_ADMIN" />
    				<user name="demo" password="1234" authorities="ROLE_USER" />
    			</user-service>
    		</authentication-provider>
    	</authentication-manager>
    
    	<beans:bean id="tokenServices"
    		class="org.springframework.security.oauth2.provider.token.InMemoryOAuth2ProviderTokenServices">
    		<beans:property name="supportRefreshToken" value="true" />
    	</beans:bean>
    
    	<oauth:provider client-details-service-ref="clientDetails"
    		token-services-ref="tokenServices"  
    		authorization-url="/oauth/authorize" ><!-- authorization url is default -->
    		<oauth:verification-code user-approval-page="/oauth/confirm_access" />
    	</oauth:provider>
    
    	<oauth:client-details-service id="clientDetails">
    		<oauth:client clientId="my-trusted-client"
    			authorizedGrantTypes="password,authorization_code,refresh_token" />
    		<oauth:client clientId="my-trusted-client-with-secret"
    			authorizedGrantTypes="password,authorization_code,refresh_token"
    			secret="somesecret" />
    		<oauth:client clientId="my-less-trusted-client"
    			authorizedGrantTypes="authorization_code" />
    		<oauth:client clientId="tonr" authorizedGrantTypes="authorization_code" />
    	</oauth:client-details-service>

  • #2
    got the answer...

    OK, I can answer a couple questions myself after digging into the source code.

    The most interesting finding that helped most was looking into the OAuth2 VerificationCodeFilter. It has a default processing URL defined that I have never seen anywhere in the docs:

    public static final String DEFAULT_PROCESSING_URL = "/oauth/user/authorize";

    So that made me try a request like this against my running server from the browser:

    GET http://localhost:9001/oauth2/oauth/u...F%2Fspiegel.de

    This will forward to /oauth/confirm_access which initially was not protected in my setup. So I created this spring config to protect the confirm_access page:
    Code:
    	<http auto-config='true' access-denied-page="/login.jsp">
    		<intercept-url pattern="/rest/**" access="ROLE_USER" />
    		<intercept-url pattern="/request_token_authorized.jsp"
    			access="ROLE_USER" />
    		<intercept-url pattern="/oauth/confirm_access" access="ROLE_USER" />
    		<intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    
    		<form-login authentication-failure-url="/login.jsp" 
    			default-target-url="/index.jsp" login-page="/login.jsp"
    			login-processing-url="/login.do" />
    		<logout logout-success-url="/index.jsp" logout-url="/logout.do" />
    	</http>
    I cleared all cookies, and requested the page again. I now got the login page, logged in, got the access confirmation page, confirmed and got a redirect to the configured redirect_uri with ?code=XXX appended to it.

    With that information, I was able to construct the access token request as follows:

    http://localhost:9001/oauth2/oauth/a...F%2Fspiegel.de

    And boom, here we go, the access token:

    Code:
    {
        "access_token": "c45e3516-7783-4367-864a-8365e745f6be",
        "expires_in": 43199,
        "refresh_token": "bb92a1ae-5699-4e98-acea-442952271095"
    }
    So far so good!


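    The client side of the flow post #2 walks through, as an added example that is not from this thread or from Spring Security OAuth: it builds the request to /oauth/user/authorize, checks the ?code= callback, builds the token request for the configured authorization-url, and validates the token JSON shown above. The parameter names follow the OAuth 2.0 drafts of that era and are an assumption, as are the state check, the redirect URI and the choice of client (the thread's config registers no redirect URI for any client).

```python
import json
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Endpoints from the thread; parameter names below are an assumption (OAuth 2.0 draft style).
BASE = "http://localhost:9001/oauth2"
AUTHORIZE_URL = BASE + "/oauth/user/authorize"   # VerificationCodeFilter DEFAULT_PROCESSING_URL
TOKEN_URL = BASE + "/oauth/authorize"            # authorization-url from the <oauth:provider> config
CLIENT_ID = "my-trusted-client-with-secret"      # one of the clients in the thread's config
CLIENT_SECRET = "somesecret"
REDIRECT_URI = "http://localhost:9001/tonr/callback"   # constructed for this example


def build_authorize_url(state: str) -> str:
    """Step 1: URL the browser is sent to. `state` binds the later callback to this session."""
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "state": state}
    return AUTHORIZE_URL + "?" + urlencode(params)


def extract_code(callback_url: str, expected_state: str) -> str:
    """Step 2: after login and confirm_access the provider redirects with ?code=XXX.
    Accept the code only if it arrived on our redirect_uri with the state we issued."""
    parsed = urlparse(callback_url)
    if parsed._replace(query="", fragment="").geturl() != REDIRECT_URI:
        raise ValueError("callback arrived on an unexpected redirect_uri")
    qs = parse_qs(parsed.query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback is not bound to this session")
    if "error" in qs:
        raise ValueError("provider returned error: " + qs["error"][0])
    return qs["code"][0]


def build_token_request(code: str) -> dict:
    """Step 3: form fields to POST to TOKEN_URL to swap the code for a token."""
    return {"grant_type": "authorization_code", "code": code, "client_id": CLIENT_ID,
            "client_secret": CLIENT_SECRET, "redirect_uri": REDIRECT_URI}


def parse_token_response(body: str) -> dict:
    """Step 4: validate the JSON the provider returns before trusting the token."""
    data = json.loads(body)
    token = data.get("access_token")
    if not isinstance(token, str) or not token:
        raise ValueError("no access_token in response")
    expires = int(data.get("expires_in", 0))
    if expires <= 0:
        raise ValueError("expires_in missing or token already expired")
    return {"access_token": token, "expires_in": expires,
            "refresh_token": data.get("refresh_token")}


if __name__ == "__main__":
    state = secrets.token_urlsafe(16)
    print(build_authorize_url(state))
    print(build_token_request(extract_code(REDIRECT_URI + "?code=XXX&state=" + state, state)))
```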

    • #3
      Hi,
      How do I get the resource data using the access token? I have been looking for the past 2 days with no help. Any hint or help will be highly useful.
      Thanks in advance.



      • #4
        Originally posted by hansamann
        Would I need to "secure" the /oauth/authorize mapping to have the login page come up?
        Yes. It's not magic, just standard Spring Security configuration to ensure that the endpoint is protected. It's up to you how to do the authentication (the sparklr sample has an in memory user database and a login page).
