Protecting REST API with OAuth2: Error creating bean with name 'scopedTarget.oauth2ClientContext': Scope 'session' is not active

An even easier way to enable the request context listener is to add a bean annotation into your app.

@Beanpublic RequestContextListener requestContextListener() {    return new RequestContextListener();}

I ended up resolving this thing after looking into Spring documentation.

It turned out that the scope context didn't actually exist in my app, because I hadn't initialized it.

I initialized it by adding this listener:

<listener> <listener-class>        org.springframework.web.context.request.RequestContextListener </listener-class></listener>

I'm proving the code that I have right now, but I'm in no way married to this implementation. If you can show me some radically different way to accomplish what I want to accomplish, great

If your main problem is implementing the Resource Server and also, you are open to totally different solutions, you can use Spring Boot's resource server auto configurations. This way you would have a ResourceServerConfiguration such as following:

@Configuration@EnableResourceServerpublic class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {    @Override    public void configure(HttpSecurity http) throws Exception {        http                .authorizeRequests()                    .anyRequest().authenticated();        // you can put your application specific configurations here        // here i'm just authenticating every request    }}

With an application.yml config file in your src/main/resources:

security:  oauth2:    client:      client-id: client      client-secret: secret    resource:      token-info-uri: http://localhost:8888/oauth/check_token

You should add your client-id, client-secret and token-info-uri there. token-info-uri is the endpoint on Authorization Server that our resource server is going to consult about the validity of passed Access Tokens.

With these arrangements, if the client fire a request to, say, /api/greet API:

GET /api/greet HTTP/1.1Host: localhost:8080Authorization: bearer cef63a29-f9aa-4dcf-9155-41fb035a6cdb

Our resource server will extract the Bearer access token from the request and send the following request to the authorization server to validate the access token:

GET /oauth/check_token?token=cef63a29-f9aa-4dcf-9155-41fb035a6cdb HTTP/1.1Host: localhost:8888Authorization: basic base64(client-id:client-secret)

If token was valid, authorization server send a 200 OK response with a JSON body like following:

{"exp":1457684735,"user_name":"me","authorities":["ROLE_USER"],"client_id":"client","scope":["auth"]}

Otherwise, it will return a 4xx Client Error.

This was a maven project with a pom.xml like following:

<parent>    <groupId>org.springframework.boot</groupId>    <artifactId>spring-boot-starter-parent</artifactId>    <version>1.3.3.RELEASE</version></parent><dependencies>    <dependency>        <groupId>org.springframework.boot</groupId>        <artifactId>spring-boot-starter-web</artifactId>    </dependency>    <dependency>        <groupId>org.springframework.boot</groupId>        <artifactId>spring-boot-starter-security</artifactId>    </dependency>    <dependency>        <groupId>org.springframework.security.oauth</groupId>        <artifactId>spring-security-oauth2</artifactId>    </dependency></dependencies>

And a typical Application class:

@SpringBootApplicationpublic class Application {    public static void main(String[] args) {        SpringApplication.run(Application.class, args);    }}

You can check out the spring boot documentation on resource server auto configurations here.