Spring Security OAuth2 check_token endpoint

You have to

@Overridepublic void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception{   oauthServer.checkTokenAccess("permitAll()");    }

For more information on this ::

How to use RemoteTokenService?

Just to clarify a couple of points, and to add some more information to the answer provided by Pratik Shah (and by Alex in the related thread):

1- The configure method mentioned is overridden by creating a class that extends AuthorizationServerConfigurerAdapter:

    @EnableAuthorizationServer    @Configuration    public class AuthServerConfig extends AuthorizationServerConfigurerAdapter {        @Override        public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {            oauthServer.tokenKeyAccess("permitAll()")                .checkTokenAccess("isAuthenticated()");        }        @Override        public void configure(ClientDetailsServiceConfigurer clients) throws     Exception {            clients                    .inMemory()                    .withClient("ger-client-id")                    .secret("ger-secret")                    .authorizedGrantTypes("password")                    .scopes("read", "write");        }    }

2- I suggest reading this Spring guide explaining the automatic configuration carried out by Spring Boot when we include the @EnableAuthorizationServer annotation, including an AuthorizationServerConfigurer bean. If you create a configuration bean extending the AuthorizationServerConfigurerAdapter as I did above, then that whole automatic configuration is disabled.

3- If the automatic configuration suits you just well, and you JUST want to manipulate the access to the /oauth/check_token endpoint, you can still do so without creating an AuthorizationServerConfigurer bean (and therefore without having to configure everything programmatically).

You'll have to add the security.oauth2.authorization.check-token-access property to the application.properties file, for example:

security.oauth2.client.client-id=ger-client-idsecurity.oauth2.client.client-secret=ger-secretsecurity.oauth2.client.scope=read,writesecurity.oauth2.authorization.check-token-access=permitAll()

Of course, you can give it an isAuthenticated() value if you prefer.

You can set the log level to DEBUG to check that everything is being configured as expected:

16:16:42.763 [main] DEBUG o.s.s.w.a.e.ExpressionBasedFilterInvocationSecurityMetadataSource - Adding web access control expression 'permitAll()', for Ant [pattern='/oauth/check_token']

There is no much documentation about these properties, but you can figure them out from this autoconfiguration class.

One last thing worth mentioning, even though it seems to be fixed in latest Spring versions, I just submitted an issue in the spring-security-oauth project; it seems that the token_check functionality is enabled by default if you add a trailing slash to the request:

$ curl localhost:8080/oauth/check_token/?token=fc9e4ad4-d6e8-4f57-b67e-c0285dcdeb58{"scope":["read","write"],"active":true,"exp":1544940147,"authorities":["ROLE_USER"],"client_id":"ger-client-id"}

There are three POST parameters, namely client_id (user name), client_secret (password corresponding to the user name), token (token applied for), client_id, client_secret are different from the parameters in the /oauth/token interface

enter image description here