Spring Security OAuth2 check_token endpoint
You have to

```java
@Override
public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
    oauthServer.checkTokenAccess("permitAll()");
}
```

For more information on this:
Just to clarify a couple of points, and to add some more information to the answer provided by Pratik Shah (and by Alex in the related thread):
1- The configure method mentioned is overridden by creating a class that extends AuthorizationServerConfigurerAdapter:

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;

@EnableAuthorizationServer
@Configuration
public class AuthServerConfig extends AuthorizationServerConfigurerAdapter {

    @Override
    public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
        // /oauth/token_key is open; /oauth/check_token requires an authenticated client
        oauthServer.tokenKeyAccess("permitAll()")
                   .checkTokenAccess("isAuthenticated()");
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients
            .inMemory()
            .withClient("ger-client-id")
            .secret("ger-secret")
            .authorizedGrantTypes("password")
            .scopes("read", "write");
    }
}
```
2- I suggest reading this Spring guide explaining the automatic configuration carried out by Spring Boot when we include the @EnableAuthorizationServer annotation, including an AuthorizationServerConfigurer bean. If you create a configuration bean extending the AuthorizationServerConfigurerAdapter as I did above, then that whole automatic configuration is disabled.
3- If the automatic configuration suits you just fine, and you JUST want to manipulate the access to the /oauth/check_token endpoint, you can still do so without creating an AuthorizationServerConfigurer bean (and therefore without having to configure everything programmatically). You'll have to add the security.oauth2.authorization.check-token-access property to the application.properties file, for example:

```properties
security.oauth2.client.client-id=ger-client-id
security.oauth2.client.client-secret=ger-secret
security.oauth2.client.scope=read,write
security.oauth2.authorization.check-token-access=permitAll()
```
Of course, you can give it an isAuthenticated() value if you prefer.
You can set the log level to DEBUG to check that everything is being configured as expected:

```text
16:16:42.763 [main] DEBUG o.s.s.w.a.e.ExpressionBasedFilterInvocationSecurityMetadataSource - Adding web access control expression 'permitAll()', for Ant [pattern='/oauth/check_token']
```
There is not much documentation about these properties, but you can figure them out from this autoconfiguration class.

One last thing worth mentioning: even though it seems to be fixed in the latest Spring versions, I just submitted an issue in the spring-security-oauth project; it seems that the check_token functionality is enabled by default if you add a trailing slash to the request:

```shell
$ curl localhost:8080/oauth/check_token/?token=fc9e4ad4-d6e8-4f57-b67e-c0285dcdeb58
{"scope":["read","write"],"active":true,"exp":1544940147,"authorities":["ROLE_USER"],"client_id":"ger-client-id"}
```
There are three POST parameters: client_id (the user name), client_secret (the password corresponding to that user name), and token (the token being checked). client_id and client_secret are different from the parameters of the /oauth/token interface.
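To tie the second answer (the check-token-access expression) and the third (the credentials the endpoint expects) together, here is the caller's side: a Spring resource server that validates bearer tokens against /oauth/check_token. This is an added example, not code from any of the answers above. It relies on Spring's RemoteTokenServices, which POSTs the token as a form parameter and sends the client id and secret as an HTTP Basic Authorization header; that header is what satisfies checkTokenAccess("isAuthenticated()") on the authorization server, so a resource server configured this way does not need permitAll(). Leaving the endpoint on permitAll() means anyone who can reach the authorization server can introspect any token they obtain and learn its scopes, client_id, authorities and expiry, exactly as the curl output above shows. The check_token URL and the client credentials are assumed; they reuse the values from the answers above.

```java
// Added example (not from the page): resource server that introspects bearer
// tokens via the authorization server's /oauth/check_token endpoint.
// ASSUMED: auth server on localhost:8080 and the client "ger-client-id" /
// "ger-secret" registered there, as in the answers above.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.RemoteTokenServices;
import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;

@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    @Bean
    public ResourceServerTokenServices tokenServices() {
        RemoteTokenServices services = new RemoteTokenServices();
        // RemoteTokenServices sends "POST /oauth/check_token" with body
        // "token=<bearer token>" and an "Authorization: Basic <id:secret>"
        // header. The Basic credential is the client registered on the
        // authorization server, so checkTokenAccess("isAuthenticated()")
        // accepts the call; with permitAll() the header is simply ignored.
        services.setCheckTokenEndpointUrl("http://localhost:8080/oauth/check_token"); // assumed
        services.setClientId("ger-client-id");  // assumed, registered on the auth server
        services.setClientSecret("ger-secret"); // assumed; load from a secret store in practice
        return services;
    }

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        // Use remote introspection instead of a local token store.
        resources.tokenServices(tokenServices());
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        // Requests under /api need a bearer token that check_token reports as
        // "active": true; anything else is refused outright.
        http.authorizeRequests()
            .antMatchers("/api/**").authenticated()
            .anyRequest().denyAll();
    }
}
```

Two things to check when running this against the authorization server from the answers above: first, that the DEBUG log shows the access expression you expect for the Ant pattern /oauth/check_token, and that a request with a trailing slash (/oauth/check_token/) is refused the same way in your Spring version, since the second answer reports that it once was not; second, that every call to check_token costs a network round trip, so a cache or a locally verifiable token format is worth considering for high-traffic resource servers.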