spring-security-oauth2 2.0.7 refresh token UserDetailsService Configuration - UserDetailsService is required

故里飘歌 2021-01-02 08:50

I would have one question regarding the configuration of spring-security-oauth2 2.0.7 please. I am doing the Authentication using LDAP via a GlobalAuthenticationConfigurerAd

3 answers
  • 2021-01-02 09:23

    What you need for the OAuth piece is to create an LdapUserDetailsService with the same query as your authenticator and inject it into the AuthorizationServerEndpointsConfigurer. I don't think there's any support for creating a UserDetailsService in @Configuration style (might be worth opening a ticket for that in JIRA), but it looks like you can do it in XML.

  • 2021-01-02 09:29

    As advised by Dave Syer, I created a custom LdapUserDetailsService. The working solution can be found under the following tag.

    Application Context

    <?xml version="1.0" encoding="UTF-8"?>
    <beans xmlns="http://www.springframework.org/schema/beans"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:context="http://www.springframework.org/schema/context"
        xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                    http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">
    
        <context:annotation-config/>
        <context:property-placeholder location="application.yml"/>
    
        <bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
            <constructor-arg value="${authentication.ldap.url}" />
        </bean>
    
        <bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
            <constructor-arg index="0" value="${authentication.ldap.userSearchBase}" />
            <constructor-arg index="1" value="uid={0}" />
            <constructor-arg index="2" ref="contextSource"/>
        </bean>
    
        <bean id="ldapAuthoritiesPopulator" class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
            <constructor-arg index="0" ref="contextSource"/>
            <constructor-arg index="1" value="${authentication.ldap.groupSearchBase}"/>
            <property name="groupSearchFilter" value="${authentication.ldap.groupSearchFilter}"/>
        </bean>
    
        <bean id="myUserDetailsService"
              class="org.springframework.security.ldap.userdetails.LdapUserDetailsService">
            <constructor-arg index="0" ref="userSearch"/>
            <constructor-arg index="1" ref="ldapAuthoritiesPopulator"/>
        </bean>
    
    </beans>
    

    Properties

    authentication:
     ldap:
      url: ldap://127.0.0.1:33389/dc=springframework,dc=org
      userSearchBase:
      userDnPatterns: uid={0},ou=people
      groupSearchBase: ou=groups
      groupSearchFilter: (uniqueMember={0})
    
  • 2021-01-02 09:36

    I had a similar issue when I was implementing an OAuth2 server with JWT tokens with a custom AuthenticationProvider instead of a UserDetailsService implementation to solve login authentications.

    But lately I found that the error Spring raises is correct if you want the refresh_token working correctly. For an AuthenticationProvider implementation it is impossible to refresh a token with a refresh_token, because in that kind of implementation you have to resolve whether the password is correct, but the refresh token doesn't have that information. However, UserDetailsService is agnostic of the password.

    Version 2.0.6 of spring-security-oauth2 works because it never checks the user grants, it just checks if the refresh token is valid (signed with the private key), but, if the user was deleted from the system after a first login, with a refresh token the deleted user will have infinite time access to your system, and that is a big security issue.

    Take a look at the issue I reported about this: https://github.com/spring-projects/spring-security-oauth/issues/813

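The XML answer above and the refresh-token explanation in the last answer, combined into one Java configuration as an added example (not code from the thread or from the Spring projects): the LdapUserDetailsService is built from the same LDAP beans and the same property names as the posted XML and YAML, and is handed to the AuthorizationServerEndpointsConfigurer so the refresh_token grant re-resolves the user. The class name LdapRefreshTokenConfig is an assumption; client registration and the rest of the authorization server setup are left out.

```java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.ldap.DefaultSpringSecurityContextSource;
import org.springframework.security.ldap.search.FilterBasedLdapUserSearch;
import org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator;
import org.springframework.security.ldap.userdetails.LdapUserDetailsService;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;

@Configuration
@EnableAuthorizationServer
public class LdapRefreshTokenConfig extends AuthorizationServerConfigurerAdapter { // hypothetical class name

    // Same property names as the YAML posted in the second answer.
    @Value("${authentication.ldap.url}")
    private String ldapUrl;
    @Value("${authentication.ldap.userSearchBase}")
    private String userSearchBase;
    @Value("${authentication.ldap.groupSearchBase}")
    private String groupSearchBase;
    @Value("${authentication.ldap.groupSearchFilter}")
    private String groupSearchFilter;

    // Declared as a bean so Spring calls afterPropertiesSet() and initialises the LDAP context.
    @Bean
    public DefaultSpringSecurityContextSource contextSource() {
        return new DefaultSpringSecurityContextSource(ldapUrl);
    }

    // Uses the same user filter (uid={0}) as the authenticator, so a user who can log in
    // is found again on refresh, and one who has been removed from LDAP is not.
    @Bean
    public UserDetailsService ldapUserDetailsService() {
        FilterBasedLdapUserSearch userSearch =
                new FilterBasedLdapUserSearch(userSearchBase, "uid={0}", contextSource());
        DefaultLdapAuthoritiesPopulator populator =
                new DefaultLdapAuthoritiesPopulator(contextSource(), groupSearchBase);
        populator.setGroupSearchFilter(groupSearchFilter);
        return new LdapUserDetailsService(userSearch, populator);
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
        // The refresh_token grant loads the user through this service before issuing a new
        // access token, which is the check 2.0.6 skipped and 2.0.7 now requires.
        endpoints.userDetailsService(ldapUserDetailsService());
    }
}
```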