I'm trying to implement an authorization server and a resource server using Spring Security OAuth2. So far I've managed to set up the authorization server, and since I don't w
along with making your tokenService method @Primary, as told in https://stackoverflow.com/a/40626102/3044680, from Spring Boot 1.5 onwards add security.oauth2.resource.filter-order = 3 to application.properties.
/oauth/check_token needs its access permission configured separately; it is 'denyAll' by default. If you add logging.level.org.springframework.security=DEBUG to your properties, you can find the following logging lines:
2017-09-14 14:52:01.379 INFO 15591 --- [ main] b.a.s.AuthenticationManagerConfiguration :
Using default security password: f1f7e508-4a30-4aad-914f-d0e90da6079a
2017-09-14 14:52:01.775 DEBUG 15591 --- [ main] edFilterInvocationSecurityMetadataSource : Adding web access control expression 'fullyAuthenticated', for Ant [pattern='/oauth/token']
2017-09-14 14:52:01.872 DEBUG 15591 --- [ main] edFilterInvocationSecurityMetadataSource : Adding web access control expression 'denyAll()', for Ant [pattern='/oauth/token_key']
2017-09-14 14:52:01.879 DEBUG 15591 --- [ main] edFilterInvocationSecurityMetadataSource : Adding web access control expression 'denyAll()', for Ant [pattern='/oauth/check_token']
I don't know how to permit it in XML, but with Java config it is as follows:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;

@Configuration
@EnableAuthorizationServer
public class AuthServerConfig extends AuthorizationServerConfigurerAdapter {

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
        // /oauth/check_token is denyAll() unless an access expression is set here.
        // isAuthenticated() requires the caller (e.g. a resource server) to
        // authenticate with registered client credentials before introspecting a token.
        security.checkTokenAccess("isAuthenticated()");
        // permitAll would let any unauthenticated caller introspect tokens:
        // security.checkTokenAccess("permitAll");
    }
}
I found How to enable /oauth/check_token with Spring Security OAuth2 using XML. Maybe it helps.
You may be able to get this working simply through property config. Try putting this in your application.yml, along with your HttpSecurity config for the /cards/ URI.
security:
  oauth2:
    resource:
      token-info-uri: https://[your token validation endpoint]
      preferTokenInfo: true
Having @EnableWebSecurity and @EnableResourceServer is duplicative. You do not need @EnableWebSecurity.
For some reason I couldn't get the XML configuration working to validate access tokens remotely. But I was able to set up the OAuth2 resource server using Java config, and it fixed the issue. Please find the code below.

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Primary;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.provider.token.RemoteTokenServices;

@Configuration
@EnableWebSecurity
@EnableResourceServer
public class Oauth2ResourceServerConfiguration extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        // GET /api/** requires a valid access token carrying the 'read' scope
        http.authorizeRequests()
            .antMatchers(HttpMethod.GET, "/api/**").access("#oauth2.hasScope('read')");
    }

    // @Primary so this bean wins over the token services Spring Boot auto-configures
    @Primary
    @Bean
    public RemoteTokenServices tokenService() {
        RemoteTokenServices tokenService = new RemoteTokenServices();
        // every request's bearer token is introspected remotely at the authorization server
        tokenService.setCheckTokenEndpointUrl(
                "https://localhost:8443/auth-server/oauth/check_token");
        // sent as HTTP Basic credentials; must be a client registered on the authorization server
        tokenService.setClientId("client-id");
        tokenService.setClientSecret("client-secret");
        return tokenService;
    }
}
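The two Java-config answers above only fit together if the authorization server actually knows the "client-id"/"client-secret" pair that RemoteTokenServices sends to /oauth/check_token, because checkTokenAccess("isAuthenticated()") makes the introspection endpoint require client authentication. The following authorization server configuration is an added example, not code from the question or any of the answers: it registers one client that may obtain tokens and a second, grant-type-less client whose only use is authenticating the resource server to /oauth/check_token. Client ids, secrets, scopes, token lifetimes and the bcrypt encoder are assumptions; it is written against spring-security-oauth2 2.x on Spring Boot 1.5, where Boot exposes an AuthenticationManager bean that can be autowired.

```java
// Added example: authorization server pairing with the resource server config in the
// last answer. Client ids/secrets/scopes below are made up for illustration.
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore;

@Configuration
@EnableAuthorizationServer
public class AuthServerConfig extends AuthorizationServerConfigurerAdapter {

    // Assumption: Spring Boot 1.5 registers an AuthenticationManager bean; needed for the password grant.
    @Autowired
    private AuthenticationManager authenticationManager;

    // Client secrets are stored hashed; the same encoder is handed to the client-auth filter below.
    private final PasswordEncoder encoder = new BCryptPasswordEncoder();

    @Bean
    public TokenStore tokenStore() {
        // In-memory store is enough for a single node; use a shared (JDBC/Redis) store across nodes.
        return new InMemoryTokenStore();
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) {
        security
            .passwordEncoder(encoder)              // verifies the bcrypt-hashed client secrets
            .checkTokenAccess("isAuthenticated()") // /oauth/check_token: registered clients only
            .tokenKeyAccess("denyAll()");          // /oauth/token_key stays closed (no JWT keys here)
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
            // Client that end users log in through and that may obtain tokens.
            .withClient("web-app")
                .secret(encoder.encode("web-app-secret"))
                .authorizedGrantTypes("password", "refresh_token")
                .scopes("read", "write")
                .accessTokenValiditySeconds(600)
                .refreshTokenValiditySeconds(3600)
            .and()
            // Identity used by the resource server's RemoteTokenServices. It has no grant
            // types, so these credentials can authenticate to /oauth/check_token but can
            // never be used to mint an access token if they leak from the resource server.
            .withClient("client-id")
                .secret(encoder.encode("client-secret"))
                .authorizedGrantTypes()
                .scopes("read");
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
        endpoints
            .tokenStore(tokenStore())
            .authenticationManager(authenticationManager);
    }
}
```

With this in place, the resource server's RemoteTokenServices sends "client-id:client-secret" as HTTP Basic to /oauth/check_token, the ClientDetailsUserDetailsService authenticates it against the bcrypt hash, and the isAuthenticated() expression is satisfied; an anonymous caller still gets 401 rather than a token introspection. On Spring Boot 2 / Spring Security 5 the AuthenticationManager is not exposed as a bean by default and must be published from a WebSecurityConfigurerAdapter by overriding authenticationManagerBean().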