Comments (12)
That code comes from the `UserInfoTokenServices`, which isn't used if you go to the /check_token endpoint instead. Is that what you were missing?
from spring-cloud-security.
Maybe some misunderstanding on my side about the token flow. I have a bearer token and my resource server is trying to authenticate a user based on this token. If I manually present the token to my auth server's `check_token` endpoint I get a JSON hash as expected. I thought that the `tokenInfoUri` that spring-cloud security is using is this endpoint, but that seems to be wrong.
It does use /check_token if you configure a URI for it. Otherwise it will try and use a "userInfoUri" and that's where the code you posted comes from. Docs here: http://projects.spring.io/spring-cloud/spring-cloud.html#_single_sign_on. If they aren't clear enough maybe we can pinpoint the problem here and make a change?
Those are the docs I've used and that's the endpoint I've configured. At the moment I'm not sure if it's a problem with `/check_token` at all. I have two endpoint apps: one using a hand-configured OAuth setup (based on the sparklr/tonr samples) that works, and one using spring-cloud security's resource server config. The latter seems to have problems letting OPTIONS requests in. They are not sent with a bearer token and work on the former app but not on the latter, so the `check_token` code is not reached. I'll come back on this if I have deeper insight.
None of the code in Spring Cloud is sending OPTIONS. I assume you have a browser client? Maybe if you could be a bit more precise about the actual problem you are having (as opposed to guessing the solution) we could get to the bottom of it.
My bad.
I have some ember.js based clients using torii on the ember side to authenticate against a spring-security-oauth based authentication server, getting bearer tokens in response. My current setup on the resource server side (that is a different app, detached from the auth server) is based on the sparklr sample and simply works.
We are now evaluating migration to microservices based on spring cloud. For that I have built a new auth server exposing a `check_token` endpoint so I can authorize requests to my edge services. The check token endpoint is accessible, and if I curl it with a valid bearer token auth header and a matching token param I get my user info back.
In the current (working) setup, the browser sends an (unauthorized) OPTIONS request, gets a response and then sends a bearer authorized request.
My belief was that I could simply take my resource server's code, wrap it in an appropriate spring-cloud/spring-boot AppBootstrapper annotated with `@EnableOAuth2Resource`, add some config so the resource server verifies the token against the `check_token` endpoint, and I'm done.
The problem is that I don't get that far. My browser client sends an unauthorized OPTIONS request and gets stuck. Obviously something is different between manually configuring oauth2-security and the `@EnableOAuth2Resource` way, but I have no clue what that could be.
Spring (neither Cloud nor Security) will not handle OPTIONS requests for you, so you must be doing that successfully in the server that works. It probably means you have a filter but in the wrong position in the chain or something?
Oh my god, I'm so stupid.
After placing the filter in the right position in the filter chain my requests are now reaching the resource server. Many thanks for that.
But...
Spring-cloud security is now sending a request to the `check_token` endpoint, but there still seems to be a point I'm missing. As far as I can see, the request that is sent contains a valid auth header with a bearer token and the configured URI, but the default `check_token` endpoint expects a `token` parameter in addition to the token header. How do I configure the check_token URL in the resource server so that the parameter gets sent?
For now, I've dropped `@EnableOAuth2Resource` and reverted to manually configuring OAuth2 using our Cassandra-based token store. Maybe the preferable solution regarding performance.
But I'm still curious how to use the check_token endpoint with cloud-security...
@DirkLachowski Did you find a way to get around the required token parameter when the check_token endpoint is used? It's still the case in spring boot 1.3.2.RELEASE. Isn't the value the same as the token in the header?
Generally speaking a check_token endpoint requires basic auth as a client (not token authentication) and you always have to send it a token as a parameter (in the request body). If it is configured correctly your client app should have a `RemoteTokenServices` which will require a client id and secret to operate correctly. N.B. the autoconfiguration for this feature has moved to Spring Boot, so if you have a crisp description of an actual issue (preferably with a sample app), please post again there.
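The answer above states how check_token is meant to be called: the resource server authenticates as a client with HTTP Basic and sends the token as a form parameter, and the endpoint answers with the token's claims or an error. The following is an added example, not code from this thread or from Spring; it is a language-neutral Python sketch of the exchange that `RemoteTokenServices` performs, showing the request shape and a parser that refuses error, inactive or expired answers. The URL, client id and secret, token value and both JSON bodies are constructed placeholders.

```python
import base64
import json
import time
from urllib.parse import urlencode


class InvalidTokenError(Exception):
    pass


def build_check_token_request(check_token_url, client_id, client_secret, access_token):
    # The resource server authenticates itself with HTTP Basic (client id and
    # secret); the token under test travels as a form parameter, not as a bearer header.
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {
        "method": "POST",
        "url": check_token_url,
        "headers": {"Authorization": f"Basic {creds}",
                    "Content-Type": "application/x-www-form-urlencoded",
                    "Accept": "application/json"},
        "body": urlencode({"token": access_token}),
    }


def parse_check_token_response(status, body, now=None):
    # Turn the check_token JSON into a principal, or refuse the request.
    now = time.time() if now is None else now
    claims = json.loads(body)
    # An unknown or expired token answers 400 {"error": "invalid_token", ...}.
    if status != 200 or "error" in claims or claims.get("active") is False:
        raise InvalidTokenError(claims.get("error_description", f"rejected (HTTP {status})"))
    # Defence in depth: never accept a token whose reported expiry (seconds) is already past.
    if claims.get("exp") is not None and claims["exp"] <= now:
        raise InvalidTokenError("token expired")
    return {"user": claims.get("user_name"), "client_id": claims.get("client_id"),
            "scope": set(claims.get("scope", []))}


def token_is_valid(status, body, now=None):
    try:
        parse_check_token_response(status, body, now)
        return True
    except InvalidTokenError:
        return False


# Constructed sample answers, not captured from a real authorization server.
VALID_BODY = json.dumps({"user_name": "alice", "client_id": "my-client",
                         "scope": ["read"], "active": True, "exp": 2_000_000_000})
INVALID_BODY = json.dumps({"error": "invalid_token",
                           "error_description": "Token was not recognised"})
```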
Thanks for the clarification, Dave! After configuring the remote token services, I'm able to use the check_token endpoint from the resource server now. I tried to use the same endpoint as the userInfoUri in an OAuth2 client with OAuth2 SSO enabled, see the sample app at https://github.com/ychen00/oauth2-client, and I got a 400 Bad Request because it's looking for the token parameter. Is it good practice to use the endpoint in the client for this purpose? It seems natural to me, although one can implement another REST endpoint to do the same thing. What I did after this was to override the default userInfoTokenServices in the client with the following code:

```java
import org.springframework.context.annotation.Bean;
import org.springframework.security.oauth2.provider.token.RemoteTokenServices;
import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;

// clientId, clientSecret and userInfoUri are injected configuration values of the config class.
@Bean
public ResourceServerTokenServices userInfoTokenServices() {
    // Replace the default UserInfoTokenServices with a RemoteTokenServices that calls
    // check_token with the client credentials and the token as a form parameter.
    RemoteTokenServices tokenServices = new RemoteTokenServices();
    tokenServices.setClientId(clientId);
    tokenServices.setClientSecret(clientSecret);
    tokenServices.setCheckTokenEndpointUrl(userInfoUri);
    return tokenServices;
}
```

and it worked.