I have an access token with the necessary scope. I also successful access the resource server. The error occur when the resource server try to fetch the user Principal from the Authorization server. I really hope i can get some hints or help about how i can solve this
The access Token:
{"access_token":"65ce0f1a-192f-4ad2-b7bb-cb9c7cbf0be9","token_type":"bearer","refresh_token":"f1e2a49d-5b24-4e9c-b9da-567eb47d6ab7","expires_in":149,"scope":"read write trust"}
The resource server call:
curl -H "Authorization:Bearer 65ce0f1a-192f-4ad2-b7bb-cb9c7cbf0be9" http://localhost:9001/resource/hello
Resource server output after the call:
2016-10-10 10:10:06.144 INFO 411 --- [nio-9001-exec-5] o.s.b.a.s.o.r.UserInfoTokenServices : Getting user info from: http://localhost:9000/auth/user
The endpoint (localhost:9000/auth/user) get executed but i always get the following response to my curl request:
{"error":"insufficient_scope","error_description":"Insufficient scope for this resource","scope":"read"}
I resolved this by removing the user info uri from the resource server properties. Since I use a jdbc token store, the resource server can verify the authenticity of the token from the database and not relying on the auth server anymore.
Related
Im building a webMVC app with Azure as Identity Provider and Im getting the following error:
[invalid_user_info_response] An error occurred while attempting to retrieve the UserInfo Resource: I/O error on GET request for "https://graph.microsoft.com/oidc/userinfo": graph.microsoft.com
[nio-8080-exec-3] o.s.web.client.RestTemplate : HTTP GET https://graph.microsoft.com/oidc/userinfo
[nio-8080-exec-3] o.s.web.client.RestTemplate : Accept=[application/json, application/*+json]
[nio-8080-exec-3] .s.a.DefaultAuthenticationEventPublisher : No event was found for the exception org.springframework.security.oauth2.core.OAuth2AuthenticationException
[nio-8080-exec-3] o.s.s.web.DefaultRedirectStrategy : Redirecting to /login?error
Am I missing something?
spring.security.oauth2.client.provider.azure.issuer-uri=https://login.microsoftonline.com/XXXX/v2.0
spring.security.oauth2.client.registration.myapp.client-name=XXXX
spring.security.oauth2.client.registration.myapp.client-id=XXXX
spring.security.oauth2.client.registration.myapp.client-secret=XXXX
spring.security.oauth2.client.registration.myapp.provider=azure
spring.security.oauth2.client.registration.myapp.redirect-uri=http://localhost:8080/login/oauth2/code/
spring.security.oauth2.client.registration.myapp.scope=openid, profile, User.Read
spring.security.oauth2.client.registration.myapp.authorization-grant-type=authorization_code
I tried to reproduce the same in my environment via Postman and got below results:
I created one Azure AD application and granted permissions like below:
To get code, I used below authorization request:
https://login.microsoftonline.com/tenantID/oauth2/v2.0/authorize?
client_id=client_id
&response_type=code
&redirect_uri=redirect_uri
&response_mode=query
&scope=openid profile user.read
&state=12345
When I ran the above request in browser, I got consent screen like below:
After accepting the above consent, I got the code in address bar like below:
To generate access token, I used below parameters and got token like this:
POST https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
grant_type:authorization_code
client_id:client_id
client_secret:client_secret
scope:openid profile user.read
code:code
redirect_uri: redirect_uri
When I used the above token to get user info data, I got the response successfully like below:
GET https://graph.microsoft.com/oidc/userinfo
Response:
In your scenario, make sure to include below parameters in your code like below:
spring.security.oauth2.client.registration.azure.client-id: xxx
spring.security.oauth2.client.registration.azure.client-secret: xxx
spring.security.oauth2.client.registration.azure.client-name: App Name
spring.security.oauth2.client.registration.azure.client-authentication-method: basic
spring.security.oauth2.client.registration.azure.provider: azure
spring.security.oauth2.client.registration.azure.scope: openid profile user.read
spring.security.oauth2.client.registration.azure.redirect-uri: http://localhost:8080/login/oauth2/code/azure
spring.security.oauth2.client.registration.azure.authorization-grant-type: authorization_code
spring.security.oauth2.client.provider.azure.issuer-uri=https://login.microsoftonline.com/<tenant id>/v2.0
spring.security.oauth2.client.provider.azure.authorization-uri: https://login.microsoftonline.com/<tenant id>/oauth2/v2.0/authorize
spring.security.oauth2.client.provider.azure.user-info-uri: https://graph.microsoft.com/oidc/userinfo
spring.security.oauth2.client.provider.azure.token-uri: https://login.microsoftonline.com/<tenant id>/oauth2/v2.0/token
spring.security.oauth2.client.provider.azure.jwk-set-uri: https://login.microsoftonline.com/<tenant id>/v2.0/keys
spring.security.oauth2.client.provider.azure.user-name-attribute: name
To know more in detail, please refer below link:
Spring security using OAuth2 with Microsoft - AzureAD
for some reason the proxy server configured on my machine was not able to solve the dns graph.microsoft.com and I was getting the message "invalid_user_info_response". In order to fix it you need to make sure that your machine is able to reach graph.microsoft.com
I am new using AWS Cognito. I have a springboot application where I am using aws cognito as our authentication provider.
I have configured cognito and login works perfectly that return access token and id token. However when I am trying to validate that access token via cognito I am getting 400 IOException.
Caused by: java.io.IOException: Server returned HTTP response code: 400 for URL: https://cognito-idp.{region}.amazonaws.com/{poolid}/.well-known/jwks.json
at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1997)
at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1589)
at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:224)
at com.nimbusds.jose.util.DefaultResourceRetriever.getInputStream(DefaultResourceRetriever.java:305)
at com.nimbusds.jose.util.DefaultResourceRetriever.retrieveResource(DefaultResourceRetriever.java:257)
at com.nimbusds.jose.jwk.source.RemoteJWKSet.updateJWKSetFromURL(RemoteJWKSet.java:305)
I think that in your URL you still have the template variables from the example you copied from (e.g. {region} and {poolid}. Those tokens need to be replaced with actual values from your cognito settings so the ultimate URL is, for example:
https://cognito-idp.us-east-1.amazonaws.com/us-east-1_xxxxxxxxx/.well-known/jwks.json
The IOException is likely caused by the invalid URL.
I am building a spring-boot application which uses google/facebook oauth2 authentication. The application configurations set are as follows:
#Google
spring.security.oauth2.client.registration.google.clientId=<googleClientId>
spring.security.oauth2.client.registration.google.clientSecret=<googleClientSecret>
spring.security.oauth2.client.registration.google.redirectUri={baseUrl}/oauth2/callback/{registrationId}
spring.security.oauth2.client.registration.google.scope=email,profile
#Facebook
spring.security.oauth2.client.registration.facebook.clientId=<fbClientId>
spring.security.oauth2.client.registration.facebook.clientSecret=<fbClientSecret>
spring.security.oauth2.client.registration.facebook.redirectUri={baseUrl}/oauth2/callback/{registrationId}
spring.security.oauth2.client.registration.facebook.scope=email,public_profile
spring.security.oauth2.client.provider.facebook.authorizationUri=https://www.facebook.com/v13.0/dialog/oauth
spring.security.oauth2.client.provider.facebook.tokenUri=https://graph.facebook.com/v13.0/oauth/access_token
spring.security.oauth2.client.provider.facebook.userInfoUri=https://graph.facebook.com/v13.0/me?fields=id,first_name,middle_name,last_name,name,email,verified,is_verified,picture.width(250).height(250)
For google, this is working well - the application has an authorization rest controller which redirects to the google auth end point. After logging in, I can see a code is returned and sent to a redirect URI {baseUrl}/ouath2/callback/google, which is exchanged for a token which is in turn parsed and used to construct a universal application-level Oauth2 bearer token (for use in my shared APIs etc).
For facebook, I am attempting a similar setup. The initial redirect works, and user is directed to a facebook login page with equivalent client_id / redirect uri parameters set:
https://www.facebook.com/v3.0/dialog/oauth
?response_type=code
&client_id=<fbClientId>
&scope=email+public_profile
&state=<state>
&redirect_uri=https%3A%2F%2F192.168.50.150.nip.io%3A8300%2Foauth2%2Fcallback%2Ffacebook
&ret=login
&fbapp_pres=0
&logger_id=e1036c5a-ac6e-448c-ab8g-655727eae993
&tp=unspecified
&cbt=1643459835928
&ext=1645463198
&hash=AeJog6HeUz9jlsDRQQo
However, when the code is obtained after login and sent to the redirect uri {baseUrl}/ouath2/callback/facebook, there is an error returned when my application attempts to access the FB User Info resource server:
I don't have any traffic capture from my backend to the FB User Info URI, so I can't see exactly what's being sent, but the response I get back is a server error:
[invalid_user_info_response] An error occurred while attempting to
retrieve the UserInfo Resource: Error details: [UserInfo Uri:
https://graph.facebook.com/v3.0/me?fields=id,first_name,middle_name,last_name,name,email,verified,is_verified,picture.width(250).height(250),
Error Code: server_error]
Are there any known issues with the graph.facebook.com end points?
I am trying to integrate a Shibboleth IDPV3.4.1 with my SP which is a server called as ClearPass. I am using the Linux platform of the Shibboleth IDP. I configured the relyingparty.xml, attribute-filter.xml, attribute-resolver.xml,ldap.properties, and also the and uploaded the metadata to the /metadata/sp-metadata.xml also updating the metadata-providers.
I am trying to use the password authentication flow with LDAP, however the issue is that I never get the login page when I initiate the SAML transaction from my SP. I get an error saying "Web Login Service -Stale Request". I have attached the screenshot of the error
Stale Request
I attempt to do a resolver test using the
http://shib.nslab.com:8080/idp/profile/admin/resolvertest?requester=https://chandracppm.nslab.com/networkservices/saml2/sp&principal=chandu
requester "https://chandracppm.nslab.com/networkservices/saml2/sp"
principal "chandu"
attributes
0
name "sAMAccountName"
values
0 "chandu"
and I get the attributes from AD in return, which shows the connection to AD is working.
However the authentication page does not appear from the IDP when I try to access the resource in my SP, I only get the Stale request Error.
The error that I see in the logs/idp-process.log is as follows
2018-12-10 19:26:08,222 - 10.23.20.81 - ERROR [org.opensaml.profile.action.impl.DecodeMessage:73] - Profile Action DecodeMessage: Unable to decode incoming request
org.opensaml.messaging.decoder.MessageDecodingException: Shibboleth Authentication Request message did not contain the providerId query parameter.
at net.shibboleth.idp.saml.profile.impl.BaseIdPInitiatedSSORequestMessageDecoder.getEntityId(BaseIdPInitiatedSSORequestMessageDecoder.java:128)
2018-12-10 19:26:08,223 - 10.23.20.81 - WARN [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event occurred while processing the request: UnableToDecode
2018-12-10 19:26:08,224 - 10.23.20.81 - DEBUG [org.opensaml.saml.common.profile.logic.DefaultLocalErrorPredicate:143] - No SAMLBindingContext or binding URI available, error must be handled locally
I am new to setting up Shibboleth IDP, not sure what I am missing.
Any inputs would be appreciated
Shibboleth fails to decode the message. This behavior is to be seen if the AuthnReq is being sent to POST endpoint instead of Redirect or vice versa or if any of both endpoints are not configured properly. On UI, the error you will notice for this is "StaleRequest". I got a similar error in idp-process.log file "org.opensaml.messaging.decoder.MessageDecodingException: This message decoder only supports the HTTP GET method". The issue is pertaining to incorrect or misconfigured endpoints.
I was able to get this working by installing an IDP docker image from here
https://docs.google.com/document/d/1qb5XTde1nulCdA_8QUei48CxDj0lQs7ShD622Ze_4II/edit
The authentication flow is working now
I've downloaded the code from Spring's Get Started Guide - Accessing Twitter Data the https://spring.io/guides/gs/accessing-twitter/ .
I set up my credentials in application.properties and made no other changes. I run the app, and when it attempts to connect to Twitter, it fails with an exception on ConnectController line 240:
ResourceAccessException:
org.springframework.web.client.ResourceAccessException: I/O error on
POST request for "https://api.twitter.com/oauth/request_token":cannot
retry due to server authentication, in streaming mode; nested
exception is java.net.HttpRetryException: cannot retry due to server
authentication, in streaming mode
I have checked that the credentials are being read by the app. They are valid - I use them to connect with another application I've written with twitter4j, although in that case I use a Token and Token Secret in addition to the Consumer Key and Consumer Secret.
Any ideas?
Thanks
I had exactly the same issue as you : it happened because I did not set my callback URL in the twitter setting.
Just check in your twitter app settings that the callback field is set (I used the same URL as the website field).