I have implemented Spring Security Oauth in my project.
I have 2 different modules in my project :
Module A
Module B
I have implemented my Oauth configurations in Module A using the XML definitions. This is working successfully and I am able to generate access token and refresh token successfully when hitting the url : /oauth/token
Now module B is having dependency (defined in pom.xml) on module A. When I am trying to hit /oauth/token from module B : its giving me following exception :
InsufficientAuthenticationException:
There is no client authentication. Try adding an appropriate authentication filter.
This occurs in TokenEndpoint in line 74 when following condition is true :
!(principal instanceof Authentication)
Can someone guide me what can be the issue and how could I resolve this issue?
Thanks,
Jubin
Related
I have a SpringBoot application with one Endpoint. It uses dependency to the library where custom Authentication Provider is implemented. I need to configure my application ( via application.yml properties ) to use an Authentication Provider.
When I am making an endpoint call I can see these output in Console :
c.b.c.f.c.s.WhiteListAuthFilter : Checking secure context token: null
c.b.c.f.c.s.WhiteListAuthFilter : Trusted IPs [null]
c.b.c.f.c.s.WhiteListAuthFilter : Attempting white list authentication 127.0.0.1
c.b.c.f.c.s.WhiteListAuthFilter : No pre-authenticated principal found in request
How can I do that?
I don't want to repeat previous other threads. I just don't see this being tracked anywhere although it is a known issue. If it is tracked, please point me in the right direction.
Currently spring-authorization-server works with Spring Boot 2.5.x. It is known that there is an inconsistency with the spring-boot-starter-oauth2-client implementation and the Jwt tokens and that of spring-authorization-server.
This means you can successfully run spring-authorization-server with Spring Boot 2.6.x BUT you cannot add the dependency spring-boot-starter-oauth2-client.
And that's where I'm stuck. I wanted to implement a federated security example using the federated sample located in the codebase here: https://github.com/spring-projects/spring-authorization-server/tree/main/samples/federated-identity-authorizationserver
2022-04-25 14:14:34.067 ERROR 54601 --- [ XNIO-1 task-2] io.undertow.request : UT005023: Exception handling request to /oauth2/token
java.lang.IllegalAccessError: failed to access class org.springframework.security.oauth2.jwt.JoseHeader from class org.springframework.security.oauth2.server.authorization.token.JwtGenerator (org.springframework.security.oauth2.jwt.JoseHeader and org.springframework.security.oauth2.server.authorization.token.JwtGenerator are in unnamed module of loader 'app')
at org.springframework.security.oauth2.server.authorization.token.JwtGenerator.generate(JwtGenerator.java:130) ~[spring-security-oauth2-authorization-server-0.2.3.jar:0.2.3]
at org.springframework.security.oauth2.server.authorization.token.JwtGenerator.generate(JwtGenerator.java:59) ~[spring-security-oauth2-authorization-server-0.2.3.jar:0.2.3]
at org.springframework.security.oauth2.server.authorization.token.DelegatingOAuth2TokenGenerator.generate(DelegatingOAuth2TokenGenerator.java:60) ~[spring-security-oauth2-authorization-server-0.2.3.jar:0.2.3]
at org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeAuthenticationProvider.authenticate(OAuth2AuthorizationCodeAuthenticationProvider.java:212) ~[spring-security-oauth2-authorization-server-0.2.3.jar:0.2.3]
What's the status of this inconsistency?
As a workaround, you can move the security-oauth2-authorization-server dependency
before any other spring-boot dependencies declaration inside the pom, that will force classloader to load the org.springframework.security.oauth2.jwt.JoseHeader from security-oauth2-authorization-server.
Please read https://github.com/spring-projects/spring-authorization-server/issues/518#issuecomment-1017332290
Spring Authorization Server v0.3.0 has been released and there is no longer a discrepancy between SAS and Spring Security OAuth.
π¦ΈββοΈ
I am upgrading my jhipster application to the latest jhipster version which is 7.6.0.
Jhipster 7.6.0 introduces latest version of spring boot (2.6.3) and spring framework (5.3.15)
For security configuration class, I am still using the annotations from spring web mvc and I am not using spring web reactive. At this point, I dont want to switch to web reactive.
#EnableWebSecurity
#EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
#Import(SecurityProblemSupport.class)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter { }
After compiling, building and starting my application, If I hit the login url, then I get below error on the screen
Login with OAuth 2.0
[invalid_user_info_response] An error occurred while attempting to retrieve the UserInfo Resource: 403 Forbidden: [no body]
Browser's DevTools console shows that OAuth/authorization end point is returning with 200 http status with no values for session id and token, whereas ideally the end point should return with http status 302 along with session id and token.
I suspect, its related to the changes introduced by the version upgrade, because If I switch back to the older branch of the source code (having older version of jhipster like 6.4.1 and spring) , then the login works just fine.
Can anyone suggest what could be the possible reason behind this issue?
I believe that the 'authorize' end point returning 200 response with missing session id and token is surely one of the reasons.
Please guide me on this.
Thanks.
Thanks for the details. I have found the root cause. For the latest version of spring security, oidc: scope needs to be mentioned explicitly. something like this - scope: openid,profile,email. Adding this scope in application yml fixed the issue. β
Sorry folks, this may be a newb question. I'm a little lost.
My Spring-boot environment provides me with keycloak for client authorization, it gives me these.
spring.security.oauth2.resourceserver.jwt.issuer-uri
spring.security.oauth2.client.provider.keycloak.issuer-uri
spring.security.oauth2.client.registration.keycloak.* # client-id, secret, provider, grant-type
I noticed on the ClientRegistration that .issuerUri(String uri) is not avaialbe until Spring-Security v5.4.x. I am using 5.3.5, although I could bump up. I am confused what the difference is. As I would expect, I get an error when I do .tokenUri(issuerUri). I believe they are different modes/API, but I am at a loss as to what I should set in the 5.3.5 API.
Caused by: org.springframework.security.oauth2.client.ClientAuthorizationException: [invalid_token_response] An error occurred while attempting to retrieve the OAuth 2.0 Access Token Response: 405 Method Not Allowed: [{"error":"RESTEASY003650: No resource method found for POST, return 405 with Allow header"}]
So as a newb, I don't get why I have 4 choices of URI and what they do. Google and javadoc haven't been much help, so I figure I just don't know the right place to look to learn it. The only way I know how to fix this is to manual make my own HTTP call to the URI and get my Authentication token, but that would defeat the purpose of the Oauth2 library.
tokenUri represents the URI for the token endpoint. For example:
https://authz.example.org/auth/realms/myrealms/protocol/openid-connect/token
Whereas issuerUri is the URI that identifies the Authorization Server:
https://authz.example.org/auth
It's quite common for the issuer URI to be the root for more specific URIs like the token URI.
Regarding your specific error, I'd imagine that Keycloak is stating that you cannot POST to https://authz.example.org/auth, which is true. You should be POSTing to the token endpoint.
The issuer-uri Spring Boot property should cause Spring Security to look up the other endpoints and add them to a default ClientRegistration. Because of that, I'm not sure why you are also trying to programmatically configure ClientRegistration. That said, if you do need to programmatically create a ClientRegistration, you can use the issuer URI like so, and Spring Security will do the rest:
#Bean
ClientRegistrationRepository registrations() {
ClientRegistration registration = ClientRegistrations
.forIssuerLocation("https://authz.example.org/auth")
.build();
return new InMemoryClientRegistrationRepository(registration);
}
I'm setting the security system on my project (Grails - Angularjs) with Spring Security Rest Plugin v1.5.4 (using spring security core 2.0.0) for Grails 2.4.4. Doc about this plugin can be found here.
I'm testing the login and logout with postman chrome rest client and I'm able to do a login OK, but I'm getting a 404 when I do logout.
In the documentation clearly says:
The logout filter exposes an endpoint for deleting tokens. It will
read the token from an HTTP header. If found, will delete it from the
storage, sending a 200 response. Otherwise, it will send a 404
response
You can configure it in Config.groovy using this properties:
Config key...................................................................................Default
value
grails.plugin.springsecurity.rest.logout.endpointUrl....................../api/logout
grails.plugin.springsecurity.rest.token.validation.headerName....X-Auth-Token
So, after doing a login successfully, I tried to do a logout to that url (my_host_url/api/logout) with a GET method and sending a header X-Auth-Token with the token I got previously from login.
But I keep getting a 404. See image below
Edit: I'm setting the chain map like this (in order to get a stateless behavior):
grails.plugin.springsecurity.filterChain.chainMap = [
'/api/**': 'JOINED_FILTERS,-exceptionTranslationFilter,-authenticationProcessingFilter,-securityContextPersistenceFilter,-rememberMeAuthenticationFilter', // Stateless chain
'/**': 'JOINED_FILTERS,-restTokenValidationFilter,-restExceptionTranslationFilter' // Traditional chain
]
So. What am I doing wrong here, or what am I missing?
Thanks in advance!
You missed another excerpt from the docs. It's a warning message literally before the chunk you quoted, and says:
Logout is not possible when using JWT tokens (the default strategy), as no state is kept in the server.
If you still want to have logout, you can provide your own implementation by creating a subclass of JwtTokenStorageService and overriding the methods storeToken and removeToken. Then, register your implementation in resources.groovy as tokenStorageService.