Spring OAuth2 - There is no client authentication. Try adding an appropriate authentication filter

梦毁少年i 2020-12-30 04:55

We have an application which is using spring-security-oauth2:1.0. I was trying to change it to a newer version, spring-security-oauth2:2.0.7.RELEASE

5 answers
  • 2020-12-30 05:34

    The problem can be because of opening all requests. You should remove it.

    @Override
    public void configure(WebSecurity web) throws Exception {
        web
                .ignoring()
                .antMatchers("/**");
    }
    
  • 2020-12-30 05:50

    I had the same problem and my application.yml had this line:

    servlet:
        path: /auth
    

    so the token address was: /auth/oauth/token

    I remove the path from application.yml so the token path became:

    /oauth/token

    And everything works fine.

    I hope this helps.

  • 2020-12-30 05:50

    In my case, I found this config:

    security.allowFormAuthenticationForClients(); // here

    then post this http://localhost:8081/sso/oauth/token?client_id=unity-client&client_secret=unity&grant_type=authorization_code&code=Yk4Sum&redirect_uri=http://localhost:8082/sso-demo/passport/login

    It works for me, try it.

    import org.slf4j.Logger;
    import org.slf4j.LoggerFactory;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
    import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
    import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
    import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
    import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;

    @Configuration
    @EnableAuthorizationServer
    public class Oauth2Config extends AuthorizationServerConfigurerAdapter {

        private static final Logger log = LoggerFactory.getLogger(Oauth2Config.class);

        @Override
        public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
            // Lets clients send client_id/client_secret as request parameters instead of HTTP Basic.
            security.allowFormAuthenticationForClients(); // here
        }

        @Override
        public void configure(final ClientDetailsServiceConfigurer clients) throws Exception { // @formatter:off
            // In-memory client registration used by the /oauth/token request above.
            clients.inMemory()
                    .withClient("unity-client")
                    .secret("unity")
                    .authorizedGrantTypes("authorization_code", "password", "client_credentials", "implicit", "refresh_token")
                    .scopes("foo", "read", "write")
                    .accessTokenValiditySeconds(3600) // 1 hour
                    .refreshTokenValiditySeconds(2592000); // 30 days
        } // @formatter:on

        @Override
        public void configure(final AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
            // Endpoint defaults are kept as-is.
        }

    }
    
  • 2020-12-30 05:57

    One of the problems of the following error can be that authentication was not performed. I have encountered this problem with an older implementation of Spring.

    Verify that:

    TokenEndpoint -> postAccessToken method. Check if Principal is not null. If it is null, it means that Basic Authorization was not performed.

    One of the solutions to add the filter was to use:

    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;

    @Configuration
    public class FilterChainInitializer extends AbstractSecurityWebApplicationInitializer {
        // Registers the springSecurityFilterChain with the servlet container; no body is needed.
    }
    

    More information about AbstractSecurityWebApplicationInitializer can be found in Spring docs

  • 2020-12-30 05:59

    I don't know the previous version, but I know a bit about 2.0.7.

    I suspect your problem is that your TokenEndpoint security tries to authenticate your clients against your user service.

    The TokenEndpoint is protected by a BasicAuthenticationFilter. By default this filter would use an AuthenticationManager instance, which itself holds an AuthenticationProvider, which itself depends on an instance of UserDetailsService. The trick is that this particular instance of UserDetailsService must be client based, not user based: that's why there is a ClientDetailsUserDetailsService, which adapts ClientDetailsService to UserDetailsService.

    Normally all this stuff is already done by default when you use the framework's configuration classes AuthorizationServerConfigurerAdapter, @EnableAuthorizationServer, etc.

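Putting the first answer's point about web.ignoring() together with the last answer's explanation of the BasicAuthenticationFilter in front of TokenEndpoint, here is an added example (not from this thread or from the Spring project) of a spring-security-oauth2 2.0.x setup that keeps client authentication on /oauth/token; the class names and the client secret placeholder are assumptions.

```java
// Added example, not from this thread or from Spring. Class names are illustrative.
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    public void configure(WebSecurity web) {
        // Exclude only static content from the filter chain. ignoring("/**"), as in the
        // first answer, would also drop the BasicAuthenticationFilter from /oauth/token,
        // so TokenEndpoint sees a null Principal and reports "There is no client authentication".
        web.ignoring().antMatchers("/static/**");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Resource owners authenticate with HTTP Basic for the /oauth/authorize step.
        http.authorizeRequests().anyRequest().authenticated().and().httpBasic();
    }
}

// No allowFormAuthenticationForClients() here on purpose: clients must then send
// client_id:client_secret as HTTP Basic credentials on /oauth/token, which keeps the
// secret out of query strings and request bodies that tend to end up in access logs.
@Configuration
@EnableAuthorizationServer
class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
                .withClient("unity-client")          // client id reused from the thread
                .secret("REPLACE-WITH-REAL-SECRET")  // placeholder, not a real secret
                .authorizedGrantTypes("authorization_code", "refresh_token")
                .scopes("read", "write")
                .accessTokenValiditySeconds(3600);   // 1 hour
    }
}
```

With this configuration a token request that carries the client credentials only as form or query parameters is rejected, while one sent with an HTTP Basic Authorization header reaches TokenEndpoint with a non-null Principal.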