spring-security-oauth2

I am trying to create a spring resource server secured with oauth2. I am using auth0 for my auth2 service, and I have an api and client configured with scopes. I have a resource server that mostly works. It is secured, and I can use @EnableGlobalMethodSecurity and @PreAuthorize("#oauth2.hasScope('profile:read')") to limit access to tokens with that scope. However, when I try to get the Principal or the OAuth2Authentication they are both null. I've configured the resource server to use the JWK key-set-uri. I suspect that this has to do with the DefaultUserAuthenticationConverter trying to read

I'm currently working on a simple Spring Boot application where I pass client_id and secret to get the access token which gets me a refresh and access token. But then when I try to access resources(my REST API) using that token (with this URL: curl -H "Authorization: Bearer ead8ba5d-88ad-4531-a821-db08bf25e888" localhost:8081/my-end-point ), it doesn't work for me and gives me following error- {"error":"invalid_token","error_description":"Invalid access token: ead8ba5d-4531-db08bf2fe888"} This is how my endpoint looks like- import org.springframework.web.bind.annotation.RequestMapping; import

I have some rest api like this: /users/{user_id} /users/{user_id}/orders /users/{user_id}/orders/{order_id} How I must secure them? every user must see only her/his data, But admin can see all of them. How & What I must implement in Spring Security that User by Id == 1 can't see data of user by Id == 2 and vice versa, expect users by role admin that can see all? Do I check before every method User Id in session is equail with user_id param passed to api? is there a better way? p.s: I use JWT by spring security. In a @Controller , @RestController annotated bean you can use Principal directly as

I'm working on integrating Spring Security OAuth2 with JWT tokens into a Spring Boot project. My authentication server is configured similar to what is found in this sample project . When the OAuth2 client performs the POST on /oauth/token it is unable to create the access token. The specific error logged is: o.s.s.o.provider.endpoint.TokenEndpoint : Handling error: NoSuchBeanDefinitionException, No qualifying bean of type [org.springframework.transaction.PlatformTransactionManager] is defined I've debugged it down to AbstractTokenGranter line 70 at the call to tokenServices.createAccessToken

Am trying to use Spring Secruity's OAuth API to obtain an access token from an externally published API within a Spring MVC 4 based Web Services (not Spring Boot). This curl command works (and its contents are all that I need to obtain an access token): curl -X POST \ https://api.app.com/v1/oauth/token \ -H 'content-type: application/x-www-form-urlencoded' \ -d'grant_type=client_credentials&client_id=bcfrtew123&client_secret=Y67493012' Spring Security OAuth API: <dependency> <groupId>org.springframework.security.oauth</groupId> <artifactId>spring-security-oauth2</artifactId> <version>2.1.1

Referring to the logout flow in oauth2 spring-guides project, once the the user has authenticated using user/password for the first time, the credentials are not asked next time after logout. How can I ensure that username/password are asked every time after a logout. This is what I am trying to implement:- OAuth2 server issuing JWT token using "authorization_code" grant type with auto approval. This has html/angularjs form to collect username/password. UI/Webfront - Uses @EnableSSO. ALL its endpoints are authenticated i.e it does not have any unauthorized landing page/ui/link that user clicks

I've created Spring MVC application and set up Spring Security OAuth 2. While calling methods from my brower i get XML: <oauth> <error_description> Full authentication is required to access this resource </error_description> <error>unauthorized</error> </oauth> Browser sends following header: Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 When I set json accept header I get JSON. I need to force my authorization server always send JSON. Haven't found any solution. Thanks. For Spring Security OAuth exceptions are rendered using the