spring-security-oauth2

Im trying to split the resource server from the authorization server in spring-boot. I have two different applications that i'm running separately. In the authorization server i can get the bearer token from oauth/token but when i'm trying to get access to the resource(sending the token in header) i'm getting an invalid token error. My intention is to use the InMemoryTokenStore and the bearer token. Can anyone tell me what is wrong in my code? Authorization Server: @SpringBootApplication public class AuthorizationServer extends WebMvcConfigurerAdapter { public static void main(String[] args) {

I have implemented JWT and LDAP Authentication using Spring Security Oauth2. It seems to be working fine and I can login with my LDAP credentials. Now, there is one requirement that I need to use the currently logged in user info to save details in database - specifically like when that user add/update a new record. I tried to get that using Spring security way using SecurityContextHolder.getContext().getAuthentication().getDetails() but it doesn't return all that information which I have in JWT. It just returns Remote IP,the JWT token value and authenticated true. It doesn't even return name(

I have Spring OAuth Authorization server and I want to add support for more then one client(id). I configured clients like this: clients .inMemory().withClient(client).secret(clientSecret) .resourceIds(resourceId) .authorizedGrantTypes("client_credentials", "password", "refresh_token", "implicit", "authorization_code") .authorities("ROLE_USER") .scopes("read", "write") .autoApprove(true) .and() .inMemory().withClient("acme").secret("acmesecret") .resourceIds(resourceId) .authorizedGrantTypes("client_credentials", "password", "refresh_token", "implicit", "authorization_code") .authorities("ROLE

I have a separate ResourceServer built using Spring-Security-oauth2. Here is the code RemoteTokenService. @Bean public ResourceServerTokenServices tokenService() { RemoteTokenServices tokenServices = new RemoteTokenServices(); tokenServices.setClientId("sample_test_client_app"); tokenServices.setClientSecret("secret"); tokenServices.setCheckTokenEndpointUrl("http://localhost:8080/oauth/check_token"); return tokenServices; } When I'm accessing the resource server with AccessToken I get the following: FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /oauth/check_token;

I am trying to find a way to revoke Oauth2 JWT Refresh Token with vanilla Spring implementation and JwtTokenStore. First: can somebody confirm that there is no API similar to /oauth/token that allows me to revoke a refresh token? I wanted to add a custom API that would delete the refresh token along the folowing lines: OAuth2RefreshToken oauth2RefreshToken=tokenStore.readRefreshToken(refreshToken); tokenStore.removeRefreshToken(oauth2RefreshToken); Now, looking at the JwtTokenStore, I noticed that it uses an ApprovalStore. So I went ahead and provided an InMemoryApprovalStore to my

I made my own implementation of ClientDetailsService: @Service public class JpaClientDetailsService implements ClientDetailsService { @Autowired private ClientRepository clientRepositoy; @Override public ClientDetails loadClientByClientId(String clientId) throws ClientRegistrationException { ClientDetails client = clientRepositoy.findOne(clientId); if (client == null) { throw new ClientRegistrationException(String.format("Client with id %s not found", clientId)); } return client; } } ClientRepository is a standard JpaRepository. I configured an AuthorizationServerConfigurerAdapter like this:

I'm trying to setup a resource server to work with separate authorization server using spring security oauth. I'm using RemoteTokenServices which requires /check_token endpoint. I could see that /oauth/check_token endpoint is enabled by default when @EnableAuthorizationServer is used. However the endpoint is not accessible by default. Should the following entry be added manually to whitelist this endpoint? http.authorizeRequests().antMatchers("/oauth/check_token").permitAll(); This will make this endpoint accessible to all, is this the desired behavior? Or am I missing something. Thanks in

I have the in memory thing working as follows: @Override public void configure(ClientDetailsServiceConfigurer clients) throws Exception { clients.inMemory() .withClient("clientapp") .authorizedGrantTypes("password", "refresh_token") .authorities("USER") .scopes("read", "write") .resourceIds(RESOURCE_ID) .secret("123456"); } I would like to use the JDBC implementation. For this, I have created the following tables (using MySQL): -- Tables for OAuth token store CREATE TABLE oauth_client_details ( client_id VARCHAR(255) PRIMARY KEY, resource_ids VARCHAR(255), client_secret VARCHAR(255), scope

I'm attempting to implement an API with resources that are protected by either Oauth2 OR Http-Basic authentication. When I load the WebSecurityConfigurerAdapter which applies http-basic authentication to the resource first, Oauth2 token authentication is not accepted. And vice-versa. Example configurations: This applies http-basic authentication to all /user/** resources @Configuration @EnableWebMvcSecurity public class WebSecurityConfig extends WebSecurityConfigurerAdapter { private LoginApi loginApi; @Autowired public void setLoginApi(LoginApi loginApi) { this.loginApi = loginApi; }

I'm trying to configure an authorization server with spring-security-oauth2 and jwt. My main : @SpringBootApplication @EnableResourceServer public class Application { public static void main(String[] args) { SpringApplication.run(Application.class, args); } } My Security config : @Configuration @EnableGlobalMethodSecurity(prePostEnabled = true) public class SecurityConfig extends WebSecurityConfigurerAdapter { @Override @Bean public AuthenticationManager authenticationManagerBean() throws Exception { return super.authenticationManagerBean(); } @Override protected void configure(HttpSecurity