OAuth2 - Status 401 on OPTIONS request while retrieving TOKEN

Question

Our stack uses Backbone as our client-side app and Spring Boot as a RESTful API.

We're trying to make basic authentication using OAuth2 with user providing username and password.

We use Spring Security for authentication and jQuery $.ajax method for making requests. However the response we get is 401(unauthorized) status on preflight OPTIONS request before we can even POST header with our secret to authorize. However we can POST or GET any other resource without any problems. Server response for OPTIONS request is 200(ok) and then it follows up with POST request.

So why is that an OPTIONS request from /oauth/token responses with 401 status even when it shouldn't? It won't let us authorize ourselves because it get's stuck at OPTIONS request in which we can't add authorization header.

This is how we handle requests on front-end:

                $.ajax({
                url: "http://localhost:8080/oauth/token",
                type: "POST",
                beforeSend: function(xhr) { 
                    xhr.setRequestHeader("Authorization", "Basic Y2xpZW50YXBwOjEyMzQ1Ng==");
                },
                data: {
                    password: "qwerty",
                    username: "jkowalski",
                    grant_type: "password"
                }
            });

This is our OAuth2 config:

@Configuration
public class OAuth2ServerConfiguration {

private static final String RESOURCE_ID = "restservice";

@Configuration
@EnableResourceServer
protected static class ResourceServerConfiguration extends
        ResourceServerConfigurerAdapter {

    [...]

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.csrf().disable();

        http
        .authorizeRequests()
            .anyRequest().permitAll();
    }

}

[...]

@Configuration
@EnableAuthorizationServer
protected static class OAuth2AuthorizationConfig extends
        AuthorizationServerConfigurerAdapter {

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        // @formatter:off
        clients
            .inMemory()
                .withClient("clientapp")
                    .authorizedGrantTypes("password", "refresh_token")
                    .authorities("USER","ADMIN")
                    .scopes("read", "write")
                    .resourceIds(RESOURCE_ID)
                    .secret("123456");
        // @formatter:on
    }

[...]
}

Answer 1

I can just answer your questions in theory:

So why is that an OPTIONS request from /oauth/token responses with 401 status even when it shouldn't? It won't let us authorize ourselves because it get's stuck at OPTIONS request in which we can't add authorization header.

This is because the default configuration of the AuthServer is to allow only a fully authenticated request at the token endpoint.

In your Resource server, you allow all requests to happen without authentication with this: http.authorizeRequests().anyRequest().permitAll();

I tried to solve this circumstance like mentioned here, but I couldn't get that working for me.

Just for completeness I also mention here, that you have to add a CorsFilter to add the correct Headers to the OPTIONS preflight request.

I also asked a very similar question, so maybe if mine gets answered, you are capable of solving your problem as well with these informations.