Summary
I'm trying to develop a resource server that provides APIs that will be consumed by various applications. I'm using the Java Spring Boot OAuth 2.0 framework. The applications are web applications that are typical OpenID Connect compliant web applications that will go through the /oauth/authorize endpoint using the authorization code flow. When the authorization is granted, the authorization server returns an access token to the application. The application then uses the access token to access a protected resource (like an API).
I followed the sample from the link below:
https://github.com/spring-projects/spring-security-oauth2-boot/tree/master/samples/spring-boot-sample-secure-oauth2-resource-jwt
Actual Behavior
Whenever I call the API using Postman, passing the AccessToken in the Authorization header, I get an invalid_token error. Below is a snippet of the log:
2020-04-10 18:25:41.201 DEBUG 17944 --- [nio-8080-exec-9] p.a.OAuth2AuthenticationProcessingFilter : Authentication request failed: error="invalid_token", error_description="Invalid access token: eyJraWQiOiJSYkdNM1JkMmZRcXUrZzhxRWdiVHF1dFV0RG9hZVVHZXVjTXdlaUY2aGNNPSIsImFsZyI6IlJTMjU2In0.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.F2zbCY1p2DmwcW0QGH8WgMN1uKhNR6BXWCVRj5VgRLQGkGVUX7CfBWqzUFW0xuU3vw5uLuPG_ajNykUrh70nO9y9Qyph7ZKJZsZIl8iVAWRBK-V-qvQ5CL2Gn0Dtvz9YHRPT0DwyFqQ27TdkjOGRogflSb43W9xVp320L7D2OM5gBE5t-RAE3DWxjb9Z7pvmsjpznY6ecnVJfOmitJpwUf8_wjoq0AyP8CX34zbQBGsHC_NExOgWEq-iuYol8j-UijUDTkn7HBQD4Cs-XvXSKuCxla2hYlLeXH1WRbOWDd3Yb8c2gTTqtmoKbWJGMir2_uhCmHHGf09Bw7Fbu50Aow"
2020-04-10 18:25:41.202 DEBUG 17944 --- [nio-8080-exec-9] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@62ab3b4e
2020-04-10 18:25:41.204 DEBUG 17944 --- [nio-8080-exec-9] s.s.o.p.e.DefaultOAuth2ExceptionRenderer : Written [error="invalid_token", error_description="Invalid access token: eyJraWQiOiJSYkdNM1JkMmZRcXUrZzhxRWdiVHF1dFV0RG9hZVVHZXVjTXdlaUY2aGNNPSIsImFsZyI6IlJTMjU2In0.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.F2zbCY1p2DmwcW0QGH8WgMN1uKhNR6BXWCVRj5VgRLQGkGVUX7CfBWqzUFW0xuU3vw5uLuPG_ajNykUrh70nO9y9Qyph7ZKJZsZIl8iVAWRBK-V-qvQ5CL2Gn0Dtvz9YHRPT0DwyFqQ27TdkjOGRogflSb43W9xVp320L7D2OM5gBE5t-RAE3DWxjb9Z7pvmsjpznY6ecnVJfOmitJpwUf8_wjoq0AyP8CX34zbQBGsHC_NExOgWEq-iuYol8j-UijUDTkn7HBQD4Cs-XvXSKuCxla2hYlLeXH1WRbOWDd3Yb8c2gTTqtmoKbWJGMir2_uhCmHHGf09Bw7Fbu50Aow"] as "application/json" using [org.springframework.http.converter.json.MappingJackson2HttpMessageConverter@bbb3b9a]
2020-04-10 18:25:41.204 DEBUG 17944 --- [nio-8080-exec-9] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
Expected Behavior
Upon calling the API by passing the AccessToken in the HTTP header, I expect the API to be called successfully, because the AccessToken itself is valid when I decode it offline using the debugger at https://jwt.io/#debugger-io
Configuration
Below are the application properties I'm using in the resource server:
spring.security.oauth2.resourceserver.jwt.jws-algorithm=RS256
spring.security.oauth2.resourceserver.jwt.issuer-uri=
Version
<parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.2.6.RELEASE</version>
    <relativePath/> <!-- lookup parent from repository -->
</parent>
<dependencies>
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-jwt</artifactId>
        <version>1.1.0.RELEASE</version>
    </dependency>
    <dependency>
        <groupId>org.springframework.security.oauth.boot</groupId>
        <artifactId>spring-security-oauth2-autoconfigure</artifactId>
        <version>2.1.8.RELEASE</version>
    </dependency>
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-oauth2-jose</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
        <exclusions>
            <exclusion>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-starter-logging</artifactId>
            </exclusion>
        </exclusions>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web-services</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-test</artifactId>
        <scope>test</scope>
        <exclusions>
            <exclusion>
                <groupId>org.junit.vintage</groupId>
                <artifactId>junit-vintage-engine</artifactId>
            </exclusion>
        </exclusions>
    </dependency>
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-test</artifactId>
        <scope>test</scope>
    </dependency>
</dependencies>
Sample
From an API standpoint, these are REST APIs exposed using the @RestController annotation, like below:
@RestController
@RequestMapping("/myapi")
The main class is as follows:
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;

@SpringBootApplication
@EnableResourceServer
public class myApplication {
    public static void main(String[] args) {
        SpringApplication.run(myApplication.class, args);
    }
}
and the class that extends ResourceServerConfigurerAdapter:
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;

@Configuration
public class OAuth2ResourceServer extends ResourceServerConfigurerAdapter {
    private static final String RESOURCE_ID = "resource-server-rest-api";

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        // Resource id this server expects to find among the token's audiences.
        resources.resourceId(RESOURCE_ID);
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        // "/" is open; everything under /myapi requires an authenticated bearer token.
        http
            .authorizeRequests()
                .antMatchers("/").permitAll()
                .antMatchers("/myapi/**").authenticated();
    }
}
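For comparison, an added example that is not code from this issue or from the linked Spring sample: the spring.security.oauth2.resourceserver.jwt.* properties listed above are read by Spring Security 5's built-in resource-server support, whereas @EnableResourceServer, ResourceServerConfigurerAdapter and the OAuth2AuthenticationProcessingFilter seen in the log belong to the legacy spring-security-oauth2 stack, which does not use those properties. The class below replaces the ResourceServerConfigurerAdapter with the Spring Security 5 equivalent for the same "/" and "/myapi/**" rules and additionally checks the token's aud claim against the page's RESOURCE_ID. It assumes spring-security-oauth2-resource-server is on the classpath next to the listed spring-security-oauth2-jose, that the empty issuer-uri property is filled in, and that the authorization server places resource-server-rest-api in the aud claim.

```java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.core.*;
import org.springframework.security.oauth2.jwt.*;

// Added example: Spring Security 5 resource server on the Boot 2.2.x / Security 5.2.x APIs.
@Configuration
@EnableWebSecurity
public class Oauth2ResourceServerExample extends WebSecurityConfigurerAdapter {
    private static final String RESOURCE_ID = "resource-server-rest-api";
    // Assumed to be filled in application.properties (the issue leaves it empty).
    @Value("${spring.security.oauth2.resourceserver.jwt.issuer-uri}")
    private String issuerUri;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/").permitAll()
                .antMatchers("/myapi/**").authenticated()
            .and()
            .oauth2ResourceServer().jwt(); // bearer JWTs, verified by the JwtDecoder bean below
    }

    @Bean
    public JwtDecoder jwtDecoder() {
        // Reads the issuer's OIDC discovery document and JWK Set; signatures are checked against those keys.
        NimbusJwtDecoder decoder = (NimbusJwtDecoder) JwtDecoders.fromOidcIssuerLocation(issuerUri);
        // Defaults cover exp/nbf and iss; add an aud check so tokens minted for another
        // resource server at the same issuer are rejected too.
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<Jwt>(
                JwtValidators.createDefaultWithIssuer(issuerUri), new AudienceValidator(RESOURCE_ID)));
        return decoder;
    }

    // Assumes the authorization server places RESOURCE_ID in the token's aud claim.
    static final class AudienceValidator implements OAuth2TokenValidator<Jwt> {
        private final String audience;
        AudienceValidator(String audience) { this.audience = audience; }

        @Override
        public OAuth2TokenValidatorResult validate(Jwt jwt) {
            // getAudience() is null when the claim is absent; treat that as a failure, not an NPE.
            if (jwt.getAudience() != null && jwt.getAudience().contains(audience)) {
                return OAuth2TokenValidatorResult.success();
            }
            return OAuth2TokenValidatorResult.failure(
                    new OAuth2Error("invalid_token", "required audience " + audience + " is missing", null));
        }
    }
}
```

With this class in place, @EnableResourceServer and the spring-security-oauth2-autoconfigure dependency are no longer needed for the resource server side.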
Comment From: rwinch
Thanks for getting in touch, but it feels like this is a question that would be better suited to Stack Overflow. As mentioned in the guidelines for contributing, we prefer to use GitHub issues only for bugs and enhancements. Feel free to update this issue with a link to the re-posted question (so that other people can find it) or add some more details if you feel this is a genuine bug.
Comment From: pamujs
Thank you for your response. Agreed, this might be better suited for Stack Overflow. Thinking the same, I did open the issue there also: https://stackoverflow.com/questions/61149407/how-to-develop-resource-server-in-oauth2-0-using-java-spring-boot-framework
Since the Spring framework supports OAuth 2.0, I thought the samples should cover the basic things like developing a resource server. I was actually referring to https://github.com/spring-projects/spring-security-oauth2-boot/tree/master/samples/spring-boot-sample-secure-oauth2-resource-jwt, but this doesn't seem to work.