Comments (7)
Hi
Probably would be helpful if you sent error messages, but my guess would be that your CSRF token error on the POST request is from the client-side authentication on the client side before you even try to authorize with the OAuth authorization server. What happens if you disable csrf() token on your web security configuration on the OAuth client?
I mean precisely this paragraph
"Also, for the following to work, you will need to setup normal Spring Security and have a login page so that the end user can login with his credential at the oauth2 server so that he can approve the client for accessing the resource on his behalf. For example, as shown in the codes here."
Let's say I go to :
http://localhost:8080/oauth/authorize?response_type=code&client_id=clientapp&redirect_url=http://client_host?key=value&scope=read
I get redirected to /login, which is not mapped, so I get this error:
Whitelabel Error Page
This application has no explicit mapping for /error, so you are seeing this as a fallback.
Thu Jul 16 20:58:33 EDT 2015
There was an unexpected error (type=Not Found, status=404).
Not Found
If I use the POST, the first time I get a 403 error regarding the CSRF:
There was an unexpected error (type=Forbidden, status=403).
Expected CSRF token not found. Has your session expired?
Any other subsequent time, I get this:
There was an unexpected error (type=Forbidden, status=403).
Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'.
I'm wondering why the redirection in the first place. I noticed it only happens when a WebSecurity @Configuration is there (extending the WebSecurityConfigurerAdapter).
Hi
You are redirected to login because it is basically how OAuth works.
In order to be authenticated by the OAuth server you have to be authenticated on the client side first in your case. How do you set your web security configuration? Your error has nothing to do with OAuth. You are not reaching the OAuth server yet.
Look at Roy's example and curl requests: he posts in his curl username and password and they are verified by web security, and after positive verification you reach the desired link on OAuth, which is oauth/authorize.
I do not see your configuration so it is hard to be just guessing, especially as you say you are mixing two approaches, but CSRF is not checked by the OAuth server, only by the client.
And how do you form your post request? Use curl, it is the best, I had problems with a lot of POST app clients.
Ok, I think I missed one of the core principles of the exchange. When you are redirected to /oauth/authorize, as a user, you must be logged in because you need to give permission to the client so it can access your data. The only way an authorization code is generated is if the user is logged in and grants permission to the client.
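The sequence worked out in the thread (unauthenticated user is sent to /login, the consent POST must carry the session's CSRF token, and a code is minted only after an authenticated user approves) as a constructed model of an RFC 6749 authorization endpoint. This is an added example, not Spring Security OAuth's code or the project's own; the client registration, the `approve` form field and the `/login` and callback paths are assumptions, while the `_csrf` field name follows the error message quoted above.

```python
# Constructed model of an OAuth 2.0 authorization endpoint (RFC 6749, section 4.1).
# Added example; it is not Spring Security OAuth code and omits real session handling.
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import urlencode

# Assumed client registration. redirect_uri is matched exactly against it and never
# taken on trust from the request.
REGISTERED_CLIENTS = {
    "clientapp": {"redirect_uri": "http://client_host/callback", "scopes": {"read"}},
}


@dataclass
class Session:
    """Server-side session: who is logged in, and the CSRF token bound to that session."""
    user: Optional[str] = None
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(16))


@dataclass
class Response:
    status: int
    location: Optional[str] = None  # set on 302 redirects
    body: str = ""


# Authorization codes issued so far, keyed by code (a real server makes them single use).
ISSUED_CODES: Dict[str, dict] = {}


def authorize(method: str, params: dict, session: Session,
              form: Optional[dict] = None) -> Response:
    """Handle one GET or POST request to /oauth/authorize."""
    # 1. No logged-in resource owner means nobody can grant consent yet, so redirect
    #    to the login page. This happens before any OAuth parameter is looked at.
    if session.user is None:
        return Response(302, location="/login")

    # 2. Validate the client and its redirect_uri against the registration. On failure
    #    respond directly: redirecting to an unregistered URI would hand the code away.
    client = REGISTERED_CLIENTS.get(params.get("client_id", ""))
    if client is None or params.get("redirect_uri") != client["redirect_uri"]:
        return Response(400, body="invalid client_id or redirect_uri")
    redirect_uri = client["redirect_uri"]
    state = params.get("state")

    def redirect_back(query: dict) -> Response:
        # Echo state unchanged so the client can tie the response to its request.
        if state is not None:
            query["state"] = state
        return Response(302, location=f"{redirect_uri}?{urlencode(query)}")

    if params.get("response_type") != "code":
        return redirect_back({"error": "unsupported_response_type"})
    scope = set(params.get("scope", "").split())
    if not scope or not scope <= client["scopes"]:
        return redirect_back({"error": "invalid_scope"})

    # 3. GET renders the consent page; the CSRF token is embedded in the form so the
    #    approval POST can send it back.
    if method == "GET":
        return Response(200, body=(f"approve {params['client_id']} for "
                                   f"{' '.join(sorted(scope))}? _csrf={session.csrf_token}"))

    # 4. POST is the approval. It changes state, so it must carry the session's CSRF
    #    token; a missing or stale token yields the 403 quoted in the thread.
    form = form or {}
    if form.get("_csrf") != session.csrf_token:
        return Response(403, body="Invalid CSRF token")
    if form.get("approve") != "true":
        return redirect_back({"error": "access_denied"})

    # 5. Only now, with an authenticated user who approved, is an authorization code
    #    minted and bound to that user, client and scope.
    code = secrets.token_urlsafe(24)
    ISSUED_CODES[code] = {"client_id": params["client_id"], "user": session.user,
                          "scope": sorted(scope)}
    return redirect_back({"code": code})
```

Walking a fresh `Session()` through `authorize("GET", ...)` yields the 302 to `/login`; after `session.user` is set, the GET returns the consent page, a POST without `_csrf` returns 403, and a POST carrying the session's token with `approve=true` redirects to the registered callback with `code=` and the echoed `state`.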
Thanks again, sorry for that, the mistake is on my side!
@mariubog thanks for all the help replying to questions!