
Comments (7)

mariubog avatar mariubog commented on September 26, 2024

Hi
It would probably help if you posted the error messages, but my guess is that your CSRF token error on the POST request comes from client-side authentication, before you even try to authorize with the OAuth authorization server. What happens if you disable csrf() in the web security configuration of your OAuth client?
I mean precisely this paragraph:
"Also, for the following to work, you will need to setup normal Spring Security and have a login page so that the end user can login with his credential at the oauth2 server so that he can approve the client for accessing the resource on his behalf. For example, as shown in the codes here."

from spring-rest-service-oauth.

daddykotex avatar daddykotex commented on September 26, 2024

Let's say I go to:
http://localhost:8080/oauth/authorize?response_type=code&client_id=clientapp&redirect_url=http://client_host?key=value&scope=read

I get redirected to /login, which is not mapped, so I get this error:

Whitelabel Error Page

This application has no explicit mapping for /error, so you are seeing this as a fallback.
Thu Jul 16 20:58:33 EDT 2015
There was an unexpected error (type=Not Found, status=404).
Not Found

If I use the POST, the first time I get a 403 error regarding the CSRF:

There was an unexpected error (type=Forbidden, status=403).
Expected CSRF token not found. Has your session expired?

Any subsequent time, I get this:

There was an unexpected error (type=Forbidden, status=403).
Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'.


daddykotex avatar daddykotex commented on September 26, 2024

I'm wondering why the redirection in the first place. I noticed it only happens when a WebSecurity @Configuration is there (extending the WebSecurityConfigurerAdapter).


mariubog avatar mariubog commented on September 26, 2024

Hi
You are redirected to login because that is basically how OAuth works.
In order to be authenticated by the OAuth server you have to be authenticated on the client side first, in your case. How do you set up your web security configuration? Your error has nothing to do with OAuth; you are not reaching the OAuth server yet.
Look at Roy's example and curl requests: he posts his username and password in his curl call, they are verified by web security, and after positive verification you reach the desired link on OAuth, which is oauth/authorize.
I do not see your configuration, so it is hard to just guess, especially since you say you are mixing two approaches, but CSRF is not checked by the OAuth server, only by the client.
And how do you form your POST request? Use curl, it is the best; I had problems with a lot of POST app clients.


daddykotex avatar daddykotex commented on September 26, 2024

Ok, I think I missed one of the core principles of the exchange. When you are redirected to /oauth/authorize, as a user, you must be logged in because you need to give permission to the client so it can access your data. The only way an authorization code is generated is if the user is logged in and grants permission to the client.

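The thread's resolution in one configuration, as an added example (not code from the spring-rest-service-oauth project): the authorization server needs ordinary Spring Security with a login page so the user can authenticate before /oauth/authorize, and CSRF stays enabled. It assumes Spring Boot 1.x with Spring Security 4 and spring-security-oauth2 on the classpath; the class name and the in-memory user are hypothetical.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Hypothetical web security config for the OAuth2 authorization server.
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    public void globalUserDetails(AuthenticationManagerBuilder auth) throws Exception {
        // Demo-only in-memory user (constructed for this example); a real
        // deployment backs this with a proper UserDetailsService.
        auth.inMemoryAuthentication()
            .withUser("user").password("password").roles("USER");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Every request, /oauth/authorize included, requires a logged-in user;
            // an anonymous browser hitting it is redirected to /login.
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            // Declaring your own WebSecurityConfigurerAdapter switches off Spring
            // Boot's auto-configured login, which is why /login returned 404 in the
            // thread. formLogin() with no loginPage() restores Spring Security's
            // generated page at /login, so no controller or template is needed.
            .formLogin()
                .and()
            // CSRF protection stays on (the default). The 403 "Expected CSRF token
            // not found" on a hand-made POST is the filter working as intended:
            // the generated login form and the consent page carry the token.
            .csrf();
    }

    @Override
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        // Exposed so the OAuth2 authorization server config can inject it.
        return super.authenticationManagerBean();
    }
}
```

With this in place, a browser visiting /oauth/authorize is sent to /login, authenticates, and is then shown the consent page whose POST includes the CSRF token; only after approval is an authorization code issued to the redirect URI.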

daddykotex avatar daddykotex commented on September 26, 2024

Thanks again, sorry for that, the mistake is on my side!


royclarkson avatar royclarkson commented on September 26, 2024

@mariubog thanks for all the help replying to questions!
