Baeldung / spring-security-oauth

Getting Started with Spring Security OAuth:
http://bit.ly/github-lsso
MIT License
1.99k stars 1.95k forks

OAuth Legacy Example - grant_type 'password' and 'client_credentials' not work for fetching the resource #187

Closed d3minem closed 4 years ago

d3minem commented 4 years ago

Issue 71 - Not sure if it's the same issue, but I'm having the problem with both password and client_credentials grant types.

Authorisation Server - Legacy

I'm using Postman, and according to the above grant types flow I made the request for the access token using oauth/token. Please see the curl below:

curl --location --request POST 'http://localhost:9081/spring-legacy-oauth-server/oauth/token' \
--header 'Content-type: application/x-www-form-urlencoded; charset=utf-8' \
--header 'Authorization: Basic Zm9vQ2xpZW50SWRQYXNzd29yZDpzZWNyZXQ=' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Cookie: JSESSIONID=631BEFD653E7D551225194C1A865CC34' \
--data-urlencode 'username=admin' \
--data-urlencode 'password=nimda' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'scope=foo' \
--data-urlencode 'client_id=fooClientIdPassword'

By using the above curl, I was able to get the access token for both grant types.

Grant Type: Password

{
    "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX25hbWUiOiJhZG1pbiIsInNjb3BlIjpbImZvbyJdLCJvcmdhbml6YXRpb24iOiJhZG1pbklZUEIiLCJleHAiOjE1ODcyMjg5NzQsImF1dGhvcml0aWVzIjpbIlJPTEVfQURNSU4iXSwianRpIjoiZWNiMmE2MzctNTQ0Zi00ZTIzLWJjM2ItNzc0NDVlNjI5YjlmIiwiY2xpZW50X2lkIjoiZm9vQ2xpZW50SWRQYXNzd29yZCJ9.ZfGtg0OoI1WbS-iYVLaLKuA3NUdIUSUOFXNx8vzQquA",
    "token_type": "bearer",
    "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX25hbWUiOiJhZG1pbiIsInNjb3BlIjpbImZvbyJdLCJvcmdhbml6YXRpb24iOiJhZG1pbklZUEIiLCJhdGkiOiJlY2IyYTYzNy01NDRmLTRlMjMtYmMzYi03NzQ0NWU2MjliOWYiLCJleHAiOjE1ODk4MTczNzQsImF1dGhvcml0aWVzIjpbIlJPTEVfQURNSU4iXSwianRpIjoiYjdiYzMzNmYtMjFmNy00MTc1LTkzZjMtZjY5MDhhZjliOGQ2IiwiY2xpZW50X2lkIjoiZm9vQ2xpZW50SWRQYXNzd29yZCJ9.5sJ1lXSd8m4oXj0WKmAr96RtJlkVOCnjBjhZrivKndY",
    "expires_in": 3599,
    "scope": "foo",
    "organization": "adminIYPB",
    "jti": "ecb2a637-544f-4e23-bc3b-77445e629b9f"
}

Grant Type: Client_Credentials

{
    "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzY29wZSI6WyJmb28iXSwib3JnYW5pemF0aW9uIjoiZm9vQ2xpZW50SWRQYXNzd29yZFFRQ2ciLCJleHAiOjE1ODcyMjkyMDMsImp0aSI6IjdlYzFhNTRlLTc0M2QtNDM1NC05MmM4LWNkYzY1NDQwNDViOCIsImNsaWVudF9pZCI6ImZvb0NsaWVudElkUGFzc3dvcmQifQ.e3sHnT3nVgpJ-LUZmendOaFlW9oWmG5m-pLbjj78ovU",
    "token_type": "bearer",
    "expires_in": 3599,
    "scope": "foo",
    "organization": "fooClientIdPasswordQQCg",
    "jti": "7ec1a54e-743d-4354-92c8-cdc6544045b8"
}

Now the problem: when I'm trying to access the /employee resource using the admin user admin/nimda or the simple user john/123 with the above retrieved access token, it always redirects me to the login page.

Request For Employee Resource:

curl --location --request GET 'http://localhost:9081/spring-legacy-oauth-server/employee?grant_type=client_credentials&response_type=token' \
--header 'grant_type: client_credentials' \
--header 'Content-Type: application/x-www-form-urlencoded; charset=utf-8' \
--header 'response_type: token' \
--header 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzY29wZSI6WyJmb28iXSwib3JnYW5pemF0aW9uIjoiZm9vQ2xpZW50SWRQYXNzd29yZFFRQ2ciLCJleHAiOjE1ODcyMjkyMDMsImp0aSI6IjdlYzFhNTRlLTc0M2QtNDM1NC05MmM4LWNkYzY1NDQwNDViOCIsImNsaWVudF9pZCI6ImZvb0NsaWVudElkUGFzc3dvcmQifQ.e3sHnT3nVgpJ-LUZmendOaFlW9oWmG5m-pLbjj78ovU' \
--header 'Cookie: JSESSIONID=F058C04FB269BFA091CF6941C278DFEE'

Output: Always redirects to the login page with success code 200.

Sticky Sessions:

I have another question - Why do we have sticky sessions, and how can we disable them on the authorization server? Do we really need them for REST APIs? I believe JWT or access_token management is the responsibility of thin clients, which send it along with each request (web or mobile).

http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)

or

http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS) // or SessionCreationPolicy.NEVER

I always see --header 'Cookie: JSESSIONID=F058C04FB269BFA091CF6941C278DFEE' when I request the resource, and it redirects to the login page. However, for oauth/token sticky sessions are disabled on the server side, and I don't see that cookie being set by the server in the Postman client.

ghost commented 4 years ago

Hi @d3minem,

When you request the employee resource, you need not pass in the grant_type or response_type. That information is required at the first step when we need to get the token from the Authorization Server, as you were correctly able to get.

To perform a GET on the resource, you need to do this:

curl --request GET 'http://localhost:9081/spring-legacy-oauth-server/employee/{emp_email}' \
--header 'Accept: application/json;charset=UTF-8' \
--header 'Authorization: Bearer <your token>'

Hope this helps.
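The following script is an added example for readers of this thread; it is not code from the spring-security-oauth project or from either commenter. It decodes the two access tokens posted in the first comment (the signature is not verified, so this is for inspecting a token you already hold, not for trusting one), shows that the password-grant token carries user_name and authorities while the client_credentials token carries neither, checks the exp claim, and builds the resource-request headers the reply above recommends: only Accept and a Bearer Authorization header, with no Cookie and no grant_type or response_type. The function names and the fixed "now" timestamps used for the checks are this example's own choices.

```python
import base64
import json
import time

# Both access tokens are copied verbatim from the issue above: the first came
# from grant_type=password, the second from grant_type=client_credentials.
PASSWORD_GRANT_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJ1c2VyX25hbWUiOiJhZG1pbiIsInNjb3BlIjpbImZvbyJdLCJvcmdhbml6YXRpb24iOiJhZG1pbklZUEIiLCJleHAiOjE1ODcyMjg5NzQsImF1dGhvcml0aWVzIjpbIlJPTEVfQURNSU4iXSwianRpIjoiZWNiMmE2MzctNTQ0Zi00ZTIzLWJjM2ItNzc0NDVlNjI5YjlmIiwiY2xpZW50X2lkIjoiZm9vQ2xpZW50SWRQYXNzd29yZCJ9."
    "ZfGtg0OoI1WbS-iYVLaLKuA3NUdIUSUOFXNx8vzQquA"
)
CLIENT_CREDENTIALS_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzY29wZSI6WyJmb28iXSwib3JnYW5pemF0aW9uIjoiZm9vQ2xpZW50SWRQYXNzd29yZFFRQ2ciLCJleHAiOjE1ODcyMjkyMDMsImp0aSI6IjdlYzFhNTRlLTc0M2QtNDM1NC05MmM4LWNkYzY1NDQwNDViOCIsImNsaWVudF9pZCI6ImZvb0NsaWVudElkUGFzc3dvcmQifQ."
    "e3sHnT3nVgpJ-LUZmendOaFlW9oWmG5m-pLbjj78ovU"
)


def _b64url_decode(segment):
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt(token):
    """Return (header, claims) of a compact JWS.

    The signature is NOT verified here: this is for inspecting a token you
    already hold while debugging, never for deciding whether to trust one.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature, got %d segments" % len(parts))
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    return header, claims


def is_expired(claims, now=None):
    """True once the 'exp' claim (seconds since the epoch) has been reached."""
    now = time.time() if now is None else now
    return now >= claims["exp"]


def describe_token(token, now=None):
    """Summarise whom a token speaks for: a user (password grant) or only a client."""
    header, claims = decode_jwt(token)
    return {
        "alg": header.get("alg"),
        "client_id": claims.get("client_id"),
        "user_name": claims.get("user_name"),          # absent for client_credentials
        "authorities": claims.get("authorities", []),  # likewise absent
        "scope": claims.get("scope", []),
        "expired": is_expired(claims, now),
    }


def resource_request_headers(token):
    """Headers for a resource-server call, as in the reply above: just Accept and a
    Bearer Authorization header. No Cookie and no grant_type/response_type, which
    belong only to the token request on /oauth/token."""
    decode_jwt(token)  # fail early on something that is not a compact JWS
    return {
        "Accept": "application/json;charset=UTF-8",
        "Authorization": "Bearer " + token,
    }


if __name__ == "__main__":
    for name, tok in (("password", PASSWORD_GRANT_TOKEN),
                      ("client_credentials", CLIENT_CREDENTIALS_TOKEN)):
        print(name, json.dumps(describe_token(tok), indent=2))
```

Running it shows why "accessing /employee as admin" with the client_credentials token cannot work the way the first comment expects: that token has no user_name or authorities at all, only client_id and scope. Both tokens expired within an hour of being issued (exp is in April 2020), so any replay of them today would be rejected on expiry alone.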

d3minem commented 4 years ago

Hi @sampada07

Thanks for letting me know about this. That's right, this information should be shared on the first step, which basically gives the access token.

Thanks, Ad.

ghost commented 4 years ago

Glad to be of help!