spring-projects / spring-authorization-server

Spring Authorization Server
https://spring.io/projects/spring-authorization-server
Apache License 2.0

/oauth2/device_authorization not working #1583

Closed pengliaoye closed 2 months ago

pengliaoye commented 3 months ago

Describe the bug

/oauth2/device_authorization not invoked

OAuth2DeviceAuthorizationEndpointFilter runs after AuthorizationFilter. The AuthorizationFilter throws org.springframework.security.access.AccessDeniedException: Access Denied, so OAuth2DeviceAuthorizationEndpointFilter is never invoked.

To Reproduce

    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.core.annotation.Order;
    import org.springframework.http.MediaType;
    import org.springframework.security.config.Customizer;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
    import org.springframework.security.oauth2.server.authorization.config.annotation.web.configuration.OAuth2AuthorizationServerConfiguration;
    import org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.OAuth2AuthorizationServerConfigurer;
    import org.springframework.security.web.SecurityFilterChain;
    import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
    import org.springframework.security.web.util.matcher.MediaTypeRequestMatcher;

    @Configuration
    public class AuthorizationServerConfig {   // enclosing class name assumed; the issue shows only the beans

        // Chain 1: matches only the authorization server endpoints. applyDefaultSecurity sets the
        // securityMatcher to the endpoints matcher and requires authentication on every request it matches.
        @Bean
        @Order(1)
        public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http,
                OAuth2AuthorizationService authorizationService) throws Exception {

            OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http);
            http.getConfigurer(OAuth2AuthorizationServerConfigurer.class)
                    .deviceAuthorizationEndpoint(Customizer.withDefaults())
                    .oidc(Customizer.withDefaults());    // Enable OpenID Connect 1.0
            http
                    // Redirect to the login page when not authenticated from the
                    // authorization endpoint
                    .exceptionHandling((exceptions) -> exceptions
                            .defaultAuthenticationEntryPointFor(
                                    new LoginUrlAuthenticationEntryPoint("/login"),
                                    new MediaTypeRequestMatcher(MediaType.TEXT_HTML)
                            )
                    )
                    // Accept access tokens for User Info and/or Client Registration
                    .oauth2ResourceServer((resourceServer) -> resourceServer
                            .jwt(Customizer.withDefaults()));

            return http.build();
        }

        // Chain 2: everything the first chain does not match (application pages, login form).
        @Bean
        @Order(2)
        public SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http)
                throws Exception {
            http
                    .authorizeHttpRequests((authorize) -> authorize
                            // .requestMatchers("/").permitAll()
                            // .requestMatchers("/admin").hasAnyAuthority("")
                            // .requestMatchers("/user").hasAnyRole("")
                            .anyRequest().authenticated()
                    )
                    // Form login handles the redirect to the login page from the
                    // authorization server filter chain
                    .formLogin(Customizer.withDefaults())
                    .httpBasic(Customizer.withDefaults());

            return http.build();
        }
    }

Expected behavior

OAuth2DeviceAuthorizationEndpointFilter should be invoked.

Sample

A link to a GitHub repository with a minimal, reproducible sample.

Reports that include a sample will take priority over reports that do not. At times, we may require a sample, so it is good to try and include a sample up front.

jgrandja commented 2 months ago

Thanks for getting in touch, but questions are better suited to Stack Overflow. We prefer to use GitHub issues only for bugs and enhancements.

Please take a look at the Demo Sample as it provides a menu link to perform the device_code flow. Review the configuration and align it with your configuration.
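The Demo Sample the maintainer points to lets its public device client (one with no client secret) authenticate by client_id alone on the device-flow endpoints through a dedicated converter/provider pair. Without something of that kind, a client_id-only POST to /oauth2/device_authorization carries no client authentication at all, so AuthorizationFilter denies it before OAuth2DeviceAuthorizationEndpointFilter runs, which is one configuration gap consistent with the symptom reported above. The following is an added example of that approach, not the project's or the reporter's code; it assumes the device client is public, and the class names and hard-coded endpoint path are assumptions.

```java
// Added example (not from the issue or the project). Modelled on the demo sample's approach;
// the class names and the hard-coded endpoint path are assumptions.
import jakarta.servlet.http.HttpServletRequest;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientAuthenticationToken;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
import org.springframework.security.web.authentication.AuthenticationConverter;
public final class DeviceClientAuthentication {
    // Distinct token type: the provider below handles device-flow requests only and never
    // short-circuits the built-in PKCE check that other public-client requests must pass.
    public static class Token extends OAuth2ClientAuthenticationToken {
        Token(String clientId) { super(clientId, ClientAuthenticationMethod.NONE, null, null); }
        Token(RegisteredClient client) { super(client, ClientAuthenticationMethod.NONE, null); }
    }
    // Converts client_id-only requests to /oauth2/device_authorization or device_code token requests.
    public static final class Converter implements AuthenticationConverter {
        public Authentication convert(HttpServletRequest request) {
            boolean deviceAuthz = "/oauth2/device_authorization".equals(request.getRequestURI()); // no context path assumed
            boolean deviceToken = AuthorizationGrantType.DEVICE_CODE.getValue()
                    .equals(request.getParameter(OAuth2ParameterNames.GRANT_TYPE));
            String clientId = request.getParameter(OAuth2ParameterNames.CLIENT_ID);
            // Confidential clients (client_secret present) are left to the default converters.
            if (!(deviceAuthz || deviceToken) || clientId == null
                    || request.getParameter(OAuth2ParameterNames.CLIENT_SECRET) != null) {
                return null;
            }
            return new Token(clientId);
        }
    }
    // Accepts the token only if the registered client may use client authentication method "none".
    public static final class Provider implements AuthenticationProvider {
        private final RegisteredClientRepository clients;
        public Provider(RegisteredClientRepository clients) { this.clients = clients; }
        public Authentication authenticate(Authentication authentication) {
            RegisteredClient client = this.clients.findByClientId(authentication.getPrincipal().toString());
            if (client == null || !client.getClientAuthenticationMethods().contains(ClientAuthenticationMethod.NONE)) {
                throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_CLIENT);
            }
            return new Token(client); // authenticated: RegisteredClient is set
        }
        public boolean supports(Class<?> authentication) { return Token.class.isAssignableFrom(authentication); }
    }
}
```

Register both on the authorization server chain with `.clientAuthentication(c -> c.authenticationConverter(new DeviceClientAuthentication.Converter()).authenticationProvider(new DeviceClientAuthentication.Provider(registeredClientRepository)))` on the OAuth2AuthorizationServerConfigurer, and register the device client with ClientAuthenticationMethod.NONE and AuthorizationGrantType.DEVICE_CODE.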