Spring-security-oauth: REST POST data to /oauth/token endpoint in body with application/json ContentType and disable HTTP Basic Auth

Created on 3 Jul 2016  路  5Comments  路  Source: spring-projects/spring-security-oauth

Hi guys,
I have a two questions, but it is strongly related to each other.

I am starting with Spring OAuth2. So far so good, I have secured my app with the configuration. But I have an issue here, I can not use HTTP Basic Authorization in my client (but it does support it).

Is there a way how to disable HTTP Basic Auth for the /oauth/token endpoint? I would like to send the client_id and client_secret in the JSON body as well with the username and password (or at least with x-www-form-urlencoded ContentType). Is there a way how to make it happen with configuration by annotation?

curl examples I would like to work:

curl -X POST -H "Content-Type: application/json" -d '{
"username": "user",
"password": "pass",
"grant_type": "password",
"client_id": "test-client-id",
"client_secret": "test-client-secret"
}' "http://localhost:9999/api/oauth/token"

OR the cliend_id and client_secret in the headers.

curl -X POST -H "Content-Type: application/json" -H "X-Client-ID: test-client-id" -H "X-Client-Secret: test-client-secret" -d '{
"username": "user",
"password": "pass",
"grant_type": "password"
}' "http://localhost:9999/api/oauth/token"

Thanks a lot.

Most helpful comment

I finally figure it out. The way how to disable the HTTP Basich Auth is to enable a form authentication for clients. Just add those lines to your configuration.

@Configuration
@EnableAuthorizationServer
protected static class OAuth2Config extends AuthorizationServerConfigurerAdapter {
  @Override
  public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
    oauthServer.allowFormAuthenticationForClients();
  }
}

Now I am able to send successful request to TokenEndpoint like this:

curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d 'username=user_username&password=user_password&grant_type=password&client_id=your_trusted_client_id&client_secret=your_trusted_client_secret' "http://localhost:8080/oauth/token"

But there is still remaining the issue that I want to send data in json format. So the ContentType of my request will be application/json. Anyone have a solution for this?

All 5 comments

I finally figure it out. The way how to disable the HTTP Basich Auth is to enable a form authentication for clients. Just add those lines to your configuration.

@Configuration
@EnableAuthorizationServer
protected static class OAuth2Config extends AuthorizationServerConfigurerAdapter {
  @Override
  public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
    oauthServer.allowFormAuthenticationForClients();
  }
}

Now I am able to send successful request to TokenEndpoint like this:

curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d 'username=user_username&password=user_password&grant_type=password&client_id=your_trusted_client_id&client_secret=your_trusted_client_secret' "http://localhost:8080/oauth/token"

But there is still remaining the issue that I want to send data in json format. So the ContentType of my request will be application/json. Anyone have a solution for this?

Looks like it only accepts ContentType as x-www-form-urlencoded. I too look to send as json but no luck so far.

Yes x-www-form-urlencoded is based on the OAuth2 specification. But I have figure it out with some help on StackOverflow. You can see the solution here:
http://stackoverflow.com/questions/38165131/spring-security-oauth2-accept-json/38284206#38284206

Is there any way to Get the response in application/json by default. Actuallly I've integrated OAuth2 in my application and inject a (jackson-dataformat-xml) dependecy to produce the result in xml.
I have also used "configureContentNegotiation" to set default Accept type header in json.
Now My oauth2 layer is above the controller layer. So I am unable to get the response in json by default. I is producing result in xml.
Let me know If anyonw have any idea about, how I can set the value of which will geneate the response in json by default.
Thanks in advance.

```shell
curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d 'username=user_username&password=user_password&grant_type=password&client_id=your_trusted_client_id&client_secret=your_trusted_client_secret' "http://localhost:8080/oauth/token"

```

On Using :
oauthServer.allowFormAuthenticationForClients();
I am getting :

2{"error":"unauthorized","error_description":"Error creating bean with name 'scopedTarget.clientDetailsService' defined in org.springframework.security.oauth2.config.annotation.configuration.ClientDetailsServiceConfiguration: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.springframework.security.oauth2.provider.ClientDetailsService]: Factory method 'clientDetailsService' threw exception; nested exception is java.lang.UnsupportedOperationException: Cannot build client services (maybe use inMemory() or jdbc())."}

Was this page helpful?
0 / 5 - 0 ratings