Spring-security-oauth: Custom AuthenticationEntryPoint not set on BasicAuthenticationFilter

Created on 8 Jun 2015  路  18Comments  路  Source: spring-projects/spring-security-oauth

I am trying to use a custom AuthenticationEntryPoint for Authorization Server / provider. I tried to set it using the Configurer as follows:

@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter{
    ...
    @Autowired
    MyBasicAuthenticationEntryPoint myBasicAuthenticationEntryPoint;

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
        security.authenticationEntryPoint(myBasicAuthenticationEntryPoint);
    }
    ...
}

I tried stepping through the code. If I use invalid credentials to obtain a token, I notice that a DelegatingAuthenticationEntryPoint is invoked which in turn invokes an instance of default BasicAuthenticationEntryPoint (instead of my version of the same).

Sample code in github. Relevant AuthorizationServer configuration here

I also noticed that there's a somewhat similar issue open in github

The type of entry point doesn't matter. I tried something similar with a class that extends OAuth2AuthenticationEntryPoint but same behavior.

enhancement

Most helpful comment

Hello

I've using spring-security-oauth2 2.2.0.RELEASE.
The custom AuthenticationEntryPoint is also not available when allowFormAuthenticationForClients is set in the AuthorizationServer configuration.

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
        //authEntryPoint is my custom AuthenticationEntryPoint
        security.allowFormAuthenticationForClients().authenticationEntryPoint(authEntryPoint);
    }

With this flag I can avoid BasicAuthenticationFilter issue for bad credential, but my custom authentication entry point still not be processed due to the ClientCredentialsTokenEndpointFilter in AuthorizationServerSecurityConfigurer

    @Override
    public void configure(HttpSecurity http) throws Exception {
                ...
        if (allowFormAuthenticationForClients) {
            clientCredentialsTokenEndpointFilter(http);
        }
                ...
    }

That function creates ClientCredentialsTokenEndpointFilter with hard-coded Oauth2AuthenticationEntryPoint.
So I cannot get my customized error message for wrong client_id or secret with client_credentials.

    private ClientCredentialsTokenEndpointFilter clientCredentialsTokenEndpointFilter(HttpSecurity http) {
                ...
        OAuth2AuthenticationEntryPoint authenticationEntryPoint = new OAuth2AuthenticationEntryPoint();
        authenticationEntryPoint.setTypeName("Form");
        authenticationEntryPoint.setRealmName(realm);
        clientCredentialsTokenEndpointFilter.setAuthenticationEntryPoint(authenticationEntryPoint);
                ...
    }

Is there any workaround or plan to fix this issue?

Thanks and regards,
Changgyun

All 18 comments

Which grant type are you using, and which credentials are wrong (the client or the user)?

Issue #112 is unrelated (it's about OAuth1).

I am using client credentials grant. In the sample code I posted, valid credentials for obtaining a bearer token are "my-client-with-secret:secret". When I intentionally pass incorrect credentials, the authorization server doesn't seem to trigger my custom basic authentication endpoint.

My goal is to customize the format of the error messages. I am able to do that with the Resource Server by doing something similar.

I have the same issue. The AuthorizationServer uses BasicAuthenticationFilter and I don't know how to set my custom AuthenticationEntryPoint. I'm using grant_type: password and I send the client_id and client_secret as an Authorization header.Using this setup only works when ClientDetails are sent as parameters and not as Authorization header. What is the right way to solve this?

+1
Is there any workaround?

Hello

I've using spring-security-oauth2 2.2.0.RELEASE.
The custom AuthenticationEntryPoint is also not available when allowFormAuthenticationForClients is set in the AuthorizationServer configuration.

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
        //authEntryPoint is my custom AuthenticationEntryPoint
        security.allowFormAuthenticationForClients().authenticationEntryPoint(authEntryPoint);
    }

With this flag I can avoid BasicAuthenticationFilter issue for bad credential, but my custom authentication entry point still not be processed due to the ClientCredentialsTokenEndpointFilter in AuthorizationServerSecurityConfigurer

    @Override
    public void configure(HttpSecurity http) throws Exception {
                ...
        if (allowFormAuthenticationForClients) {
            clientCredentialsTokenEndpointFilter(http);
        }
                ...
    }

That function creates ClientCredentialsTokenEndpointFilter with hard-coded Oauth2AuthenticationEntryPoint.
So I cannot get my customized error message for wrong client_id or secret with client_credentials.

    private ClientCredentialsTokenEndpointFilter clientCredentialsTokenEndpointFilter(HttpSecurity http) {
                ...
        OAuth2AuthenticationEntryPoint authenticationEntryPoint = new OAuth2AuthenticationEntryPoint();
        authenticationEntryPoint.setTypeName("Form");
        authenticationEntryPoint.setRealmName(realm);
        clientCredentialsTokenEndpointFilter.setAuthenticationEntryPoint(authenticationEntryPoint);
                ...
    }

Is there any workaround or plan to fix this issue?

Thanks and regards,
Changgyun

+1
Is there a solution for this issue ?

+1
Please fix

+1
I faced with the same problem.
No solution yet?

+1
I have three days trying to implement custom response with exactly the same scenario @ChanggyunCho describes.
Please provide a solution.
Regards.

+1
I have the same problem! Is there a solution?

It's been more than an year. Any solutions to this? Why would the AuthenticationEntryPoint be hard-coded in the AuthorizationServerSecurityConfigurer.clientCredentialsTokenEndpointFilter?

If an AuthenticationEntryPoint is supplied via AuthorizationServerSecurityConfigurer.authenticationEntryPoint() than it's associated with the ExceptionTranslationFilter. However, it also needs to be associated with the BasicAuthenticationFilter, as this is the filter that handles client authentication when the client attempts to authenticate using HTTP Basic.

As a temporary workaround, here is a sample that demonstrates how you can set a custom AuthenticationEntryPoint with the BasicAuthenticationFilter in order to have the ability to customize the response for a failed client authentication.

Take a look at the AuthorizationServerConfigurerAdapter and specifically this line for the workaround.

Apologies for the delay here but this is now in master.

+1

I have the same problem! Is there a solution?

@ChanggyunCho
My problem is the same as yours, can you tall me how did you solve it?

@ChanggyunCho
My problem is the same as yours, can you tall me how did you solve it?

+1
How to do ?

@jgrandja Hello, I still have the same problem! Which version has solved? My dependency pom id

<dependency>
          <groupId>org.springframework.cloud</groupId>
           <artifactId>spring-cloud-starter-oauth2</artifactId>
           <version> 2.1.3.RELEASE</version>
 </dependency>

please let me know, thanks a lot.

hi, I am having the same problem with ClientCredentialsTokenEndpointFilter, since the AuthenticationEntryPoint is hardcoded in the code AuthorizationServerSecurityConfigurer.java

private ClientCredentialsTokenEndpointFilter clientCredentialsTokenEndpointFilter(HttpSecurity http) {
            ...
    **OAuth2AuthenticationEntryPoint authenticationEntryPoint = new OAuth2AuthenticationEntryPoint();**

Please fix it, I am using spring-security-oauth2-2.3.6.RELEASE.jar, thanks.

Was this page helpful?
0 / 5 - 0 ratings