When I made a simple authorization server with the org.springframework.security:spring-security-oauth2-authorization-server:1.2.2 library, I found the documentation at https://docs.spring.io/spring-authorization-server/reference and tried to follow it.
```java
import java.time.Duration;
import java.util.UUID;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.security.oauth2.server.authorization.InMemoryOAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.client.InMemoryRegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.OAuth2AuthorizationServerConfigurer;
import org.springframework.security.oauth2.server.authorization.settings.AuthorizationServerSettings;
import org.springframework.security.oauth2.server.authorization.settings.ClientSettings;
import org.springframework.security.oauth2.server.authorization.settings.TokenSettings;
import org.springframework.security.oauth2.server.authorization.token.OAuth2AccessTokenGenerator;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfiguration {

    // Application chain: no securityMatcher and no @Order, so it is a candidate for every request.
    @Bean
    public SecurityFilterChain securityFilterChain( HttpSecurity http ) throws Exception {
        http
            .authorizeHttpRequests( ( authorize ) -> authorize
                .requestMatchers( "/oauth2/**" ).authenticated()
                .anyRequest().permitAll()
            )
            .httpBasic( Customizer.withDefaults() )
            .formLogin( Customizer.withDefaults() )
            .cors( httpSecurityCorsConfigurer -> httpSecurityCorsConfigurer.disable() )
            .csrf( httpSecurityCsrfConfigurer -> httpSecurityCsrfConfigurer.disable() );
        return http.build();
    }

    // Issuer and custom endpoint paths for the authorization server.
    @Bean
    public AuthorizationServerSettings authorizationServerSettings( ) {
        return AuthorizationServerSettings.builder()
            .issuer( "http://localhost:8000" )
            .tokenEndpoint( "/oauth2/v1/token" )
            .tokenIntrospectionEndpoint( "/oauth2/v1/verify" )
            .build();
    }

    @Bean
    public OAuth2AuthorizationService authorizationService() {
        return new InMemoryOAuth2AuthorizationService();
    }

    // Single in-memory client using client_secret_basic with three grant types.
    @Bean
    public RegisteredClientRepository registeredClientRepository() {
        RegisteredClient client = RegisteredClient.withId( UUID.randomUUID().toString() )
            .clientId( "user" )
            .clientSecret( "{noop}user" )
            .clientAuthenticationMethod( ClientAuthenticationMethod.CLIENT_SECRET_BASIC )
            .authorizationGrantType( AuthorizationGrantType.AUTHORIZATION_CODE )
            .authorizationGrantType( AuthorizationGrantType.CLIENT_CREDENTIALS )
            .authorizationGrantType( AuthorizationGrantType.REFRESH_TOKEN )
            .redirectUri( "http://localhost:8000/redirect" )
            .tokenSettings( TokenSettings.builder().accessTokenTimeToLive( Duration.ofDays( 1 ) ).build() )
            .clientSettings( ClientSettings.builder()
                .build() )
            .build();
        return new InMemoryRegisteredClientRepository( client );
    }

    // Authorization server chain: also has no securityMatcher and no @Order.
    @Bean
    public SecurityFilterChain authorizationServerSecurityFilterChain( HttpSecurity http ) throws Exception {
        OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
                new OAuth2AuthorizationServerConfigurer();
        http.apply( authorizationServerConfigurer );
        authorizationServerConfigurer
            .tokenEndpoint( Customizer.withDefaults() )
            .tokenGenerator( new OAuth2AccessTokenGenerator() )
            .authorizationServerSettings( authorizationServerSettings( ) )
            .registeredClientRepository( registeredClientRepository() )
            .authorizationService( authorizationService() );
        // .setBuilder( http );
        return http.build();
    }
}
```
Here is my configuration code. I checked that basic token authentication was applied, but when I called the token endpoint URL (http://localhost:8000/oauth2/v1/token) with grant_type = client_credentials, the server returned a 404 error. I couldn't find out why it returns a 404 error. Please let me know how to set the token URL. Here is my debug log:
2024-02-27T16:07:12.942+09:00 DEBUG 84973 --- [nio-8000-exec-8] o.s.security.web.FilterChainProxy : Securing POST /oauth2/v1/token
2024-02-27T16:07:13.147+09:00 DEBUG 84973 --- [nio-8000-exec-8] o.s.s.a.dao.DaoAuthenticationProvider : Authenticated user
2024-02-27T16:07:13.148+09:00 DEBUG 84973 --- [nio-8000-exec-8] o.s.s.w.a.www.BasicAuthenticationFilter : Set SecurityContextHolder to UsernamePasswordAuthenticationToken [Principal=org.springframework.security.core.userdetails.User [Username=user, Password=[PROTECTED], Enabled=true, AccountNonExpired=true, CredentialsNonExpired=true, AccountNonLocked=true, Granted Authorities=[]], Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=0:0:0:0:0:0:0:1, SessionId=null], Granted Authorities=[]]
2024-02-27T16:07:13.150+09:00 DEBUG 84973 --- [nio-8000-exec-8] o.s.security.web.FilterChainProxy : Secured POST /oauth2/v1/token
2024-02-27T16:07:13.161+09:00 DEBUG 84973 --- [nio-8000-exec-8] o.s.security.web.FilterChainProxy : Securing POST /error
2024-02-27T16:07:13.161+09:00 DEBUG 84973 --- [nio-8000-exec-8] o.s.security.web.FilterChainProxy : Secured POST /error
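For reference, this is how the Spring Authorization Server documentation splits the authorization server endpoints and the rest of the application into two ordered filter chains; it is an added illustration, not the question's own code. It assumes the AuthorizationServerSettings, RegisteredClientRepository and OAuth2AuthorizationService beans from the question stay defined (the configurer looks them up from the application context when they are not set explicitly), and the class name OrderedChainsConfiguration is invented. Spring Security dispatches a request to the first chain whose securityMatcher matches, so the order and the matcher decide which filters handle a POST to the token endpoint.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.OAuth2AuthorizationServerConfigurer;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Configuration
@EnableWebSecurity
public class OrderedChainsConfiguration { // hypothetical class name

    // Chain 1: restricted to the authorization server endpoints. The matcher is derived
    // from the AuthorizationServerSettings bean, so a custom path such as /oauth2/v1/token
    // is covered automatically.
    @Bean
    @Order(1)
    public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
        OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
                new OAuth2AuthorizationServerConfigurer();
        RequestMatcher endpointsMatcher = authorizationServerConfigurer.getEndpointsMatcher();

        http
            .securityMatcher(endpointsMatcher)                // this chain answers only for those paths
            .authorizeHttpRequests(authorize -> authorize.anyRequest().authenticated())
            .csrf(csrf -> csrf.ignoringRequestMatchers(endpointsMatcher)) // OAuth2 clients send no CSRF token
            .apply(authorizationServerConfigurer);            // adds client authentication + endpoint filters
        return http.build();
    }

    // Chain 2: everything else (the user-facing part of the application). Because chain 1
    // already claimed the token endpoint, the HTTP Basic filter here never sees client credentials.
    @Bean
    @Order(2)
    public SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(authorize -> authorize.anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults())
            .formLogin(Customizer.withDefaults());
        return http.build();
    }
}
```

With this layout the token endpoint is authenticated by the authorization server's client authentication filters (against the RegisteredClientRepository), whereas a chain without a securityMatcher that is evaluated first would authenticate the Basic credentials against the user store instead.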