I have been trying to find an appropriate configuration for Twitter Oauth2 configuration in Spring Boot Security, but nothing is working.
After clicking the "Sign in Twitter" button, the flow is started, authorization dialog is presented and after clicking "authorize", the following error is thrown: "[invalid_token_response] An error occurred while attempting to retrieve the OAuth 2.0 Access Token Response: 401 Unauthorized: [no body]".
The configuration in the application.properties file looks like this:
spring.security.oauth2.client.registration.twitter.client-id=[my-client-id]
spring.security.oauth2.client.registration.twitter.client-secret=[my-secret]
spring.security.oauth2.client.registration.twitter.scope=users.read
spring.security.oauth2.client.registration.twitter.redirect-uri={baseUrl}/oauth2/callback/{registrationId}
spring.security.oauth2.client.registration.twitter.client-authentication-method=client_secret_post
spring.security.oauth2.client.provider.twitter.authorization-uri=https://twitter.com/i/oauth2/authorize?code_challenge=challenge&code_challenge_method=plain
spring.security.oauth2.client.provider.twitter.token-uri=https://api.twitter.com/2/oauth2/token
spring.security.oauth2.client.registration.twitter.authorization-grant-type=authorization_code
This is my SecurityConfig in the application:
@Configuration
@EnableWebSecurity
@RequiredArgsConstructor
public class SecurityConfig {
private final CustomOAuth2UserService customOAuth2UserService;
private final OAuth2AuthenticationSuccessHandler oAuthAuthenticationSuccessHandler;
private final OAuth2AuthenticationFailureHandler oAuth2AuthenticationFailureHandler;
private final HttpCookieOAuth2AuthorizationRequestRepository httpCookieOAuth2AuthorizationRequestRepository;
private final TokenAuthenticationFilter tokenAuthenticationFilter;
private final ClientRegistrationRepository clientRegistrationRepository;
@Bean
public HttpCookieOAuth2AuthorizationRequestRepository cookieAuthorizationRequestRepository() {
return new HttpCookieOAuth2AuthorizationRequestRepository();
}
@Bean
protected SecurityFilterChain configure(HttpSecurity http) throws Exception {
http.csrf(AbstractHttpConfigurer::disable);
http.cors(Customizer.withDefaults());
http.sessionManagement(sessionManagement -> sessionManagement.sessionCreationPolicy(STATELESS));
http.formLogin(AbstractHttpConfigurer::disable);
http.httpBasic(AbstractHttpConfigurer::disable);
http.authorizeHttpRequests(
auth -> auth
.requestMatchers("/token/refresh/**").permitAll()
.requestMatchers(
"/",
"/error"
).permitAll()
.requestMatchers("/auth/**", "/oauth2/**").permitAll()
.anyRequest().authenticated()
);
http.oauth2Login(oauth2 -> oauth2
.authorizationEndpoint(authorizationEndpointConfigurer -> authorizationEndpointConfigurer
.baseUri("/oauth2/authorize")
.authorizationRequestRepository(httpCookieOAuth2AuthorizationRequestRepository)
.authorizationRequestResolver(new CustomAuthorizationRequestResolver(
clientRegistrationRepository, "/oauth2/authorize"
))
)
.redirectionEndpoint(redirectionEndpointConfigurer -> redirectionEndpointConfigurer
.baseUri("/oauth2/callback/*")
)
.userInfoEndpoint(userInfoEndpointConfigurer -> userInfoEndpointConfigurer
.userService(customOAuth2UserService)
)
.tokenEndpoint(token -> token.accessTokenResponseClient(authorizationCodeTokenResponseClient()))
.successHandler(oAuthAuthenticationSuccessHandler)
.failureHandler(oAuth2AuthenticationFailureHandler)
);
http.addFilterBefore(tokenAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
return http.build();
}
private OAuth2AccessTokenResponseClient<OAuth2AuthorizationCodeGrantRequest> authorizationCodeTokenResponseClient() {
OAuth2AccessTokenResponseHttpMessageConverter tokenResponseHttpMessageConverter =
new OAuth2AccessTokenResponseHttpMessageConverter();
tokenResponseHttpMessageConverter.setAccessTokenResponseConverter(new CustomAccessTokenResponseConverter());
RestTemplate restTemplate = new RestTemplate(Arrays.asList(
new FormHttpMessageConverter(), tokenResponseHttpMessageConverter));
restTemplate.setErrorHandler(new OAuth2ErrorResponseErrorHandler());
DefaultAuthorizationCodeTokenResponseClient tokenResponseClient = new DefaultAuthorizationCodeTokenResponseClient();
tokenResponseClient.setRestOperations(restTemplate);
return tokenResponseClient;
}
@Bean
public AuthenticationManager authenticationManagerBean(AuthenticationConfiguration authenticationConfiguration) throws Exception {
return authenticationConfiguration.getAuthenticationManager();
}
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
}
This is my configuration on Twitter's developer portal:
Has anyone handled such case here?
PS. I am receiving the same error for LinkedIn configuration:
spring.security.oauth2.client.registration.linkedin.client-id=[client-id]
spring.security.oauth2.client.registration.linkedin.client-secret=[client-secret]
spring.security.oauth2.client.registration.linkedin.scope=profile,email,openid
spring.security.oauth2.client.registration.linkedin.redirect-uri={baseUrl}/oauth2/callback/{registrationId}
spring.security.oauth2.client.registration.linkedin.authorization-grant-type=authorization_code
spring.security.oauth2.client.registration.linkedin.client-authentication-method=client_secret_post
spring.security.oauth2.client.provider.linkedin.authorization-uri=https://www.linkedin.com/oauth/v2/authorization
spring.security.oauth2.client.provider.linkedin.token-uri=https://www.linkedin.com/oauth/v2/accessToken
spring.security.oauth2.client.provider.linkedin.user-info-uri=https://api.linkedin.com/v2/me?projection=(id,firstName,lastName,profilePicture(displayImage~:playableStreams))
spring.security.oauth2.client.provider.linkedin.user-name-attribute=localizedFirstName
spring.security.oauth2.client.provider.linkedin.jwk-set-uri=https://www.linkedin.com/oauth/openid/jwks
I have already checked the credentials (client id, client secret) and they are correct, as well as the redirect uri.