For learning purposes, I've decided to create a sample application that would consist of three services (Java modules).
- OAuth 2 authorization server
- resource server
- OAuth 2 client
I've not had any big issues with the first 2 of them, but I've spent the last few hours trying to figure out how to create a valid OAuth 2 client, but I keep on receiving this error: Unable to resolve Configuration with the provided Issuer of "http://localhost:9000".
Since I've no clue where the issue is, I'll provide all the neccessary context of all 3 services.
Here's the configuration of the resource server.
application.yml
server:
port: 8080
spring:
security:
oauth2:
resourceserver:
jwt:
issuer-uri: "http://localhost:9000"
jwk-set-uri: "http://localhost:9000/oauth2/jwks"
SecurityConfig
@Configuration
@EnableWebSecurity
public class SecurityConfig {
@Bean
MvcRequestMatcher.Builder mvc(HandlerMappingIntrospector introspector) {
return new MvcRequestMatcher.Builder(introspector);
}
@Bean
@Order(1)
public SecurityFilterChain filterChain(HttpSecurity http, MvcRequestMatcher.Builder mvc) throws Exception {
http
// SECURITY
.csrf(CsrfConfigurer::disable)
.headers(headers -> headers
.frameOptions(HeadersConfigurer.FrameOptionsConfig::disable))
// RISK
.authorizeHttpRequests((auth) -> auth
.requestMatchers(mvc.pattern("/data-api/users")).denyAll()
.requestMatchers(mvc.pattern("/data-api/users/**")).denyAll()
.requestMatchers(mvc.pattern("/data-api/taco-orders")).denyAll()
.requestMatchers(mvc.pattern("/data-api/taco-orders/**")).denyAll()
.requestMatchers(mvc.pattern(HttpMethod.POST, "/data-api/tacos")).authenticated()
.requestMatchers(mvc.pattern(HttpMethod.DELETE, "/data-api/tacos/**")).denyAll()
.requestMatchers(mvc.pattern(HttpMethod.POST, "/data-api/ingredients")).hasAuthority("SCOPE_ingredients.write")
.requestMatchers(mvc.pattern(HttpMethod.DELETE, "/data-api/ingredients/**")).hasAuthority("SCOPE_ingredients.delete")
.requestMatchers(mvc.pattern("/design"), mvc.pattern("/orders")).hasRole("USER")
.requestMatchers(mvc.pattern("/"), mvc.pattern("/**")).permitAll()
.requestMatchers(toH2Console()).permitAll()
.anyRequest().authenticated())
.oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()))
.formLogin((formLogin) -> formLogin
.loginPage("/login")
.defaultSuccessUrl("/design"));
return http.build();
}
}
Authorization server settings...
application.yml
server:
port: 9000
AuthServerConfig
@Configuration(proxyBeanMethods = false)
public class AuthServerConfig {
@Bean
@Order(Ordered.HIGHEST_PRECEDENCE)
public SecurityFilterChain authServerSecurityFilterChain(HttpSecurity http) throws Exception {
OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http);
http
.formLogin(Customizer.withDefaults());
return http.build();
}
@Bean
public RegisteredClientRepository registeredClientRepository(PasswordEncoder passwordEncoder) {
RegisteredClient registeredClient = RegisteredClient.withId(UUID.randomUUID().toString())
.clientId("taco-cloud-client")
.clientSecret(passwordEncoder.encode("secret"))
.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
.authorizationGrantTypes(grantTypes -> grantTypes.addAll(Set.of(
AuthorizationGrantType.AUTHORIZATION_CODE,
AuthorizationGrantType.REFRESH_TOKEN
)))
.redirectUris(redirectUris -> redirectUris.addAll(Set.of(
"http://127.0.0.1:9090/authorized",
"http://127.0.0.1:9090/login/oauth2/code/taco-cloud-client"
)))
.scopes(scopes -> scopes.addAll(Set.of(
"ingredients.write",
"ingredients.delete",
OidcScopes.OPENID
)))
.clientSettings(ClientSettings.builder().requireAuthorizationConsent(true).build())
.build();
return new InMemoryRegisteredClientRepository(registeredClient);
}
@Bean
public JWKSource<SecurityContext> jwkSource()
throws NoSuchAlgorithmException {
RSAKey rsaKey = generateRsa();
JWKSet jwkSet = new JWKSet(rsaKey);
return (jwkSelector, securityContext) -> jwkSelector.select(jwkSet);
}
@Bean
public JwtDecoder jwtDecoder(JWKSource<SecurityContext> jwkSource) {
return OAuth2AuthorizationServerConfiguration.jwtDecoder(jwkSource);
}
private static RSAKey generateRsa() throws NoSuchAlgorithmException {
KeyPair keyPair = generateRsaKey();
RSAPublicKey publicKey = (RSAPublicKey) keyPair.getPublic();
RSAPrivateKey privateKey = (RSAPrivateKey) keyPair.getPrivate();
return new RSAKey.Builder(publicKey)
.privateKey(privateKey)
.keyID(UUID.randomUUID().toString())
.build();
}
private static KeyPair generateRsaKey() throws NoSuchAlgorithmException {
KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
keyPairGenerator.initialize(2048);
return keyPairGenerator.generateKeyPair();
}
}
SecurityConfig
@EnableWebSecurity
@Configuration
public class SecurityConfig {
@Bean
SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http
.authorizeHttpRequests(auth -> auth
.anyRequest().authenticated())
.formLogin(Customizer.withDefaults());
return http.build();
}
}
And the problematic OAuth 2.0 client:
application.yml
server:
port: 9090
spring:
security:
oauth2:
client:
registration:
taco-cloud-client:
provider: tacocloud
client-id: taco-cloud-client
client-secret: secret
authorization-grant-type: authorization_code
redirect-uri: "http://127.0.0.1:9090/login/oauth2/code/{registrationId}"
scope:
- openid
- ingredients.read
- ingredients.write
provider:
tacocloud:
issuer-uri: http://localhost:9000
SecurityConfig
@EnableWebSecurity
@Configuration(proxyBeanMethods = false)
public class SecurityConfig {
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http
.authorizeHttpRequests(authorize ->
authorize
.anyRequest().authenticated())
.oauth2Login(oauth2Login ->
oauth2Login.loginPage("/oauth2/authorization/taco-cloud-client"))
.oauth2Client(Customizer.withDefaults());
return http.build();
}
}
Uff.. That's it, I think ;D If anyone would be so kind to point me in the right direction, I'd be thankful!
It would be helpful to see the full log. However, I think this issue appears to be similar to another one. Then you need to update your SecurityConfig of Authorization Server:
@Order(Ordered.HIGHEST_PRECEDENCE) public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception { OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http); http.getConfigurer(OAuth2AuthorizationServerConfigurer.class).oidc(withDefaults()); return http .formLogin(Customizer.withDefaults()) .build(); }