Secure the /oauth/authorize endpoint the same way as /oauth/token - spring-security

In the OAuth 2 TokenEndpoint, whenever we call the /oauth/token endpoint, BaseAuthenticationFilter is invoked and the client is authenticated. But the same BaseAuthenticationFilter is not registered for the /oauth/authorize endpoint.
Because of this, the Principal object is not populated and is null for the /oauth/authorize mapping.
How can we register the same filter for the /oauth/authorize endpoint?

Related

For the doorkeeper gem, why do we need to set redirect_url both in the server dashboard and as a request param from the client?

I'm looking at some examples of the doorkeeper gem. One thing I noticed is that they set the redirect URL in two places. One is when they create a new OAuth application at /oauth/applications; the other is when the client makes a request to /oauth/authorize to get an access code. I'm wondering why they need to set the redirect URL in two places?
It is not just doorkeeper's implementation; it is defined by the OAuth 2 specification. You can see that redirect_uri is defined as a parameter of two endpoints here:
One is when they create a new OAuth application at /oauth/applications - 4.1.1. Authorization Request
The other is when the client makes a request to /oauth/authorize to get an access code - 4.1.3. Access Token Request
"Why do they need to set the redirect URL in two places?" Because:
A client can register multiple redirect_uri values on the authorization server. Here: "provide its client redirection URIs as described in Section 3.1.2"
After the client sends one of its registered redirect_uri values in the Authorization Request (4.1.1) to the authorization server, the client receives the authorization_code from the authorization server at that redirect_uri. So when you exchange that authorization_code for an access_token in the Access Token Request (4.1.3), you need to send the same redirect_uri so that the authorization server can make sure the authorization_code is bound to that redirect_uri.
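The binding the answer describes, as an added example (not code from the post or from the doorkeeper gem): a toy authorization server that keeps the list of registered redirect URIs per client, issues a code only for an exact match against that list, and at the token endpoint refuses the exchange unless the same redirect_uri comes back. The client id and URIs are constructed for the demo.

```ruby
# Added example, not doorkeeper's code: why redirect_uri is checked at both
# the authorization request (RFC 6749 4.1.1) and the token request (4.1.3).
require 'securerandom'

class ToyAuthServer
  InvalidRequest = Class.new(StandardError)

  def initialize
    @clients = {}   # client_id => Array of registered redirect URIs (dashboard step)
    @codes   = {}   # code => { client_id:, redirect_uri:, used: }
    @tokens  = {}   # access token => client_id
  end

  # Done once, in the application dashboard: register the allowed redirect URIs.
  def register_client(client_id, redirect_uris)
    @clients[client_id] = redirect_uris.dup
  end

  # 4.1.1: the client sends one of its registered redirect URIs. The check is an
  # exact string match against the registration, not a prefix match, so the
  # server never redirects the user agent to an address the client did not register.
  def authorize(client_id:, redirect_uri:)
    registered = @clients.fetch(client_id) { raise InvalidRequest, 'unknown client' }
    raise InvalidRequest, 'redirect_uri not registered' unless registered.include?(redirect_uri)

    code = SecureRandom.hex(16)
    @codes[code] = { client_id: client_id, redirect_uri: redirect_uri, used: false }
    # The user agent would be sent to this location with the code attached.
    { code: code, location: "#{redirect_uri}?code=#{code}" }
  end

  # 4.1.3: the client must present the same redirect_uri it used in 4.1.1.
  # Any mismatch (or reuse, or a different client) is answered with invalid_grant,
  # the same error text the spec uses for a code "issued to another client".
  def token(client_id:, code:, redirect_uri:)
    grant = @codes[code]
    return { error: 'invalid_grant' } if grant.nil? || grant[:used]
    return { error: 'invalid_grant' } unless grant[:client_id] == client_id
    return { error: 'invalid_grant' } unless grant[:redirect_uri] == redirect_uri

    grant[:used] = true   # authorization codes are single use
    token = SecureRandom.hex(16)
    @tokens[token] = client_id
    { access_token: token, token_type: 'bearer' }
  end
end

if __FILE__ == $0
  srv = ToyAuthServer.new
  srv.register_client('app', ['https://app.example/cb', 'https://app.example/cb2'])
  step1 = srv.authorize(client_id: 'app', redirect_uri: 'https://app.example/cb')
  puts srv.token(client_id: 'app', code: step1[:code], redirect_uri: 'https://app.example/cb2').inspect
  puts srv.token(client_id: 'app', code: step1[:code], redirect_uri: 'https://app.example/cb').inspect
end
```

The first `token` call in the demo fails because the URI differs from the one the code was issued for; the second succeeds; a third attempt with the same code would fail again because the code has been spent.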

How to get userinfo by JWT token in a Spring Security OAuth2 authorization server?

I implemented an OAuth2 authorization server with Spring Security OAuth2 and use JwtTokenStore to store access tokens. Now I need to provide a /userinfo controller so that an OAuth2 client can get user info for the current access token. The /userinfo endpoint is as follows:
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

@RequestMapping("/userinfo")
public Object getCurrentUserInfo(HttpServletRequest request) {
    // Only populated if a filter in the chain authenticated the bearer token
    Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
    return authentication;
}
but I don't know how to get the user info.
Maybe you need to read more of the OAuth 2 Developers Guide. Know the functions of the Authorization Server, Resource Server and OAuth 2.0 Client, and know Spring Security.
To get user info by access token, you should configure a resource server in the Authorization Server too, because the resource server provides a filter, OAuth2AuthenticationProcessingFilter, that gets the user info from the token and sets it into SecurityContextHolder.

Is the OAuth redirect_uri in the authorization grant type an HTML page or an API call?

I am confused about whether the redirect_uri in the OAuth authorization grant type is an HTML page or an API call.
The redirect_uri in OAuth2 is the endpoint where the client receives the authorization code (authorization code grant) or access token (implicit grant).
The authorization server typically redirects the user's browser back to the client via an HTTP 302 redirect status code.
However, OpenID Connect defines a response_mode=form_post, which makes the authorization server return an HTML page with a form containing the parameters as (hidden) fields that is auto-submitted to the client application.

Authorization code grant type of OAuth2

I am trying to implement the Resource Owner part of OAuth2 (authorization code grant type). While going through the OAuth2 specification, I found the following text about the initial client request for authorization:
"The client directs the resource owner to the constructed URI using an
HTTP redirection response, or by other means available to it via the
user-agent."
I am a bit confused about the "HTTP redirection response" part. Can anyone explain a scenario in which the client uses an HTTP redirection response to direct the resource owner to the authorization endpoint?
Imagine a user (Resource Owner) wants to access a resource (Resource Server) through an application (Client). The user sends an HTTP request with a web browser to execute an operation on the application. The access to the resource cannot be authorized because the HTTP request contains no access token in the Authorization header. In that case the application redirects the user to the Authorization Server instead of responding with an error message. By providing login credentials to the Authorization Server the user can initiate the Authorization Request.
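The two redirects discussed in this answer and in the "HTML page or API call" answer above, as one added example (not code from either post): a client that answers a request without a bearer token with a 302 to the authorization endpoint, and an authorization server that sends the code back to redirect_uri either as a 302 or, for response_mode=form_post, as an auto-submitting HTML form. Responses are in Rack's `[status, headers, body]` shape; the endpoint URL, client id and redirect URI are constructed for the demo.

```ruby
# Added example, not from the answers: the client-side and server-side
# redirects of the authorization code flow as plain HTTP responses.
require 'uri'
require 'cgi'
require 'securerandom'

AUTHZ_ENDPOINT = 'https://auth.example/oauth/authorize'   # constructed for the demo
CLIENT_ID      = 'demo-client'                            # constructed for the demo
REDIRECT_URI   = 'https://app.example/callback'           # constructed; assumed registered

# Client side: no bearer token means no error page. The client stores a fresh
# state value in the user's session and answers 302 so the user agent lands on
# the authorization endpoint with the request parameters in the query string.
def client_handle(env, session)
  auth = env['HTTP_AUTHORIZATION'].to_s
  return [200, { 'content-type' => 'text/plain' }, ['protected resource']] if auth.start_with?('Bearer ')

  session[:oauth_state] = SecureRandom.hex(16)
  params = {
    'response_type' => 'code',
    'client_id'     => CLIENT_ID,
    'redirect_uri'  => REDIRECT_URI,
    'scope'         => 'read',
    'state'         => session[:oauth_state],
  }
  [302, { 'location' => "#{AUTHZ_ENDPOINT}?#{URI.encode_www_form(params)}" }, []]
end

# Authorization server side, default mode: after the user approves, the code
# travels back to redirect_uri in a 302 Location header.
def server_redirect_response(redirect_uri, code, state)
  sep = redirect_uri.include?('?') ? '&' : '?'
  query = URI.encode_www_form('code' => code, 'state' => state)
  [302, { 'location' => "#{redirect_uri}#{sep}#{query}" }, []]
end

# Authorization server side, OpenID Connect response_mode=form_post: the same
# parameters are delivered as hidden fields in an HTML form that the browser
# auto-submits with POST to redirect_uri. Values are HTML-escaped before
# they are placed in the page.
def server_form_post_response(redirect_uri, code, state)
  html = <<~HTML
    <html><body onload="document.forms[0].submit()">
    <form method="post" action="#{CGI.escapeHTML(redirect_uri)}">
    <input type="hidden" name="code" value="#{CGI.escapeHTML(code)}">
    <input type="hidden" name="state" value="#{CGI.escapeHTML(state)}">
    <noscript><button type="submit">Continue</button></noscript>
    </form></body></html>
  HTML
  [200, { 'content-type' => 'text/html', 'cache-control' => 'no-store' }, [html]]
end

# Client callback at redirect_uri: whichever way the code arrived (GET query or
# POSTed form), it is only accepted if state matches what this session issued.
def client_callback(params, session)
  unless params['state'] == session[:oauth_state]
    return [400, { 'content-type' => 'text/plain' }, ['state mismatch']]
  end
  [200, { 'content-type' => 'text/plain' }, ["received code #{params['code']}"]]
end
```

The state check in `client_callback` is what makes the redirect-based delivery safe to accept from the user agent: a code delivered without the session's own state is discarded before any token exchange.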

401 Unauthorized -- Invalid grant when requesting refresh token in Doorkeeper

I'm having trouble requesting a refresh token; it keeps returning a 401 Unauthorized error. I don't know if I'm missing a parameter in the request I made.
I added the doorkeeper configuration for refresh token.
use_refresh_token
Here's the request details:
{{root_url}}/oauth/token
{"refresh_token"=>"034a74c085219fb8297fd8ef9b59f080918f",
 "format"=>:json,
 "controller"=>"/oauth/tokens",
 "action"=>"create",
 "grant_type"=>"refresh_token",
 "client_id"=>"<client_id>",
 "client_secret"=>"<client_secret>"}
Error descriptions:
{:error=>:invalid_grant,
:error_description=>
"The provided authorization grant is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client."}
Btw, all of my API request authentication is not failing, just this refresh token. I wonder what I'm missing in the request parameters.
Do not pass the client_id and client_secret.
The required parameters for the refresh token are:
grant_type
refresh_token
Optional parameter:
scope.
See the Refresh Token section of RFC 6749: The OAuth 2.0 Authorization Framework.
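The checks a token endpoint applies to a refresh_token grant (RFC 6749 section 6), as an added example that is not doorkeeper's code: the required parameters are grant_type and refresh_token, scope is optional and may only narrow the original grant, and a token issued to another client yields the same invalid_grant error the question shows. The client ids and scopes are constructed for the demo, and the refresh token is rotated on each use.

```ruby
# Added example, not doorkeeper's implementation: a toy refresh-token handler.
require 'securerandom'

class RefreshTokenEndpoint
  Token = Struct.new(:client_id, :scopes, :revoked, keyword_init: true)

  def initialize
    @refresh_tokens = {}   # refresh token string => Token
  end

  # Issue an access/refresh pair for a client (what an earlier grant would have done).
  def issue(client_id, scopes)
    rt = SecureRandom.hex(20)
    @refresh_tokens[rt] = Token.new(client_id: client_id, scopes: scopes, revoked: false)
    { access_token: SecureRandom.hex(20), refresh_token: rt, scope: scopes.join(' ') }
  end

  # params: the POST body as a string-keyed hash.
  # authenticated_client: the client_id established by client authentication
  # (for example HTTP Basic on the token endpoint), or nil for a public client.
  def handle(params, authenticated_client)
    return error('unsupported_grant_type') unless params['grant_type'] == 'refresh_token'
    return error('invalid_request') if params['refresh_token'].to_s.empty?

    token = @refresh_tokens[params['refresh_token']]
    return error('invalid_grant') if token.nil? || token.revoked
    # A refresh token issued to one client must not be usable by another.
    return error('invalid_grant') if authenticated_client && token.client_id != authenticated_client

    requested = params.key?('scope') ? params['scope'].split(' ') : token.scopes
    # Scope may be narrowed on refresh, never widened beyond the original grant.
    return error('invalid_scope') unless (requested - token.scopes).empty?

    token.revoked = true   # rotation: the presented refresh token is spent
    issue(token.client_id, requested)
  end

  private

  def error(code)
    { error: code }
  end
end

if __FILE__ == $0
  ep = RefreshTokenEndpoint.new
  first = ep.issue('app', %w[read write])
  puts ep.handle({ 'grant_type' => 'refresh_token', 'refresh_token' => first[:refresh_token] }, 'app').inspect
end
```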