@pivotaljohn
Last active December 6, 2017 23:17
Speedbumps I hit and covered in learning how to implement OAuth2 through Spring Security.
  • When generating the Authorization: Basic value, I did something like this:

    $ echo "client-id:client-secret" | base64
    

    ... forgetting that echo appends a newline, so the encoded value covers "client-id:client-secret\n" rather than the credentials alone. The resulting value fails to match and the token endpoint answers:

    {
      "timestamp":1512600410517,
      "status":401,
      "error":"Unauthorized",
      "message":"Bad credentials",
      "path":"/oauth/token"
    }
    
  • Even though https://tools.ietf.org/html/rfc6749#section-4.4.2 says that "scope" is optional, Spring Security OAuth2 rejects the client-credentials request when the client has no scope configured:

    {
      "error":"invalid_scope",
      "error_description":"Empty scope (either the client or the user is not allowed the requested scopes)"
    }
    

    The short-term fix is to ensure a scope is set for the client:

    application.properties

    ...
    security.oauth2.client.scope=default
    ...
    

This worked:

$ export BASIC_AUTH_CREDS=$( echo -n "client_id:client_secret" | base64 )
$ curl -H "Content-Type: application/x-www-form-urlencoded" \
       -H "Authorization: Basic $BASIC_AUTH_CREDS" \
       -X POST \
       -d 'grant_type=client_credentials' \
       http://localhost:8080/oauth/token
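As an added example (not part of the gist), the following shell functions build the Basic value the safe way with printf, reproduce the echo mistake from the first note so the two encodings can be compared side by side, and check an existing header value for the tell-tale trailing newline byte. The client id and secret are constructed placeholders, and the curl usage at the end assumes the same local token endpoint the gist uses.

```shell
#!/bin/sh
# Added example, not code from the gist. Credentials below are constructed
# placeholders, not real values.

# Correct: printf emits exactly the bytes given, with no trailing newline.
# tr strips the newline base64 itself prints after the encoded text.
make_basic_auth() {
  printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# The mistake from the note: echo appends "\n", so the encoded text covers
# "client_id:client_secret\n" and the server sees a secret ending in a newline.
# Kept here only so the two encodings can be compared.
make_basic_auth_broken() {
  echo "$1:$2" | base64 | tr -d '\n'
}

# Returns 0 (true) when a Basic header value decodes to bytes ending in 0x0a,
# i.e. it was produced with echo instead of echo -n or printf.
has_trailing_newline() {
  last=$(printf '%s' "$1" | base64 -d | tail -c 1 | od -An -tx1 | tr -d ' \n')
  [ "$last" = "0a" ]
}

# Usage (values constructed; endpoint as in the gist):
#   creds=$(make_basic_auth client_id client_secret)
#   curl -H "Content-Type: application/x-www-form-urlencoded" \
#        -H "Authorization: Basic $creds" \
#        -X POST \
#        -d 'grant_type=client_credentials' \
#        http://localhost:8080/oauth/token
```

The two encodings differ only in their last characters: the correct value ends in "=" padding, while the echo version ends in "K", the base64 encoding of the extra newline byte. Checking the final byte of the decoded header is a quick way to tell which one a misbehaving client is sending.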