Spring boot + oauth2 : Full authentication is required to access this resource

The following changes fixed this issue for me when reading Spring Microservices in Action by John Carnell.

Changed the following property

application.yml

server:
  contextPath: /auth

To

server:
  servlet:
    context-path: /auth

And I've also added {noop} to every secret/password and now it works!

WebSecurityConfigurer.java

@Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
                .withUser("john.carnell").password("{noop}password1").roles("USER")
                .and()
                .withUser("william.woodward").password("{noop}password2").roles("USER", "ADMIN");
    }

OAuth2Config.java

@Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
                .withClient("eagleeye")
                .secret("{noop}thisissecret")
                .authorizedGrantTypes("refresh_token", "password", "client_credentials")
                .scopes("webclient", "mobileclient");
    }

I am using Spring Cloud Hoxton SR11


In your sample app when you run, you would have got the following exception

java.lang.IllegalArgumentException: There is no PasswordEncoder mapped for the id "null"

In spring-security-core:5.0, the default PasswordEncoder is built as a DelegatingPasswordEncoder. Hence when you store the users in memory, you are providing the passwords in plain text and then when you are trying to retrieve the encoder from the DelegatingPasswordEncoder to validate the password it can't find one.

More details in this link Password Encoding

To address this , for a production implementation you should activate an instance of BCryptPasswordEncoder

For development, you can try out the following changes so that you can override password encoding by adding {noop} to the password value. This will treat the password by activating the NoOpPasswordEncoder instead of the default DelegatingPasswordEncoder and will treat your password as plain text.

OAuth2Config class

clients.inMemory()
            .withClient("eagleeye")
            .secret("{noop}thisissecret")
            .authorizedGrantTypes("refresh_token", "password", "client_credentials")
            .scopes("webclient", "mobileclient");

WebSecurityConfigurer class

 auth
                .inMemoryAuthentication()
                .withUser("john.carnell"). password("{noop}password1").roles("USER")
                .and()
                .withUser("william.woodward").password("{noop}password2").roles("USER", "ADMIN");

Now when you try from Postman, you would be able to generate token enter image description here

EDIT

Github project with a working demo here


I have same issue. the url is wrong, change to http://localhost:8080/oauth/token then it's OK. I got this sample from book which is giving the wrong url. just remove the "/auth"

Tags:

Spring

Oauth 2.0

Spring Boot

Related

How to suppress the "requires transitive directive for an automatic module" warning properly? Docker Macvlan network inside container is not reaching to its own host Python Anaconda: should I use `conda activate` or `source activate` in linux How to change textField underline color? add custom boxshadow to Flutter card Program type already present: com.google.android.gms.internal.zzfq Program type already present: com.android.vending.billing.IInAppBillingService How to submit a form in Vue, redirect to a new route and pass the parameters? Laravel How to remove "api" Prefix from subdomain URL The specified project directory ''" does not exist Webpack's removes classnames when minifying/uglifying ES6 code with inheritance Is it possible to read File from same folder where Azure function exists

Recent Posts