Results 1 to 4 of 4

Thread: Sending user to /oauth/authorize results in 'missing verfication code'

  1. Apr 5th, 2011, 02:12 AM #1
    hansamann
    hansamann is offline Member
    Join Date
    Mar 2007
    Posts
    34

    Default Sending user to /oauth/authorize results in 'missing verfication code'

    Hi all,

    I am still trying to got an oauth2 provider up. To begin with the oauth dance a client is supposed to send the user via redirect to the service provider and request authorization. So I do this:

    send user to:
    http://localhost:9001/oauth2/oauth/a...F%2Fspiegel.de

    What I would expect is that my spring-security defined login page comes up... but instead, this is what is returned:

    {
    "error": "invalid_request",
    "error_description": "A verification code must be supplied."
    }

    So what is wrong? Would I need to "secure" the /oauth/authorize mapping to have the login page com up?

    Again including all my config below -thanx for your help!
    Code:
    	<http auto-config='true' access-denied-page="/login.jsp">
		<intercept-url pattern="/rest/**" access="ROLE_USER" />
		<intercept-url pattern="/request_token_authorized.jsp"
			access="ROLE_USER" />
		<intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />

		<form-login authentication-failure-url="/login.jsp" 
			default-target-url="/index.jsp" login-page="/login.jsp"
			login-processing-url="/login.do" />
		<logout logout-success-url="/index.jsp" logout-url="/logout.do" />
	</http>

	<authentication-manager>
		<authentication-provider>
			<user-service>
				<user name="sven" password="nevs" authorities="ROLE_USER, ROLE_ADMIN" />
				<user name="demo" password="1234" authorities="ROLE_USER" />
			</user-service>
		</authentication-provider>
	</authentication-manager>

	<beans:bean id="tokenServices"
		class="org.springframework.security.oauth2.provider.token.InMemoryOAuth2ProviderTokenServices">
		<beans:property name="supportRefreshToken" value="true" />
	</beans:bean>

	<oauth:provider client-details-service-ref="clientDetails"
		token-services-ref="tokenServices"  
		authorization-url="/oauth/authorize" ><!-- authorization url is default -->
		<oauth:verification-code user-approval-page="/oauth/confirm_access" />
	</oauth:provider>

	<oauth:client-details-service id="clientDetails">
		<oauth:client clientId="my-trusted-client"
			authorizedGrantTypes="password,authorization_code,refresh_token" />
		<oauth:client clientId="my-trusted-client-with-secret"
			authorizedGrantTypes="password,authorization_code,refresh_token"
			secret="somesecret" />
		<oauth:client clientId="my-less-trusted-client"
			authorizedGrantTypes="authorization_code" />
		<oauth:client clientId="tonr" authorizedGrantTypes="authorization_code" />
	</oauth:client-details-service>
    Reply With Quote Reply With Quote
  2. Apr 5th, 2011, 04:44 AM #2
    hansamann
    hansamann is offline Member
    Join Date
    Mar 2007
    Posts
    34

    Smile got the answer...

    OK, I can answer a couple questions myself after digging into the source code.

    The most interestign finding that helped most was looking into the Oauth2 VerificationCodeFilter. It has a default processing URL defined as a default that I have never seen anywhere in the docs:

    public static final String DEFAULT_PROCESSING_URL = "/oauth/user/authorize";

    So that made me try a request like this against my running server from the borwser:

    GET http://localhost:9001/oauth2/oauth/u...F%2Fspiegel.de

    This will forward to /oauth/confirm_access which initially was not protected in my setup. So I created this spring config to protect the confirm_access page:
    Code:
    	<http auto-config='true' access-denied-page="/login.jsp">
		<intercept-url pattern="/rest/**" access="ROLE_USER" />
		<intercept-url pattern="/request_token_authorized.jsp"
			access="ROLE_USER" />
		<intercept-url pattern="/oauth/confirm_access" access="ROLE_USER" />			
		<intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />

		<form-login authentication-failure-url="/login.jsp" 
			default-target-url="/index.jsp" login-page="/login.jsp"
			login-processing-url="/login.do" />
		<logout logout-success-url="/index.jsp" logout-url="/logout.do" />
	</http>
    I cleared all cookies, and requested teh page again. I now got the login page, logged in, got the access confirmation page, confirmed and got a redirect to teh configured redirect_uri with ?code=XXX appended to it.

    With that information, I was able to construct the access token request as follows:

    http://localhost:9001/oauth2/oauth/a...F%2Fspiegel.de

    An boom, here we go the access token:

    Code:
    {

    access_token: "c45e3516-7783-4367-864a-8365e745f6be"
    expires_in: 43199
    refresh_token: "bb92a1ae-5699-4e98-acea-442952271095"

}
    So for so good!
    Reply With Quote Reply With Quote
  3. Mar 22nd, 2013, 10:55 AM #3
    tarun1188
    tarun1188 is offline Junior Member
    Join Date
    Mar 2013
    Posts
    6

    Default

    Hi,
    How to get the resource data using the access token. I'm looking for for past 2 days and no help. Any hint or help will be highly useful.
    Thanks in advance.
    Reply With Quote Reply With Quote
  4. Mar 22nd, 2013, 11:24 AM #4
    Dave Syer
    Dave Syer is offline Senior Member
    Join Date
    Jun 2005
    Posts
    4,232

    Default

    Quote Originally Posted by hansamann View Post
    Would I need to "secure" the /oauth/authorize mapping to have the login page com up?
    Yes. It's not magic, just standard Spring Security configuration to ensure that the endpoint is protected. It's up to you how to do the authentication (the sparklr sample has an in memory user database and a login page).
    Reply With Quote Reply With Quote
« Previous Thread | Next Thread »

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules