-
Mar 4th, 2012, 08:48 PM
#1
OAuth2 - request
I was wondering what the proper way is of making an API call to my OAuth2 server so that it verifies the access_token?
The request I'm using is set up as follows:
http://localhost:8080/optimal-securi...b-df9f09c8e33b
The setup for the action is as follows (in the server):
<http pattern="/user/**" create-session="stateless" entry-point-ref="oauthAuthenticationEntryPoint"
      access-decision-manager-ref="accessDecisionManager" xmlns="http://www.springframework.org/schema/security" >
    <intercept-url pattern="/user/{access_token}" access="ROLE_USER,SCOPE_READ" />
    <intercept-url pattern="/user/trusted/message" access="ROLE_CLIENT,SCOPE_READ" />
    <intercept-url pattern="/user/message" access="ROLE_USER,SCOPE_READ" />
    <intercept-url pattern="/user/**" access="ROLE_USER,SCOPE_READ" />
    <custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
    <access-denied-handler ref="oauthAccessDeniedHandler" />
</http>
Basically, the request does go through to the action, but the Principal is not found and it seems that nothing is being done with the "access_token" in the request.
-
Mar 5th, 2012, 02:52 AM
#2
You're supposed to send the access token in an Authorization header (per the spec). If you want to send it via a request parameter that should work too. Show us the <resource-server/> configuration? Are you using the latest snapshot, or M6?
-
Mar 5th, 2012, 11:09 AM
#3
Is there a sample I can look at for the Authorization header?
The <resource-server/> config is as follows:
<oauth:resource-server id="resourceServerFilter" resource-id="optimal-security" token-services-ref="tokenServices" />
And the "client-details-service" as follows:
<oauth:client-details-service>
    <oauth:client client-id="optimal-application" resource-ids="optimal-security"
                  authorized-grant-types="password,authorization_code,refresh_token,implicit"
                  authorities="ROLE_CLIENT, ROLE_TRUSTED_CLIENT" scope="read,write,trust" />
</oauth:client-details-service>
-
Mar 7th, 2012, 01:36 AM
#4
And the resourceServerFilter is included in the Spring Security filter (you can tell by looking at debug logs)?
The spec has plenty of examples of authorization headers, but it's pretty simple: "Authorization: Bearer <tokenvalue>".
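As an added illustration (not code from the thread or from Spring Security OAuth), the following models what the resource-server filter and access rules above do with an incoming request: the token is taken from the Authorization header (RFC 6750) or, failing that, the access_token parameter, never from the URL path, which is why a token placed in the path leaves the Principal unset. The token store, token value and principal name are constructed for the example.

```python
import fnmatch
from dataclasses import dataclass

RESOURCE_ID = "optimal-security"  # resource-id from the <oauth:resource-server> config above

@dataclass
class TokenInfo:  # what the token services would return for a known token
    principal: str
    authorities: set
    resource_ids: set
    scopes: set

# Constructed stand-in for tokenServices; "c0ffee-token" and "alice" are made up.
TOKEN_STORE = {
    "c0ffee-token": TokenInfo("alice", {"ROLE_USER"}, {RESOURCE_ID}, {"read"}),
}

# intercept-url rules from the thread, evaluated in order, first match wins.
# fnmatch's "*" crosses "/" so "/user/*" behaves like Spring's "/user/**".
RULES = [
    ("/user/trusted/message", {"ROLE_CLIENT", "SCOPE_READ"}),
    ("/user/message", {"ROLE_USER", "SCOPE_READ"}),
    ("/user/*", {"ROLE_USER", "SCOPE_READ"}),
]

def extract_bearer_token(headers, params):
    """RFC 6750 order: Authorization header first, then the access_token parameter.
    Anything embedded in the URL path is ignored, so a request like
    /user/<token> carries no usable credential."""
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    if scheme.lower() == "bearer" and value.strip():
        return value.strip()
    return params.get("access_token")

def authorize(path, headers, params):
    """Return (status, detail): 401 without a usable token, 403 when the token
    lacks a required role or scope, 200 with the resolved principal otherwise."""
    token = extract_bearer_token(headers, params)
    if token is None:  # no credential at all: challenge without an error code
        return 401, {"WWW-Authenticate": f'Bearer realm="{RESOURCE_ID}"'}
    info = TOKEN_STORE.get(token)
    if info is None or RESOURCE_ID not in info.resource_ids:
        return 401, {"WWW-Authenticate": f'Bearer realm="{RESOURCE_ID}", error="invalid_token"'}
    required = next((req for pat, req in RULES if fnmatch.fnmatchcase(path, pat)), None)
    if required is None:
        return 404, {}
    granted = info.authorities | {"SCOPE_" + s.upper() for s in info.scopes}
    if not required <= granted:
        return 403, {"WWW-Authenticate": f'Bearer realm="{RESOURCE_ID}", error="insufficient_scope"'}
    return 200, {"principal": info.principal}
```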