
Thread: oauth 2 An Authentication object was not found in the SecurityContext

  1. #11 (Join Date: Aug 2012, Posts: 104)

    Indeed it is an old thread, yet I do get the same problem. I'm sure it is for a different reason than the guys before me ...
    I work on RC2a, successfully get a code (after calling /authorize), but when I make the call to /token I get 401. Breakpoint in TokenEndpoint never stops (of course).
    (Dave - I did a small "hack" in order to keep working even though I work with an anonymous token (I have raised a ticket in Jira), so I extended AuthorizationCodeResourceDetails and my isClientOnly() returns true; this way I do get the redirect to /authorize. Can this cause my problem? I doubt it...)
    Where can the problem be? In the definitions of the OAuth provider or the client?

    my XML of the OAuth provider:

    Code:
    <!-- Protect the /oauth/token url to allow only registered clients -->
    <security:http pattern="/oauth/token" authentication-manager-ref="clientAuthenticationManager">
        <!--<intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY" />-->
        <security:intercept-url pattern="/oauth/token" access="ROLE_CLIENT" requires-channel="https"/>
        <security:anonymous enabled="false" />
        <security:http-basic />
    </security:http>

    <security:authentication-manager id="clientAuthenticationManager">
        <security:authentication-provider user-service-ref="clientDetailsUserService" />
    </security:authentication-manager>

    <!-- Adapts the registered OAuth clients to a UserDetailsService so HTTP Basic can authenticate them -->
    <bean id="clientDetailsUserService" class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
        <constructor-arg ref="clientDetails" />
    </bean>

    <!-- Client registrations are read from the database behind dataSource -->
    <bean id="clientDetails" class="org.springframework.security.oauth2.provider.JdbcClientDetailsService">
        <constructor-arg ref="dataSource" />
    </bean>

  2. #12 (Join Date: Jun 2005, Posts: 4,241)

    Quote Originally Posted by OhadR:
        successfully get a code (after calling /authorize), but when I make the call to /token I get 401. Breakpoint in TokenEndpoint never stops (of course).
    A 401 means you didn't authenticate the call to the token endpoint. Did you send a basic header with the client id and secret? Did you get the secret wrong? The error seems to be in the client, but you only showed the config for the server.

    I doubt this is related to your hack (but you are doing something very dangerous there, and I would exercise caution if I were you before using it in production).

  3. #13 (Join Date: Aug 2012, Posts: 104)

    Quote Originally Posted by Dave Syer:
        A 401 means you didn't authenticate the call to the token endpoint. Did you send a basic header with the client id and secret? Did you get the secret wrong? The error seems to be in the client, but you only showed the config for the server.
    I use OAuth2AccessTokenSupport.retrieveToken(). I see that this method "prepares" the parameters for the call, as well as the headers... then it calls /oauth/token using RestTemplate.
    What am I missing?

    Quote Originally Posted by Dave Syer:
        you are doing something very dangerous there, and I would exercise caution if I were you before using it in production
    I use this hack since I have no choice, till this issue is resolved... (my client is "anonymous" etc). I'd be happy to get rid of my work-around and use the highway.

  4. #14 (Join Date: Jun 2005, Posts: 4,241)

    Quote Originally Posted by OhadR:
        I see that this method "prepares" the parameters for the call, as well as the headers... then it calls /oauth/token using RestTemplate.
    Does it set the Authorization header with the correct client id and secret? What does the server say in its logs when it denies access?

  5. #15 (Join Date: Aug 2012, Posts: 104)

    Actually, the retrieveToken() method gets HttpHeaders and I see that they come back empty - but the client_id and client_secret come in the "form" parameter (which is a Map of attributes). So regarding your question - the headers are empty (but I count on the Spring OAuth files, I do nothing "by myself").
    In RestTemplate#doExecute():
    the url is https://ohad.sealdoc.com/butke-up/oauth/token
    method is POST
    requestCallback - contains empty headers, and the form Map contains all the data (including client id+secret)

    I see nothing in the server's log, only in the client:
    WARN web.client.RestTemplate - POST request for "https://ohad.sealdoc.com/butke-up/oauth/token" resulted in 401 (Unauthorized); invoking error handler

  6. #16 (Join Date: Jun 2005, Posts: 4,241)

    If your client sends client credentials as form parameters (it should not, but may according to the spec) you need a filter on the server to extract them (ClientCredentialsTokenEndpointFilter). It would be better to send them in a header (use authentication-type="header" in the client resource configuration if your client is a Spring OAuth client).

  7. #17 (Join Date: Aug 2012, Posts: 104)

    and again - YOU ARE THE MAN!
    I've added ClientCredentialsTokenEndpointFilter to my chain, and now I get to the TokenEndpoint.
    (I thought that ClientCredentialsTokenEndpointFilter should be in use only if I pass the params in the URL, e.g. https://bla-bla/oauth/token?client_i...t=something 2...)

    Suppose I wanna work properly (and I do) - what is the way? Currently the flow is:
    OAuth2RestTemplate --> AccessTokenProviderChain.obtainAccessToken() --> AuthorizationCodeAccessTokenProvider.obtainAccessToken() --> AuthorizationCodeAccessTokenProvider.retrieveToken(), where in between getParametersForTokenRequest() "prepares" the form parameters. So it seems to be out of my control - how can I make sure the data is not in the form, but in the body?

  8. #18 (Join Date: Jun 2005, Posts: 4,241)

    Your AuthorizationCodeAccessTokenProvider should have a ClientAuthenticationHandler, and it is responsible for setting up the header. My best guess is your <oauth:resource/> configuration has the wrong authentication-type, but it's possible you have overridden the handler.
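The two points Dave makes in #16 and #18 (client credentials belong in an HTTP Basic Authorization header; credentials sent only as form parameters need a separate server-side path, otherwise the token endpoint answers 401) can be illustrated outside Spring. The following Python model is an added example and is not Spring Security OAuth code: `build_token_request` plays the role of the client-side ClientAuthenticationHandler with its two `authentication-type` choices, and `token_endpoint` plays the server, where `allow_form_credentials` stands in for adding ClientCredentialsTokenEndpointFilter to the chain. The client id, secret, code and redirect URI are constructed values.

```python
"""Model of client authentication at POST /oauth/token (RFC 6749 section 2.3.1).

Added illustration, not Spring Security OAuth code. A client may send its
credentials in the Authorization header (HTTP Basic, preferred) or in the
form body (allowed). The server below mirrors the thread: with only the
Basic path enabled, a form-only request gets 401; enabling the form path
(the analogue of ClientCredentialsTokenEndpointFilter) lets it through.
Credentials in the URL query string are never consulted.
"""
import base64
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode

# Constructed client registration (client_id -> client_secret); not real values.
REGISTERED_CLIENTS = {"my-client": "s3cret"}


@dataclass
class TokenRequest:
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""  # application/x-www-form-urlencoded

    def form(self) -> Dict[str, str]:
        return {k: v[0] for k, v in parse_qs(self.body).items()}


def build_token_request(client_id: str, client_secret: str, code: str,
                        redirect_uri: str, auth_type: str = "header") -> TokenRequest:
    """Client side. auth_type="header" puts the credentials in a Basic
    Authorization header; auth_type="form" puts them in the form body,
    which is the situation described in post #15."""
    params = {"grant_type": "authorization_code", "code": code,
              "redirect_uri": redirect_uri}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if auth_type == "header":
        token = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        headers["Authorization"] = f"Basic {token}"
    elif auth_type == "form":
        params["client_id"] = client_id
        params["client_secret"] = client_secret
    else:
        raise ValueError(f"unknown authentication type: {auth_type}")
    return TokenRequest(headers, urlencode(params))


def _secret_matches(client_id: str, secret: str) -> bool:
    """Constant-time comparison so a wrong secret leaks no timing signal."""
    expected = REGISTERED_CLIENTS.get(client_id)
    return expected is not None and hmac.compare_digest(expected.encode(), secret.encode())


def authenticate_basic(req: TokenRequest) -> Optional[str]:
    """Server path 1: HTTP Basic header (what <security:http-basic/> does)."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(auth[len("Basic "):], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    client_id, sep, secret = decoded.partition(":")
    return client_id if sep and _secret_matches(client_id, secret) else None


def authenticate_form(req: TokenRequest) -> Optional[str]:
    """Server path 2: client_id/client_secret in the form body
    (the analogue of ClientCredentialsTokenEndpointFilter)."""
    form = req.form()
    client_id, secret = form.get("client_id"), form.get("client_secret")
    if client_id and secret and _secret_matches(client_id, secret):
        return client_id
    return None


def token_endpoint(req: TokenRequest, allow_form_credentials: bool = False) -> Tuple[int, str]:
    """Returns (status, message). 401 is what the client saw in post #15."""
    client = authenticate_basic(req)
    if client is None and allow_form_credentials:
        client = authenticate_form(req)
    if client is None:
        return 401, "unauthorized: client not authenticated"
    return 200, f"token issued to {client}"


if __name__ == "__main__":
    cb = "https://client.example/cb"  # constructed redirect URI
    form_req = build_token_request("my-client", "s3cret", "abc123", cb, auth_type="form")
    print("form only, no filter:   ", token_endpoint(form_req))
    print("form only, with filter: ", token_endpoint(form_req, allow_form_credentials=True))
    print("basic header:           ", token_endpoint(build_token_request("my-client", "s3cret", "abc123", cb)))
```

Running it reproduces the thread: the form-only request is refused until the form path is enabled, while the header-authenticated request succeeds either way, which is why switching the client to the header form is the cleaner fix.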
