Token endpoit fails to authenticate client credentials from a client with form scheme

**enkhchuluun** · Sep 17th, 2012, 09:10 PM

Hi guys~

Token endpoint works great with clients of "header" client-authentication-scheme, but it fails on "form" scheme.

client resource conf:

Code:

<oauth:resource id="gdpgame" type="authorization_code" client-id="mocksite" client-secret="secret"
		access-token-uri="http://local-gdp.onlinegame.com/auth/token.nhn" user-authorization-uri="http://local-gdp.onlinegame.com/auth/authorize.nhn" scope="read" 
		authentication-scheme="query" client-authentication-scheme="form"   />

auth server conf:

Code:

<http pattern="/auth/token\.(nhn|json|xml).*" create-session="stateless" authentication-manager-ref="clientAuthenticationManager"
		entry-point-ref="oauthAuthenticationEntryPoint" xmlns="http://www.springframework.org/schema/security" request-matcher="regex" >
		<intercept-url pattern="/auth/token\.(nhn|json|xml).*" access="IS_AUTHENTICATED_FULLY" />
		<anonymous enabled="false" />
		
		<!-- include this only if you need to authenticate clients via request parameters -->
		<custom-filter ref="clientCredentialsTokenEndpointFilter" before="BASIC_AUTH_FILTER" />
		<access-denied-handler ref="oauthAccessDeniedHandler" />

You can notice that basic auth filter is removed to support only form scheme.

When i debugged the auth server, i found that following code from ClientCredentialsTokenEndpointFilter is little buggy:

Code:

@Override
	protected boolean requiresAuthentication(HttpServletRequest request, HttpServletResponse response) {
		String uri = request.getRequestURI();
		int pathParamIndex = uri.indexOf(';');

		if (pathParamIndex > 0) {
			// strip everything after the first semi-colon
			uri = uri.substring(0, pathParamIndex);
		}

		String clientId = request.getParameter("client_id");

		if (clientId == null) {
			// Give basic auth a chance to work instead (it's preferred anyway)
			return false;
		}

		return super.requiresAuthentication(request, response);
	}

i think it shoud return true when clientId is not null case, because super.requiresAuthentication(request, response) always return false so that attemptAuthentication method is not called.

any ideas?

**Dave Syer** · Sep 20th, 2012, 09:50 AM

There is an integration test for this that works, so if there is a bug it isn't as obvious as that. Did you look at the implementation of super.requiresAuthentication()? Are you using the standard endpoint URLs?

**enkhchuluun** · Sep 20th, 2012, 08:34 PM

Yeah, super.requiresAuthentication() does nothing with client_id/client_secret
protected boolean requiresAuthentication(HttpServletRequest request, HttpServletResponse response) {
String uri = request.getRequestURI();
int pathParamIndex = uri.indexOf(';');

if (pathParamIndex > 0) {
// strip everything after the first semi-colon
uri = uri.substring(0, pathParamIndex);
}

if ("".equals(request.getContextPath())) {
return uri.endsWith(filterProcessesUrl);
}

return uri.endsWith(request.getContextPath() + filterProcessesUrl);
}

And I've changed original endpoint url to /auth/token.nhn

Did you run the integration test without basic auth filter?

**Dave Syer** · Sep 21st, 2012, 02:21 AM

It's probably your custom endpoint URL that's the problem. Raise a JIRA ticket and we can have a look in more detail.

What do you mean about basic auth? The test is in sparklr2 if you want to try it yourself.

Thread: Token endpoit fails to authenticate client credentials from a client with form scheme

Thread Tools

Display

Token endpoit fails to authenticate client credentials from a client with form scheme

Posting Permissions