I'm trying to configure OAuth2 for a spring project. I'm using a shared UAA (oauth implementation from cloud foundry) instance my work place provides (so I'm not trying to create an authorization server and the authorization server is separate from the resource server). The frontend is a single-page-application and it gets token directly from the authorization server using the implicit grant. I have the SPA setup where it adds the Authorization: Bearer <TOKEN> header on each web API call to microservices.
My issue is now with the microservices.
I'm trying to use this shared authorization server to authenticate the microservices. I might have a misunderstanding here, buy my current understanding is that these microservices play the role of the resource server because they host the endpoints the SPA uses to get data.
So I tried to configure a microservice like so:
@Configuration
@EnableResourceServer
public class OAuth2ResourceServerConfig extends ResourceServerConfigurerAdapter {
@Override
public void configure(HttpSecurity http) throws Exception {
http.csrf().disable()
.authorizeRequests()
.antMatchers("/api/**").authenticated();
}
@Bean
public TokenStore tokenStore() {
return new JwtTokenStore(accessTokenConverter());
}
@Bean
public JwtAccessTokenConverter accessTokenConverter() {
JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
converter.setVerifierKey("-----BEGIN PUBLIC KEY-----<key omitted>-----END PUBLIC KEY-----");
return converter;
}
@Bean
@Primary
public DefaultTokenServices tokenServices() {
DefaultTokenServices defaultTokenServices = new DefaultTokenServices();
defaultTokenServices.setTokenStore(tokenStore());
return defaultTokenServices;
}
@Override
public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
resources.tokenServices(tokenServices());
}
}
Now whenever I hit a /api/** with the Authorization: Bearer <TOKEN>, I get a 403 with this error:
{
"error": "access_denied",
"error_description": "Invalid token does not contain resource id (oauth2-resource)"
}
So here are my questions:
- How do I configure these microservices to validate the token and insert a
Principalin controller methods? I currently have it setup where the SPA has and sends the token and I also have the public key used to verify the signature of the token. I have also used jwt.io to test the token and it says "Signature Verified". - What is a resource id? Why do I need it and why does it cause the error above? Is that a Spring only thing??
Thanks!
Spring OAuth expects "aud" claim in JWT token. That claim's value should match to the resourceId value you specify your Spring app (if not specified it defaults to "oauth2-resource").
To fix your issue you need to:
1) Log into your shared UAA and make sure it does include "aud" claim.
2) Change the value of that "aud" claim to be "oauth2-resource" or preferably in your Spring app update resourceId to that claim's value like this:
@Override
public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
resources.tokenServices(tokenServices());
resources.resourceId(value from the aud claim you got from UAA server);
}