Search code examples

Spring oauth2 refresh token - Cannot convert access token to JSON

I'm trying to use a refresh token in a Spring OAuth application without success. The system will issue a refresh token on a password grant:

  "access_token": "xxxxx",
  "token_type": "bearer",
  "refresh_token": "xxxxxx",
  "expires_in": 21599,
  "scope": "read write"

But trying to use the refresh token results in the following error:

curl -u acme -d "grant_type=refresh_token&refresh_token=xxxxxx" http://localhost:9999/uaa/oauth/token

  "error": "invalid_token",
  "error_description": "Cannot convert access token to JSON"

My auth server config is as follows:

@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
public class ApplicationConfiguration extends WebMvcConfigurerAdapter {

    public Principal user(Principal user) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        return user;

    public void addViewControllers(ViewControllerRegistry registry) {

    protected static class LoginConfig extends WebSecurityConfigurerAdapter {

        private AuthenticationManager authenticationManager;

        protected void configure(HttpSecurity http) throws Exception {


            // @formatter:off
                .requestMatchers().antMatchers("/login", "/oauth/authorize", "/oauth/confirm_access")
            // @formatter:on


        public AuthenticationManager authenticationManagerBean() throws Exception {
            return super.authenticationManagerBean();

    public static class JwtConfiguration {

        public JwtAccessTokenConverter jwtAccessTokenConverter() {
            JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
            KeyPair keyPair = new KeyStoreKeyFactory(new ClassPathResource("keystore.jks"), "foobar".toCharArray())
            return converter;

        public JwtTokenStore jwtTokenStore() {
            return new JwtTokenStore(jwtAccessTokenConverter());

    protected static class OAuth2AuthorizationConfig extends AuthorizationServerConfigurerAdapter implements
            EnvironmentAware {

        private static final String ENV_OAUTH = "authentication.oauth.";
        private static final String PROP_CLIENTID = "clientid";
        private static final String PROP_SECRET = "secret";
        private static final String PROP_TOKEN_VALIDITY_SECONDS = "tokenValidityInSeconds";

        private RelaxedPropertyResolver propertyResolver;

        private AuthenticationManager authenticationManager;

        private JwtAccessTokenConverter jwtAccessTokenConverter;

        private JwtTokenStore jwtTokenStore;

        private UserDetailsService userDetailsService;

        private DataSource dataSource;

        public void setEnvironment(Environment environment) {
            this.propertyResolver = new RelaxedPropertyResolver(environment, ENV_OAUTH);

        public TokenEnhancer tokenEnhancer() {
            return new CustomTokenEnhancer();

        public DefaultTokenServices tokenServices() {
            DefaultTokenServices tokenServices = new DefaultTokenServices();
            return tokenServices;

        public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
            TokenEnhancerChain tokenEnhancerChain = new TokenEnhancerChain();
            // The order is important here - the custom enhancer must come before the jwtAccessTokenConverter.
            tokenEnhancerChain.setTokenEnhancers(Arrays.asList(tokenEnhancer(), jwtAccessTokenConverter));

        public void configure(AuthorizationServerSecurityConfigurer oauthServer)
                throws Exception {

        public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
                    .scopes("read", "write")
                    .authorizedGrantTypes("authorization_code", "refresh_token", "password")
                    .accessTokenValiditySeconds(propertyResolver.getProperty(PROP_TOKEN_VALIDITY_SECONDS, Integer
                    .class, 1800));*/

     * Configures the global LDAP authentication
    protected static class AuthenticationConfiguration extends GlobalAuthenticationConfigurerAdapter implements EnvironmentAware {

        private static final String ENV_LDAP = "authentication.ldap.";
        private static final String PROP_SEARCH_BASE = "userSearchBase";
        private static final String PROP_SEARCH_FILTER = "userSearchFilter";
        private static final String PROP_GROUP_SEARCH_FILTER = "groupSearchFilter";
        private static final String PROP_LDAP_URL = "url";
        private static final String PROP_LDAP_USER = "userDn";
        private static final String PROP_LDAP_PASS = "password";

        private RelaxedPropertyResolver propertyResolver;

         * Maps the LDAP user to the Principle that we'll be using in the app
        public UserDetailsContextMapper userDetailsContextMapper() {
            return new UserDetailsContextMapper() {
                public UserDetails mapUserFromContext(DirContextOperations ctx, String username,
                                                      Collection<? extends GrantedAuthority> authorities) {
                    // Get the common name of the user
                    String commonName = ctx.getStringAttribute("cn");
                    // Get the users email address
                    String email = ctx.getStringAttribute("mail");
                    // Get the domino user UNID
                    String uId = ctx.getStringAttribute("uid");
                    return new CustomUserDetails(email, "", commonName, authorities);

                public void mapUserToContext(UserDetails user, DirContextAdapter ctx) {
                    throw new IllegalStateException("Only retrieving data from LDAP is currently supported");


        public void setEnvironment(Environment environment) {
            this.propertyResolver = new RelaxedPropertyResolver(environment, ENV_LDAP);

        public void init(AuthenticationManagerBuilder auth) throws Exception {

Anyone have any ideas why the auth server isn't issuing a new token when given a valid refresh token?


  • So it looks like the issue was an invalid refresh_token format. Due to my config, what the auth server was expecting was a valid JWT, whereas I was sending it a plain bearer token. Hence the error message 'cannot convert token to JSON'.

    Incidentally, I found this document useful in understanding how all the parts of Spring OAuth fit together, which led me to figuring out what was going on here: