I just started using the stormpath-default-spring-boot-starter (1.2.0) library for a new REST API platform that we are building. I was expecting the access cookie to be generated by the following code on authenticating the user, so that subsequent API calls can be authenticated by the cookie. The account is authenticated; however, the cookie is not getting generated.
AuthenticationRequest request = UsernamePasswordRequests.builder()
    .setUsernameOrEmail(userId)
    .setPassword(pwd)
    .withResponseOptions(UsernamePasswordRequests.options().withAccount())
    .build();
Account account = null;
try {
    account = app.authenticateAccount(request).getAccount();
} catch (ResourceException ex) {
    throw(ex);
}
Here are the property file entries:
stormpath.spring.security.enabled = false
security.basic.enabled = false
Help is much appreciated.
I think you may be mixing contexts here.
The code you provided looks like the type of manual code required when you are using the Java SDK directly and not using an integration, like the Stormpath Spring Boot integration.
When you are using the Stormpath Default Spring Boot Starter you get a bunch of endpoints automatically that you can use to authenticate and have cookies set.
For example, you have a /login endpoint.
If you fire up your example app, you should be able to go to:
curl localhost:8080/login
You will get back a login model that looks something like this:
{
  "form": {
    "fields": [
      {
        "name": "login",
        "label": "Username or Email",
        "placeholder": "Username or Email",
        "required": true,
        "type": "text"
      },
      {
        "name": "password",
        "label": "Password",
        "placeholder": "Password",
        "required": true,
        "type": "password"
      }
    ]
  }
}
You can then authenticate with a POST:
curl -v -H "Content-Type: application/json" -X POST \
-d '{"login": "<email>", "password": "<password>"}' \
http://localhost:8080/login
You'll get a response like this:
> POST /login HTTP/1.1
> Host: localhost:8080
< HTTP/1.1 200
< Set-Cookie: access_token=eyJraWQiOiJSOTJTQkhKQzFVNERBSU1HUTNNSE9HVk1YIiwic3R0IjoiYWNjZXNzIiwiYWxnIjoiSFMyNTYifQ...;Max-Age=3600;path=/;HttpOnly
< Set-Cookie: refresh_token=eyJraWQiOiJSOTJTQkhKQzFVNERBSU1HUTNNSE9HVk1YIiwic3R0IjoicmVmcmVzaCIsImFsZyI6IkhTMjU2In0...;Max-Age=5184000;path=/;HttpOnly
< Content-Type: application/json
< Transfer-Encoding: chunked
< Date: Mon, 05 Dec 2016 05:30:25 GMT
<
* Connection #0 to host localhost left intact
{
  "account": {
    "href": "https://api.stormpath.com/v1/accounts/<account id>",
    "createdAt": "2016-03-04T06:29:48.506Z",
    "modifiedAt": "2016-08-17T18:01:07.812Z",
    "username": "<username>",
    "email": "<email>",
    "givenName": "<givenName>",
    "middleName": null,
    "surname": "<surname>",
    "status": "ENABLED",
    "fullName": "<full name>",
    "emailVerificationStatus": null,
    "passwordModifiedAt": "2016-05-24T02:14:01.000Z"
  }
}
The response contains both the access_token and the refresh_token cookies as well as a JSON response containing the account information.
If you want to use OAuth2, you have a /oauth/token endpoint that supports both the grant_type=password and the grant_type=client_credentials flow:
curl -v -X POST \
-d grant_type=password -d username=<email> -d password=<password> \
http://localhost:8080/oauth/token
You'll get a response like:
> POST /oauth/token HTTP/1.1
> Host: localhost:8080
< HTTP/1.1 200
< Set-Cookie: access_token=eyJraWQiOiJSOTJTQkhKQzFVNERBSU1HUTNNSE9HVk1YIiwic3R0IjoiYWNjZXNzIiwiYWxnIjoiSFMyNTYifQ...;Max-Age=3600;path=/;HttpOnly
< Set-Cookie: refresh_token=eyJraWQiOiJSOTJTQkhKQzFVNERBSU1HUTNNSE9HVk1YIiwic3R0IjoicmVmcmVzaCIsImFsZyI6IkhTMjU2In0...;Max-Age=5184000;path=/;HttpOnly
< Cache-Control: no-store, no-cache
< Pragma: no-cache
< Content-Type: application/json;charset=ISO-8859-1
< Content-Length: 933
< Date: Mon, 05 Dec 2016 05:38:53 GMT
<
* Connection #0 to host localhost left intact
{
  "access_token": "eyJraWQiOiJSOTJTQkhKQzFVNERBSU1HUTNNSE9HVk1YIiwic3R0IjoiYWNjZXNzIiwiYWxnIjoiSFMyNTYifQ...",
  "refresh_token": "eyJraWQiOiJSOTJTQkhKQzFVNERBSU1HUTNNSE9HVk1YIiwic3R0IjoicmVmcmVzaCIsImFsZyI6IkhTMjU2In0...",
  "token_type": "Bearer",
  "expires_in": 3600
}
I hope this helps!
Full disclosure: I am one of Stormpath's Java Developer Evangelists.
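An added example, not part of the original answer or of Stormpath's code: a Python check that parses the two Set-Cookie lines from the curl output above, reports which cookie attributes are present, and decodes the unverified JWT header of each token. The function names are this example's own, and the token values are truncated exactly as they are on the page.

```python
import base64
import json

# Set-Cookie lines copied from the curl output above; the token values are
# truncated there ("..."), so only the first (header) segment is decodable.
SAMPLE_HEADERS = [
    "Set-Cookie: access_token=eyJraWQiOiJSOTJTQkhKQzFVNERBSU1HUTNNSE9HVk1YIiwic3R0IjoiYWNjZXNzIiwiYWxnIjoiSFMyNTYifQ...;Max-Age=3600;path=/;HttpOnly",
    "Set-Cookie: refresh_token=eyJraWQiOiJSOTJTQkhKQzFVNERBSU1HUTNNSE9HVk1YIiwic3R0IjoicmVmcmVzaCIsImFsZyI6IkhTMjU2In0...;Max-Age=5184000;path=/;HttpOnly",
]

def jwt_header(token):
    """Decode the unverified JOSE header (first dot-separated segment)."""
    segment = token.split(".", 1)[0]
    padded = segment + "=" * (-len(segment) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(padded))

def parse_set_cookie(line):
    """Split one Set-Cookie header into name, value and lower-cased attributes."""
    _, _, rest = line.partition(":")
    parts = [p.strip() for p in rest.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or True  # bare flag -> True
    return {"name": name, "value": value, "attrs": attrs}

def audit(lines):
    """Return one finding per cookie: flags present, lifetime, token header."""
    findings = []
    for line in lines:
        cookie = parse_set_cookie(line)
        attrs, header = cookie["attrs"], jwt_header(cookie["value"])
        findings.append({
            "name": cookie["name"],
            "http_only": "httponly" in attrs,
            "secure": "secure" in attrs,
            "same_site": attrs.get("samesite"),
            "max_age_s": int(attrs["max-age"]),
            "alg": header.get("alg"),
            "stt": header.get("stt"),
        })
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_HEADERS):
        print(finding)
```

On the sample lines, captured over plain HTTP on localhost, both cookies carry HttpOnly but no Secure or SameSite attribute, and the refresh token's Max-Age of 5184000 seconds is 60 days; the same check can be run against headers captured from an HTTPS deployment.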