I am using Spring Boot with an external OAuth2 authorization server. This is the security section of my application.yml (nested under `spring:`):
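# Excerpt of application.yml; the full key path is spring.security.oauth2.*
security:
  oauth2:
    client:
      provider:
        auth0:
          # Plain http is only tolerable for a loopback test server. Anything
          # that is not localhost must be https, otherwise the authorization
          # code, the client secret and the tokens travel in the clear.
          authorization-uri: http://localhost:5556/auth0/auth
          token-uri: http://localhost:5556/auth0/token
          jwk-set-uri: http://localhost:5556/auth0/keys
      registration:
        auth0:
          client-id: sample-app
          # Never commit the client secret as a literal in application.yml.
          # Inject it from the environment (or a secrets manager) at startup.
          client-secret: ${AUTH0_CLIENT_SECRET}
          client-name: Sample App
          scope: openid
          authorization-grant-type: authorization_code
          # Spring Security's login filter listens on
          # /login/oauth2/code/{registrationId} by default; a custom path such
          # as /callback must also be configured via
          # oauth2Login().redirectionEndpoint().baseUri(...) and registered
          # verbatim at the authorization server — TODO confirm which path the
          # server really calls back to.
          redirect-uri: http://localhost:8085/callback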
and this is my filter chain:
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     * Browser-facing security chain: every request must be authenticated, and
     * authentication is obtained through the OAuth2 login (authorization-code)
     * flow. The result of that flow is an HTTP session backed by a cookie, not
     * a bearer token — the browser will not send an Authorization header on
     * later requests.
     *
     * @param http the builder for this security chain
     * @throws Exception propagated from the HttpSecurity DSL
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // "/callback" is opened up; note that the OAuth2 login filter only
        // processes /login/oauth2/code/{registrationId} unless the redirection
        // endpoint is reconfigured, so whatever serves "/callback" should be
        // checked — TODO confirm.
        http.authorizeRequests()
            .antMatchers("/callback").permitAll()
            .anyRequest().authenticated();

        // Same builder, separate statement: equivalent to chaining via .and()
        http.oauth2Login();
    }
}
When I open my browser, type in one of my Spring Boot GET endpoints, I see login page asking for username/password. I type them in, press "Login" and see button "Grant access". I press it and see endpoint response. But subsequent requests to endpoints do not contain any bearer token. Shouldn't there be a token in the headers, once I authorize?
What is missing is the resource-server (bearer/JWT) side of the SecurityConfig. Be aware that two different things are going on: `oauth2Login()` is a browser login — after the authorization-code flow Spring Security stores the result in the HTTP session, and the browser keeps sending the session cookie, never an `Authorization: Bearer` header. A bearer token only appears on requests from a client that already holds an access token (for example an API caller), and such requests are only accepted if you also enable `oauth2ResourceServer()` with a JWT decoder — Spring Boot builds that from `spring.security.oauth2.resourceserver.jwt.jwk-set-uri` (or `issuer-uri`), not from the `client.provider.*.jwk-set-uri` setting above:
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
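@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     * One chain, two ways in:
     * <ul>
     *   <li>{@code oauth2Login()}: browser users complete the authorization-code
     *       flow and come back with an HTTP session (cookie). This never puts a
     *       bearer token on browser requests.</li>
     *   <li>{@code oauth2ResourceServer().jwt()}: callers that already hold an
     *       access token present it as {@code Authorization: Bearer <jwt>}; it is
     *       validated against the provider's JWK set. This requires a JwtDecoder,
     *       which Spring Boot auto-configures only from
     *       {@code spring.security.oauth2.resourceserver.jwt.jwk-set-uri} (or
     *       {@code issuer-uri}); the {@code client.provider.*.jwk-set-uri}
     *       property does not feed it.</li>
     * </ul>
     * CSRF protection stays at its default (enabled). Bearer-authenticated API
     * clients that send state-changing requests will then need the CSRF token
     * unless they get their own stateless chain — decide that explicitly rather
     * than blanket-disabling CSRF for the browser chain too.
     *
     * @param http the builder for this security chain
     * @throws Exception propagated from the HttpSecurity DSL
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // The login redirection endpoint (/login/oauth2/code/{registrationId})
                // is consumed by the OAuth2 login filter before authorization is
                // evaluated, so it needs no permitAll. The previous
                // "/login/oauth2/code/dex" matcher also named a registration ("dex")
                // that the application.yml above does not define ("auth0" does).
                .anyRequest().authenticated()
                .and()
            .oauth2Login()
                .and()
            .oauth2ResourceServer()
                .jwt()
                    .jwtAuthenticationConverter(jwtAuthenticationConverter());
    }

    /**
     * Maps a validated JWT to an Authentication. The stock converter derives
     * authorities from the token's scope claims with a {@code SCOPE_} prefix;
     * customise it here if roles live in a different claim.
     *
     * @return the converter handed to the resource-server JWT support
     */
    private JwtAuthenticationConverter jwtAuthenticationConverter() {
        return new JwtAuthenticationConverter();
    }
}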