I have created a set of spring boot microservices having followed along roughly with the tutorial I found here. I've had success getting my project up and going without any attempt to secure the rest endpoint or the user interface. But eventually I need to secure everything using LDAP, and I will need to conditionally allow access to user interface sections based upon user roles. For the time being, without involving LDAP, I have tried roughly a score of tutorials on how to use in-memory authentication in conjunction with OAuth2 and I cannot understand what it is exactly that I need to do to make this go.
I have created a github repository that contains two branches. The first branch is called no-authentication which demonstrates a simplified version of my project before any attempt to add authentication is begun. The README describes the project makeup, but it is essentially a configuration server, a service registry, one rest resource with two endpoints that are not authenticated, and a user interface module that accesses the two endpoints.
The idea is that the first endpoint will eventually require one group membership ("USER"), and the other endpoint another group membership ("ADMIN"). But I haven't gotten so far yet.
The second branch is called oauth-server. This branch adds another spring boot module called oauth2-server, and that module contains the code that my user interface is forwarded to in order to authenticate.
I am presented with a login page as I would hope, but when I enter valid credentials (user/user or admin/admin) I see an error on the page:
OAuth Error
error="invalid_grant", error_description="Invalid redirect: http://localhost:8084/authtest/login does not match one of the registered values."
I am totally new to this area, and I have been really just playing whack-a-mole with my various attempts to get this working. You can view the code directly, and you will need to be well versed in order to understand the setup. Here is roughly how the authentication is set up to work.
The UI that needs to be authenticated is called authentication-test-ui. Its configuration can be found in its resources/bootstrap.yml, and the rest of its configuration comes from the control-center/config-server module's classpath, the source located at resources/config-repo/authentication-test-ui.yml. This is the security config:
# resources/config-repo/authentication-test-ui.yml (served by the config server)
gateway-server: 'http://localhost:8901/authserver'
security:
  oauth2:
    client:
      client-id: ui
      client-secret: uisecret
      scope: ui
      access-token-uri: ${gateway-server}/oauth/token
      user-authorization-uri: ${gateway-server}/oauth/authorize
      pre-established-redirect-uri: http://localhost:8084/authtest
    resource:
      user-info-uri: ${gateway-server}/userInfo
The UI's application class is annotated with @EnableOAuth2Sso.
The authorization server is in the module services/oauth2-server. This is annotated with @EnableAuthorizationServer and follows a similar configuration pattern to the UI (has a bootstrap.yml in its own module and a yml on the config server). The code performs in-memory authentication like this:
// In the @EnableAuthorizationServer configuration class; passwordEncoder is a
// PasswordEncoder bean injected elsewhere in the class.
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
    clients.inMemory()
        .withClient("ui")
        .secret(passwordEncoder.encode("uisecret"))
        .authorizedGrantTypes("authorization_code", "implicit", "password", "client_credentials", "refresh_token")
        .scopes("ui")
        // The only redirect URI the server will accept for this client.
        .redirectUris(
            "http://localhost:8084/authtest"
        );
}
And the security configuration looks like this:
// In the WebSecurityConfigurerAdapter subclass of the authorization server.
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .requestMatchers()
            .antMatchers("/login", "/oauth/authorize", "/oauth/confirm_access")
            .and()
        .authorizeRequests()
            .anyRequest().authenticated()
            .and()
        .formLogin().loginPage("/login").permitAll();
}

// In-memory users: user/user has ROLE_USER, admin/admin has ROLE_USER and ROLE_ADMIN.
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    auth
        .inMemoryAuthentication()
            .passwordEncoder(passwordEncoder())
            .withUser("admin").password(passwordEncoder().encode("admin")).roles("USER", "ADMIN")
            .and()
            .withUser("user").password(passwordEncoder().encode("user")).roles("USER");
}
I most likely have not provided the right information to be able to understand the issue simply by looking at the snippets I've pasted, so looking at the project is probably the only way to fully get it.
If anyone can help me with this I would greatly appreciate it. I've been on this for nearly a week and feel like I can't be too far off the mark. I'm really looking for the simplest way to get authenticated.
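The "Invalid redirect" error above is produced by the authorization server comparing the redirect_uri the client actually sent (`http://localhost:8084/authtest/login`) against the registered list (`http://localhost:8084/authtest`). The following is an added standalone model of that strict comparison, written here to illustrate the check; it is not part of the question and not Spring Security OAuth's own resolver. It assumes the usual strict rule: scheme, host, port and path must match exactly, the request may only add query parameters, and fragments are rejected.

```python
from typing import Iterable
from urllib.parse import parse_qs, urlsplit


def redirect_matches(requested: str, registered: str) -> bool:
    """Strictly compare one requested redirect_uri with one registered value.

    Scheme, host, port and path must be identical; prefix matching is deliberately
    avoided so that "/authtest.evil.example" or a different host cannot pass.
    Query parameters present on the registered value must be present with the
    same value on the request; extra request parameters are tolerated.
    """
    req, reg = urlsplit(requested), urlsplit(registered)
    if req.fragment:  # redirect_uri values never carry a fragment
        return False
    if (req.scheme, req.hostname, req.port) != (reg.scheme, reg.hostname, reg.port):
        return False
    if req.path != reg.path:  # exact path match: /authtest/login != /authtest
        return False
    req_q, reg_q = parse_qs(req.query), parse_qs(reg.query)
    return all(req_q.get(key) == value for key, value in reg_q.items())


def resolve_redirect(requested: str, registered: Iterable[str]) -> str:
    """Return the requested URI if it matches a registered one, else raise."""
    for candidate in registered:
        if redirect_matches(requested, candidate):
            return requested
    raise ValueError(
        f"Invalid redirect: {requested} does not match one of the registered values."
    )


# Values taken from the question: the registered URI and the one the UI sent.
REGISTERED_URIS = ["http://localhost:8084/authtest"]
REQUESTED_URI = "http://localhost:8084/authtest/login"

if __name__ == "__main__":
    try:
        resolve_redirect(REQUESTED_URI, REGISTERED_URIS)
    except ValueError as err:
        print(err)  # reproduces the error_description shown on the page
    # Registering the full callback path makes the same request acceptable.
    print(resolve_redirect(REQUESTED_URI, ["http://localhost:8084/authtest/login"]))
```

Strict matching is what keeps the redirect_uri from becoming an open redirect, so the safe way to make the flow work is to register the exact callback path the client sends rather than to relax the comparison.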