Error when vaildating access token in Spring boot

justatest · April 29, 2019, 8:57am

We are creating a Angular front end application with a implicit login, that will eventually receive a access so that you can send the access token to the Spring backend and access various endpoints.

The frontend is working poperly and we have done all the setup, the problem comes to the backend.
When we send in the access token to the spring application to get the Principal information from the access token the request never gets through, all we get is a invalid access token return.

This is our dependencies in Spring boot 2.1.4

  	<dependency>
			<groupId>com.okta.spring</groupId>
			<artifactId>okta-spring-boot-starter</artifactId>
			<version>1.1.0</version>
		</dependency>
		<dependency>
			<groupId>org.springframework.security.oauth.boot</groupId>
			<artifactId>spring-security-oauth2-autoconfigure</artifactId>
			<version>2.1.4.RELEASE</version>
		</dependency>

We are also using .oauth2ResourceServer().jwt(); to extract the jwt token.
Does anyone know why this is happening because I have searched for a similar error that i can’t find.

The response from Spring aplication

{
“error”: “invalid_token”,
“error_description”: "Invalid access token: {tokenvalue}
}

mraible · April 29, 2019, 2:21pm

First of all, you don’t need spring-security-oauth2-autoconfigure when using Spring Boot 2.1.4 and v1.1.0 of our starter. That might be your issue. Can you try removing it?

justatest · April 29, 2019, 2:47pm

If I remove the autoconfigure i do not have access to @EnableResourceServer annotation, and if that is not available I will get a 404 on the endpoint I am calling.

If I add it with the spring security dependency I will still get 401 and the same error message.

Is this myabe a Jersey issue? All my endpoints are Jax-rs annotated. I think this maybe needs some pre authorization with jersey?

mraible · April 29, 2019, 3:30pm

Using @EnableResourceServer is deprecated in Spring Boot 2.1. You now configure a resource server using Spring Security’s config. From our starter’s README:

@RestController
@SpringBootApplication
public class ExampleApplication {

    public static void main(String[] args) {
        SpringApplication.run(ExampleApplication.class, args);
    }

    @GetMapping("/hello-oauth")
    public String sayHello(Principal principal) {
        return "Hello, " + principal.getName();
    }
    
    @Configuration
    static class OktaOAuth2WebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests().anyRequest().authenticated()
                .and()
                .oauth2ResourceServer().jwt();
        }
    }
}

justatest · May 2, 2019, 7:50am

Thank you for the answer but that did not solve it, we ran with Spring’s RestController and using our endpoints with Spring owns library. Now everything is working fine, this was not a issue at all for us since it’s very similar to Jersey and we have been working with both of them anyway.

system · January 17, 2024, 11:28pm

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.