Invalid token / Invalid Signature

Hi,

While trying to follow exactly this exercise: https://developer.okta.com/blog/2017/10/27/secure-spa-spring-boot-oauth, I hit a snag.

I see in the Chrome Debugger that the SPA is able to fan out a call to :

{
  "baseUrl": "https://dev-845131.oktapreview.com",
  "clientId":"0oaebkj7dbOzkEQPs0h7",
  "authParams": {
    "issuer":"https://dev-845131.oktapreview.com/oauth2/default"
  }
}

and response from OKTA is :

{
  "expiresAt": "2018-03-15T07:08:05.000Z",
  "status": "SUCCESS",
  "sessionToken": "{hidden-session-token}",
  "_embedded": {
    "user": {
      "id": "00uebok08165r7hDb0h7",
      "passwordChanged": "2018-03-15T05:13:31.000Z",
      "profile": {
        "login": "raman2072@gmail.com",
        "firstName": "Seetharaman",
        "lastName": "Narayanan",
        "locale": "en",
        "timeZone": "America/Los_Angeles"
      }
    }
  }
}

and the call to protected resource with the token results in :

{
  "error": "invalid_token",
  "error_description": "Invalid access token: eyJraWQiOiJxUnRROGFKMGNxN19QTHVzdFN3V2tzLUE2QWhUZ3NuMW9QSy1xRXp1azdZIiwiYWxnIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULk9Jc2s0c3BZVkFMYU1UU2RYbXFtZFAtQ3BWelpNRzVTYjVfNGtKTzNSRk0iLCJpc3MiOiJodHRwczovL2Rldi04NDUxMzEub2t0YXByZXZpZXcuY29tL29hdXRoMi9kZWZhdWx0IiwiYXVkIjoiYXBpOi8vZGVmYXVsdCIsImlhdCI6MTUyMTA5NzM4NSwiZXhwIjoxNTIxMTAwOTg1LCJjaWQiOiIwb2FlYmtqN2RiT3prRVFQczBoNyIsInVpZCI6IjAwdWVib2swODE2NXI3aERiMGg3Iiwic2NwIjpbIm9wZW5pZCIsInByb2ZpbGUiLCJlbWFpbCJdLCJzdWIiOiJyYW1hbjIwNzJAZ21haWwuY29tIn0.bhIL6amt9KIYhoh0fh2y9yMGxxlg3eW9pxXlopuu6MmmrC5hJIoVj7UXTwy0TTHrlinAIpbFKiOgYOt-CMyop91CABiceJbl451rt1Bw814SFMpAru6M8jB_JxVdINhIuXDQfXG_Wg54exX4KVZOOeJ5CfUvY4vSxFqgj5rLHzIBBkdr_F4rRdZ5Ltq457thJX_0j1B8ETH3v1O1nwHvyhrIBvvaeTdioimuXjN7egba18xTIwfBSwX00Ic50qP9RTTwlW0pCFYF3qcaFWlmSRnh_tuJb2G8qG_QEnCgiNH5r24IbQnfXOAMOpWHYw1KAquGDGBN7ukNGp3xQ0k4tw"
}

Here is my application.yaml

okta:
 oauth2:
   clientId: 0oaebkj7dbOzkEQPs0h7
   issuer: https://dev-845131.oktapreview.com/oauth2/default

So why is Spring-Security crying that the token sent by OKTA is invalid token because of invalid signature?

So please help me resolve this issue.

Much gratitude in advance
Seetha

[edit by bdemers - formatted code blocks]
Note: avoid sharing access tokens, this one is expired so I left it in.

Everything looks fine at first glance.

Can you paste in the rest of your console log?

OK Here we go:

A call to https://dev-845131.oktapreview.com/api/v1/authn results in success

{expiresAt: “2018-03-15T14:39:38.000Z”, status: “SUCCESS”,…}
expiresAt: “2018-03-15T14:39:38.000Z”
sessionToken: “20111zGRR-Y6g91M_eWGV38N93uVGF3Zo8lLNoLg7-Jyt7RHyJvXYBz”
status: “SUCCESS”
_embedded: {user: {id: “00uebok08165r7hDb0h7”, passwordChanged: “2018-03-15T05:13:31.000Z”,…}}

Subsequent call to http://localhost:8080/mod with this access token results in spring security interceptors crying…

{error: “invalid_token”,…}
error: “invalid_token”
error_description:
“Invalid access token: eyJraWQiOiJxUnRROGFKMGNxN19QTHVzdFN3V2tzLUE2QWhUZ3NuMW9QSy1xRXp1azdZIiwiYWxnIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULkxPSlp3cGktajBlbG9KTWpGQ1NqUE9vRjdUdEZvaU9sTGNzcFpvX0VzNE0iLCJpc3MiOiJodHRwczovL2Rldi04NDUxMzEub2t0YXByZXZpZXcuY29tL29hdXRoMi9kZWZhdWx0IiwiYXVkIjoiYXBpOi8vZGVmYXVsdCIsImlhdCI6MTUyMTEyNDQ3OSwiZXhwIjoxNTIxMTI4MDc5LCJjaWQiOiIwb2FlYmtqN2RiT3prRVFQczBoNyIsInVpZCI6IjAwdWVib2swODE2NXI3aERiMGg3Iiwic2NwIjpbImVtYWlsIiwib3BlbmlkIiwicHJvZmlsZSJdLCJzdWIiOiJyYW1hbjIwNzJAZ21haWwuY29tIn0.FxMIIjThbmxpyItr0XVMDPSxQWVnNZGnMNXtQ1yzMygaVM6C2lDkxMm9mn5z1YDmeVBbRwSqIB3HsOuOzB6zAYfvJRJYI2R02qTDWpGJeoVqstBfQETMs_QRx_rnYEdI8d0Njhz3xuWz_CvCbk6LyJAnEMJ0Dmk0gnxfr2ZanrqBYRnZq_8PBl-Cx3vLpkrXbVotu8WuJBvvxNnBdeot_0LVQcpbSv6XjklQxZel2L4VCLU7g947NSU5tD-uenUuVc4v6Gu0CGX4c4JZrTJ4iQnCN5Rfk9Hty1Q0QwAZt_srJL5SIShu-qNyxT6pK0i4r3PSNq87GAj83vbhYOODBA”

Sorry, I meant your Spring app’s console log.

Here we go! I couldn’t get much from SpringBoot console logs either, except confirming the hapless crying of Spring Security filters.

08:13:09.731 [main] DEBUG org.springframework.boot.devtools.settings.DevToolsSettings - Included patterns for restart : []
08:13:09.749 [main] DEBUG org.springframework.boot.devtools.settings.DevToolsSettings - Excluded patterns for restart : [/spring-boot-starter/target/classes/, /spring-boot-autoconfigure/target/classes/, /spring-boot-starter-[\w-]+/, /spring-boot/target/classes/, /spring-boot-actuator/target/classes/, /spring-boot-devtools/target/classes/]
08:13:09.750 [main] DEBUG org.springframework.boot.devtools.restart.ChangeableUrls - Matching URLs for reloading : [file:/home/ramesh/software/workspace-sts-3.9.2.RELEASE/oauth-implicit-example/target/classes/]

:: Spring Boot :: (v2.0.0.RELEASE)

2018-03-15 08:13:15.729 DEBUG 6608 — [ restartedMain] eGlobalAuthenticationAutowiredConfigurer : Eagerly initializing {org.springframework.boot.autoconfigure.security.servlet.WebSecurityEnablerConfiguration=org.springframework.boot.autoconfigure.security.servlet.WebSecurityEnablerConfiguration$$EnhancerBySpringCGLIB$$c96d53d9@18198b98}
2018-03-15 08:13:16.237 DEBUG 6608 — [ restartedMain] edFilterInvocationSecurityMetadataSource : Adding web access control expression ‘permitAll’, for Ant [pattern=’/’]
2018-03-15 08:13:16.239 DEBUG 6608 — [ restartedMain] edFilterInvocationSecurityMetadataSource : Adding web access control expression ‘permitAll’, for Ant [pattern=’/index.html’]
2018-03-15 08:13:16.239 DEBUG 6608 — [ restartedMain] edFilterInvocationSecurityMetadataSource : Adding web access control expression ‘permitAll’, for Ant [pattern=’/sign-in-widget-config’]
2018-03-15 08:13:16.240 DEBUG 6608 — [ restartedMain] edFilterInvocationSecurityMetadataSource : Adding web access control expression ‘authenticated’, for org.springframework.security.web.util.matcher.AnyRequestMatcher@1
2018-03-15 08:13:16.247 DEBUG 6608 — [ restartedMain] o.s.s.w.a.i.FilterSecurityInterceptor : Validated configuration attributes
2018-03-15 08:13:16.248 DEBUG 6608 — [ restartedMain] o.s.s.w.a.i.FilterSecurityInterceptor : Validated configuration attributes
2018-03-15 08:13:16.253 INFO 6608 — [ restartedMain] o.s.s.web.DefaultSecurityFilterChain : Creating filter chain: org.springframework.security.web.util.matcher.AnyRequestMatcher@1, [org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@2f9f435b, org.springframework.security.web.context.SecurityContextPersistenceFilter@319bf8dd, org.springframework.security.web.header.HeaderWriterFilter@334aa486, org.springframework.security.web.authentication.logout.LogoutFilter@75d24061, org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationProcessingFilter@64f747c6, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@1d4c2b2c, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@785d882, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@606ed0e4, org.springframework.security.web.session.SessionManagementFilter@397e39fc, org.springframework.security.web.access.ExceptionTranslationFilter@ea8a875, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@2a2b48d4]
2018-03-15 08:13:33.936 DEBUG 6608 — [nio-8080-exec-1] o.s.security.web.FilterChainProxy : / at position 1 of 11 in additional filter chain; firing Filter: ‘WebAsyncManagerIntegrationFilter’
2018-03-15 08:13:33.937 DEBUG 6608 — [nio-8080-exec-1] o.s.security.web.FilterChainProxy : / at position 2 of 11 in additional filter chain; firing Filter: ‘SecurityContextPersistenceFilter’
2018-03-15 08:13:33.939 DEBUG 6608 — [nio-8080-exec-1] o.s.security.web.FilterChainProxy : / at position 3 of 11 in additional filter chain; firing Filter: ‘HeaderWriterFilter’
2018-03-15 08:13:33.940 DEBUG 6608 — [nio-8080-exec-1] o.s.security.web.FilterChainProxy : / at position 4 of 11 in additional filter chain; firing Filter: ‘LogoutFilter’
2018-03-15 08:13:33.940 DEBUG 6608 — [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern=’/logout’, GET]
2018-03-15 08:13:33.940 DEBUG 6608 — [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : ‘/’; against ‘/logout’
2018-03-15 08:13:33.941 DEBUG 6608 — [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern=’/logout’, POST]
2018-03-15 08:13:33.941 DEBUG 6608 — [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Request ‘GET /’ doesn’t match ‘POST /logout
2018-03-15 08:13:33.941 DEBUG 6608 — [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern=’/logout’, PUT]
2018-03-15 08:13:33.941 DEBUG 6608 — [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Request ‘GET /’ doesn’t match ‘PUT /logout
2018-03-15 08:13:33.941 DEBUG 6608 — [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern=’/logout’, DELETE]
2018-03-15 08:13:33.942 DEBUG 6608 — [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Request ‘GET /’ doesn’t match ‘DELETE /logout
2018-03-15 08:13:33.942 DEBUG 6608 — [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher : No matches found
2018-03-15 08:13:33.943 DEBUG 6608 — [nio-8080-exec-1] o.s.security.web.FilterChainProxy : / at position 5 of 11 in additional filter chain; firing Filter: ‘OAuth2AuthenticationProcessingFilter’
2018-03-15 08:13:33.943 DEBUG 6608 — [nio-8080-exec-1] o.s.s.o.p.a.BearerTokenExtractor : Token not found in headers. Trying request parameters.
2018-03-15 08:13:33.943 DEBUG 6608 — [nio-8080-exec-1] o.s.s.o.p.a.BearerTokenExtractor : Token not found in request parameters. Not an OAuth2 request.
2018-03-15 08:13:33.943 DEBUG 6608 — [nio-8080-exec-1] p.a.OAuth2AuthenticationProcessingFilter : No token in request, will continue chain.
2018-03-15 08:13:33.943 DEBUG 6608 — [nio-8080-exec-1] o.s.security.web.FilterChainProxy : / at position 6 of 11 in additional filter chain; firing Filter: ‘RequestCacheAwareFilter’
2018-03-15 08:13:33.943 DEBUG 6608 — [nio-8080-exec-1] o.s.security.web.FilterChainProxy : / at position 7 of 11 in additional filter chain; firing Filter: ‘SecurityContextHolderAwareRequestFilter’
2018-03-15 08:13:33.944 DEBUG 6608 — [nio-8080-exec-1] o.s.security.web.FilterChainProxy : / at position 8 of 11 in additional filter chain; firing Filter: ‘AnonymousAuthenticationFilter’
2018-03-15 08:13:33.945 DEBUG 6608 — [nio-8080-exec-1] o.s.s.w.a.AnonymousAuthenticationFilter : Populated SecurityContextHolder with anonymous token: ‘org.springframework.security.authentication.AnonymousAuthenticationToken@689d1afc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS’
2018-03-15 08:13:33.946 DEBUG 6608 — [nio-8080-exec-1] o.s.security.web.FilterChainProxy : / at position 9 of 11 in additional filter chain; firing Filter: ‘SessionManagementFilter’
2018-03-15 08:13:33.946 DEBUG 6608 — [nio-8080-exec-1] o.s.security.web.FilterChainProxy : / at position 10 of 11 in additional filter chain; firing Filter: ‘ExceptionTranslationFilter’
2018-03-15 08:13:33.946 DEBUG 6608 — [nio-8080-exec-1] o.s.security.web.FilterChainProxy : / at position 11 of 11 in additional filter chain; firing Filter: ‘FilterSecurityInterceptor’
2018-03-15 08:13:33.946 DEBUG 6608 — [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : ‘/’; against ‘/’
2018-03-15 08:13:33.947 DEBUG 6608 — [nio-8080-exec-1] o.s.s.w.a.i.FilterSecurityInterceptor : Secure object: FilterInvocation: URL: /; Attributes: [#oauth2.throwOnError(permitAll)]
2018-03-15 08:13:33.947 DEBUG 6608 — [nio-8080-exec-1] o.s.s.w.a.i.FilterSecurityInterceptor : Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@689d1afc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
2018-03-15 08:13:33.954 DEBUG 6608 — [nio-8080-exec-1] o.s.s.access.vote.AffirmativeBased : Voter: org.springframework.security.web.access.expression.WebExpressionVoter@4e43dada, returned: 1
2018-03-15 08:13:33.955 DEBUG 6608 — [nio-8080-exec-1] o.s.s.w.a.i.FilterSecurityInterceptor : Authorization successful
2018-03-15 08:13:33.955 DEBUG 6608 — [nio-8080-exec-1] o.s.s.w.a.i.FilterSecurityInterceptor : RunAsManager did not change Authentication object
2018-03-15 08:13:33.955 DEBUG 6608 — [nio-8080-exec-1] o.s.security.web.FilterChainProxy : / reached end of additional filter chain; proceeding with original chain
2018-03-15 08:13:33.987 DEBUG 6608 — [nio-8080-exec-1] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@72bdc039
2018-03-15 08:13:34.015 DEBUG 6608 — [nio-8080-exec-1] o.s.s.w.a.ExceptionTranslationFilter : Chain processed normally
2018-03-15 08:13:34.016 DEBUG 6608 — [nio-8080-exec-1] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
2018-03-15 08:13:34.205 DEBUG 6608 — [nio-8080-exec-2] o.s.security.web.FilterChainProxy : /sign-in-widget-config at position 1 of 11 in additional filter chain; firing Filter: ‘WebAsyncManagerIntegrationFilter’
2018-03-15 08:13:34.205 DEBUG 6608 — [nio-8080-exec-2] o.s.security.web.FilterChainProxy : /sign-in-widget-config at position 2 of 11 in additional filter chain; firing Filter: ‘SecurityContextPersistenceFilter’
2018-03-15 08:13:34.206 DEBUG 6608 — [nio-8080-exec-2] o.s.security.web.FilterChainProxy : /sign-in-widget-config at position 3 of 11 in additional filter chain; firing Filter: ‘HeaderWriterFilter’
2018-03-15 08:13:34.206 DEBUG 6608 — [nio-8080-exec-2] o.s.security.web.FilterChainProxy : /sign-in-widget-config at position 4 of 11 in additional filter chain; firing Filter: ‘LogoutFilter’
2018-03-15 08:13:34.206 DEBUG 6608 — [nio-8080-exec-2] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern=’/logout’, GET]
2018-03-15 08:13:34.206 DEBUG 6608 — [nio-8080-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : ‘/sign-in-widget-config’; against ‘/logout’
2018-03-15 08:13:34.206 DEBUG 6608 — [nio-8080-exec-2] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern=’/logout’, POST]
2018-03-15 08:13:34.206 DEBUG 6608 — [nio-8080-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher : Request ‘GET /sign-in-widget-config’ doesn’t match ‘POST /logout
2018-03-15 08:13:34.206 DEBUG 6608 — [nio-8080-exec-2] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern=’/logout’, PUT]
2018-03-15 08:13:34.206 DEBUG 6608 — [nio-8080-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher : Request ‘GET /sign-in-widget-config’ doesn’t match ‘PUT /logout
2018-03-15 08:13:34.206 DEBUG 6608 — [nio-8080-exec-2] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern=’/logout’, DELETE]
2018-03-15 08:13:34.206 DEBUG 6608 — [nio-8080-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher : Request ‘GET /sign-in-widget-config’ doesn’t match ‘DELETE /logout
2018-03-15 08:13:34.206 DEBUG 6608 — [nio-8080-exec-2] o.s.s.web.util.matcher.OrRequestMatcher : No matches found
2018-03-15 08:13:34.211 DEBUG 6608 — [nio-8080-exec-2] o.s.security.web.FilterChainProxy : /sign-in-widget-config at position 5 of 11 in additional filter chain; firing Filter: ‘OAuth2AuthenticationProcessingFilter’
2018-03-15 08:13:34.211 DEBUG 6608 — [nio-8080-exec-2] o.s.s.o.p.a.BearerTokenExtractor : Token not found in headers. Trying request parameters.
2018-03-15 08:13:34.211 DEBUG 6608 — [nio-8080-exec-2] o.s.s.o.p.a.BearerTokenExtractor : Token not found in request parameters. Not an OAuth2 request.
2018-03-15 08:13:34.211 DEBUG 6608 — [nio-8080-exec-2] p.a.OAuth2AuthenticationProcessingFilter : No token in request, will continue chain.
2018-03-15 08:13:34.211 DEBUG 6608 — [nio-8080-exec-2] o.s.security.web.FilterChainProxy : /sign-in-widget-config at position 6 of 11 in additional filter chain; firing Filter: ‘RequestCacheAwareFilter’
2018-03-15 08:13:34.211 DEBUG 6608 — [nio-8080-exec-2] o.s.security.web.FilterChainProxy : /sign-in-widget-config at position 7 of 11 in additional filter chain; firing Filter: ‘SecurityContextHolderAwareRequestFilter’
2018-03-15 08:13:34.211 DEBUG 6608 — [nio-8080-exec-2] o.s.security.web.FilterChainProxy : /sign-in-widget-config at position 8 of 11 in additional filter chain; firing Filter: ‘AnonymousAuthenticationFilter’
2018-03-15 08:13:34.211 DEBUG 6608 — [nio-8080-exec-2] o.s.s.w.a.AnonymousAuthenticationFilter : Populated SecurityContextHolder with anonymous token: ‘org.springframework.security.authentication.AnonymousAuthenticationToken@689d1afc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS’
2018-03-15 08:13:34.211 DEBUG 6608 — [nio-8080-exec-2] o.s.security.web.FilterChainProxy : /sign-in-widget-config at position 9 of 11 in additional filter chain; firing Filter: ‘SessionManagementFilter’
2018-03-15 08:13:34.211 DEBUG 6608 — [nio-8080-exec-2] o.s.security.web.FilterChainProxy : /sign-in-widget-config at position 10 of 11 in additional filter chain; firing Filter: ‘ExceptionTranslationFilter’
2018-03-15 08:13:34.212 DEBUG 6608 — [nio-8080-exec-2] o.s.security.web.FilterChainProxy : /sign-in-widget-config at position 11 of 11 in additional filter chain; firing Filter: ‘FilterSecurityInterceptor’
2018-03-15 08:13:34.212 DEBUG 6608 — [nio-8080-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : ‘/sign-in-widget-config’; against ‘/’
2018-03-15 08:13:34.212 DEBUG 6608 — [nio-8080-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : ‘/sign-in-widget-config’; against ‘/index.html’
2018-03-15 08:13:34.212 DEBUG 6608 — [nio-8080-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : ‘/sign-in-widget-config’; against ‘/sign-in-widget-config’
2018-03-15 08:13:34.212 DEBUG 6608 — [nio-8080-exec-2] o.s.s.w.a.i.FilterSecurityInterceptor : Secure object: FilterInvocation: URL: /sign-in-widget-config; Attributes: [#oauth2.throwOnError(permitAll)]
2018-03-15 08:13:34.212 DEBUG 6608 — [nio-8080-exec-2] o.s.s.w.a.i.FilterSecurityInterceptor : Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@689d1afc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
2018-03-15 08:13:34.214 DEBUG 6608 — [nio-8080-exec-2] o.s.s.access.vote.AffirmativeBased : Voter: org.springframework.security.web.access.expression.WebExpressionVoter@4e43dada, returned: 1
2018-03-15 08:13:34.214 DEBUG 6608 — [nio-8080-exec-2] o.s.s.w.a.i.FilterSecurityInterceptor : Authorization successful
2018-03-15 08:13:34.214 DEBUG 6608 — [nio-8080-exec-2] o.s.s.w.a.i.FilterSecurityInterceptor : RunAsManager did not change Authentication object
2018-03-15 08:13:34.214 DEBUG 6608 — [nio-8080-exec-2] o.s.security.web.FilterChainProxy : /sign-in-widget-config reached end of additional filter chain; proceeding with original chain
2018-03-15 08:13:34.299 DEBUG 6608 — [nio-8080-exec-2] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@72bdc039
2018-03-15 08:13:34.302 DEBUG 6608 — [nio-8080-exec-2] o.s.s.w.a.ExceptionTranslationFilter : Chain processed normally
2018-03-15 08:13:34.302 DEBUG 6608 — [nio-8080-exec-2] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
2018-03-15 08:13:37.913 DEBUG 6608 — [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /mod at position 1 of 11 in additional filter chain; firing Filter: ‘WebAsyncManagerIntegrationFilter’
2018-03-15 08:13:37.914 DEBUG 6608 — [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /mod at position 2 of 11 in additional filter chain; firing Filter: ‘SecurityContextPersistenceFilter’
2018-03-15 08:13:37.914 DEBUG 6608 — [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /mod at position 3 of 11 in additional filter chain; firing Filter: ‘HeaderWriterFilter’
2018-03-15 08:13:37.914 DEBUG 6608 — [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /mod at position 4 of 11 in additional filter chain; firing Filter: ‘LogoutFilter’
2018-03-15 08:13:37.914 DEBUG 6608 — [nio-8080-exec-3] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern=’/logout’, GET]
2018-03-15 08:13:37.914 DEBUG 6608 — [nio-8080-exec-3] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : ‘/mod’; against ‘/logout’
2018-03-15 08:13:37.914 DEBUG 6608 — [nio-8080-exec-3] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern=’/logout’, POST]
2018-03-15 08:13:37.914 DEBUG 6608 — [nio-8080-exec-3] o.s.s.w.u.matcher.AntPathRequestMatcher : Request ‘GET /mod’ doesn’t match ‘POST /logout
2018-03-15 08:13:37.914 DEBUG 6608 — [nio-8080-exec-3] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern=’/logout’, PUT]
2018-03-15 08:13:37.914 DEBUG 6608 — [nio-8080-exec-3] o.s.s.w.u.matcher.AntPathRequestMatcher : Request ‘GET /mod’ doesn’t match ‘PUT /logout
2018-03-15 08:13:37.914 DEBUG 6608 — [nio-8080-exec-3] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern=’/logout’, DELETE]
2018-03-15 08:13:37.914 DEBUG 6608 — [nio-8080-exec-3] o.s.s.w.u.matcher.AntPathRequestMatcher : Request ‘GET /mod’ doesn’t match 'DELETE /logout
2018-03-15 08:13:37.914 DEBUG 6608 — [nio-8080-exec-3] o.s.s.web.util.matcher.OrRequestMatcher : No matches found
2018-03-15 08:13:37.914 DEBUG 6608 — [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /mod at position 5 of 11 in additional filter chain; firing Filter: ‘OAuth2AuthenticationProcessingFilter’
2018-03-15 08:13:37.921 DEBUG 6608 — [nio-8080-exec-3] p.a.OAuth2AuthenticationProcessingFilter : Authentication request failed: error=“invalid_token”, error_description=“Invalid access token: eyJraWQiOiJxUnRROGFKMGNxN19QTHVzdFN3V2tzLUE2QWhUZ3NuMW9QSy1xRXp1azdZIiwiYWxnIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULlRHaTdCbDJjeUZDdUFUZUxKZ1VnTURHSkJsSUlXN0ZQVFV2SUFYdUc4bkUiLCJpc3MiOiJodHRwczovL2Rldi04NDUxMzEub2t0YXByZXZpZXcuY29tL29hdXRoMi9kZWZhdWx0IiwiYXVkIjoiYXBpOi8vZGVmYXVsdCIsImlhdCI6MTUyMTEyNjgxNywiZXhwIjoxNTIxMTMwNDE3LCJjaWQiOiIwb2FlYmtqN2RiT3prRVFQczBoNyIsInVpZCI6IjAwdWVib2swODE2NXI3aERiMGg3Iiwic2NwIjpbImVtYWlsIiwib3BlbmlkIiwicHJvZmlsZSJdLCJzdWIiOiJyYW1hbjIwNzJAZ21haWwuY29tIn0.XDWjyQPra_lxyQylKszFbCNa-vxFH6wyH9YD99PSDEtIimHt6g9O3YZ69dQNKcv8I3MupO6pTm3PK6W3Yf7TehTt7IHy4w3htFC5jhvTN402-nMHE_G9KvGCj_S0Ll1gfeqE_FJIt0_3ilyHuSsIamBDefneC-SFcVce4fqxIJ9EK2PqWJ0pF_f3hVJXCumVIe_B4fs32qOMO1BCjZ-iB2GJvEmEiatV4A77UQH_OuidupHkSvN-BHttlJW1oqGtRwwY6q3wyhqdcGhceSJ7BNqx58fw9WKeVgX3M2N-A6zAiGLGv_-er9VkPgGmMYVY9Y_pXqCh7utHtJBtaoopIQ”
2018-03-15 08:13:37.956 DEBUG 6608 — [nio-8080-exec-3] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@72bdc039
2018-03-15 08:13:37.961 DEBUG 6608 — [nio-8080-exec-3] s.s.o.p.e.DefaultOAuth2ExceptionRenderer : Written [error=“invalid_token”, error_description=“Invalid access token: eyJraWQiOiJxUnRROGFKMGNxN19QTHVzdFN3V2tzLUE2QWhUZ3NuMW9QSy1xRXp1azdZIiwiYWxnIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULlRHaTdCbDJjeUZDdUFUZUxKZ1VnTURHSkJsSUlXN0ZQVFV2SUFYdUc4bkUiLCJpc3MiOiJodHRwczovL2Rldi04NDUxMzEub2t0YXByZXZpZXcuY29tL29hdXRoMi9kZWZhdWx0IiwiYXVkIjoiYXBpOi8vZGVmYXVsdCIsImlhdCI6MTUyMTEyNjgxNywiZXhwIjoxNTIxMTMwNDE3LCJjaWQiOiIwb2FlYmtqN2RiT3prRVFQczBoNyIsInVpZCI6IjAwdWVib2swODE2NXI3aERiMGg3Iiwic2NwIjpbImVtYWlsIiwib3BlbmlkIiwicHJvZmlsZSJdLCJzdWIiOiJyYW1hbjIwNzJAZ21haWwuY29tIn0.XDWjyQPra_lxyQylKszFbCNa-vxFH6wyH9YD99PSDEtIimHt6g9O3YZ69dQNKcv8I3MupO6pTm3PK6W3Yf7TehTt7IHy4w3htFC5jhvTN402-nMHE_G9KvGCj_S0Ll1gfeqE_FJIt0_3ilyHuSsIamBDefneC-SFcVce4fqxIJ9EK2PqWJ0pF_f3hVJXCumVIe_B4fs32qOMO1BCjZ-iB2GJvEmEiatV4A77UQH_OuidupHkSvN-BHttlJW1oqGtRwwY6q3wyhqdcGhceSJ7BNqx58fw9WKeVgX3M2N-A6zAiGLGv_-er9VkPgGmMYVY9Y_pXqCh7utHtJBtaoopIQ”] as “application/json;charset=UTF-8” using [org.springframework.http.converter.json.MappingJackson2HttpMessageConverter@15ab67e8]
2018-03-15 08:13:37.961 DEBUG 6608 — [nio-8080-exec-3] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed


System Akismet is blocking my replies…


I see now, switch to Spring boot 1.5.x and you should be all set. I’ll update that blog post with a note about this.

Keep us posted!

Yeah, when I hit this snag, the very first thing I did was bump down the SpringBoot version to 1.5.9 and restarted it, but to no avail as it was crying with the same Invalid token.

I presume this has to do with the token itself, because when I tried the token (sent from the Okta dev auth endpoint) with the JWT debugger, it complained about the same thing -> Invalid Token/Invalid Signature.

–Seetha

I don’t see anything wrong with the token (yet). It has the right issuer and client ID.

Long shot: can you double check that your system time is synced up with an internet time server? If your clock is way off it will cause token validation to fail.

I checked my system time and it is perfect the way it is supposed to be.

My doubts are still with the token. Yes, the issuer, the subject, the claims all seem to be OK, yet the JWT debugger is claiming that the token has an invalid signature. I really don’t know why even the JWT debugger is crying, and this explains why the Spring Security filters are crying as well.

So can you please paste this token in a JWT debugger and see it for yourself?
eyJraWQiOiJxUnRROGFKMGNxN19QTHVzdFN3V2tzLUE2QWhUZ3NuMW9QSy1xRXp1azdZIiwiYWxnIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULnkxT2ViTk5ILWZidEc2TmNHcms3NnZocVE2Ui14dE1ydld0ZGJ1eWxjQTQiLCJpc3MiOiJodHRwczovL2Rldi04NDUxMzEub2t0YXByZXZpZXcuY29tL29hdXRoMi9kZWZhdWx0IiwiYXVkIjoiYXBpOi8vZGVmYXVsdCIsImlhdCI6MTUyMTIyNjAyNCwiZXhwIjoxNTIxMjI5NjI0LCJjaWQiOiIwb2FlYmtqN2RiT3prRVFQczBoNyIsInVpZCI6IjAwdWVib2swODE2NXI3aERiMGg3Iiwic2NwIjpbInByb2ZpbGUiLCJvcGVuaWQiLCJlbWFpbCJdLCJzdWIiOiJyYW1hbjIwNzJAZ21haWwuY29tIn0.F-_7H3sLzCGG51e6ilv5Ml8mDI_uRg27_p71I8FQsNi_rzR2YyczGRLKhlmVmaomk5_jOTwoJihZLpYlpDxvOibz-gIVid7PSjbFYzBQcpOPM2KestkBJ6fL0j4D0h2N7SVH2Q4GK9lDA1mQS8gn0fPjiONrUrmLcllHeRwMVAVadiRCysL6uKMUXlPLl3oyBghUWz2X6EhjfJ23FAfnXEHNI5QiadQdnzfXSHZz34DZr09Pbj5HihyXG_sGEImh8aE_L42a5VWJ3Lsk5NePZ0T8bt91O0GuOLm3TwsX2TXsgHs-wuVz5wyoyhurbATE6ed40FSy87Zt0i1iEDKxyQ

–Seetha

The JWT debugger will always say “invalid signature” unless you enter a valid secret key. In fact, the debugger doesn’t currently support asymmetric signatures, which is what this token uses. So don’t pay too much attention to it in this case 🙂

The Spring logs say the token is invalid but they don’t say why. @bdemers is there a way to change the log level to get more trace info? It would be helpful to understand why Spring Security thinks this token is invalid.
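An added example, not part of the original thread and not Okta's or Spring Security's code: a minimal RS256 checker that names the first reason a token is rejected (missing public key for the `kid`, bad signature, issuer, audience, expiry, clock skew), which is the detail the logs above do not give. The issuer and client ID are the ones posted in this thread and `api://default` is the audience inside the posted token; the key pair, `kid`, subject and the names `explain_token` and `make_sample` are constructed for illustration.

```python
import base64, hashlib, hmac, json, time

# ASN.1 DigestInfo prefix for SHA-256 (RFC 8017, section 9.2).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def pkcs1_sha256_em(message, k):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message) for a k-byte modulus."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def explain_token(token, jwks, issuer, audience, now=None, leeway=60):
    """Return "ok", or the first reason a resource server would reject the token."""
    now = time.time() if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(b64url_decode(h64))
        claims = json.loads(b64url_decode(p64))
        sig = b64url_decode(s64)
    except ValueError:
        return "malformed token"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return "malformed token"
    # Pin the algorithm; the token must not be allowed to pick a weaker one.
    if header.get("alg") != "RS256":
        return "unexpected alg"
    # RS256 is asymmetric: the verifier needs the issuer's public key for this kid.
    key = next((j for j in jwks["keys"] if j.get("kid") == header.get("kid")), None)
    if key is None:
        return "no JWKS key for kid"
    n = int.from_bytes(b64url_decode(key["n"]), "big")
    e = int.from_bytes(b64url_decode(key["e"]), "big")
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(sig, "big")
    if len(sig) != k or s >= n:
        return "signature mismatch"
    recovered = pow(s, e, n).to_bytes(k, "big")
    expected = pkcs1_sha256_em(f"{h64}.{p64}".encode(), k)
    if not hmac.compare_digest(recovered, expected):
        return "signature mismatch"
    # Claims are trusted only after the signature has been verified.
    if claims.get("iss") != issuer:
        return "issuer mismatch"
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        return "audience mismatch"
    if now > claims.get("exp", 0) + leeway:
        return "expired"
    if claims.get("iat", 0) > now + leeway:
        return "issued in the future (clock skew?)"
    return "ok"

# --- Constructed sample data (not a real Okta key or token) ------------------
ISSUER = "https://dev-845131.oktapreview.com/oauth2/default"  # issuer from the post
AUDIENCE = "api://default"   # audience carried in the posted token's payload
IAT = 1521097385             # sample issue time, seconds since the epoch
EXP = IAT + 3600

def make_sample():
    """Build a toy RS256 token and matching JWKS. The modulus is the product of
    two Mersenne primes, so it is trivially factorable: demonstration only."""
    p, q, e = 2**521 - 1, 2**607 - 1, 65537
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # private exponent (Python 3.8+)
    k = (n.bit_length() + 7) // 8
    header = {"kid": "sample-key-1", "alg": "RS256"}
    claims = {"iss": ISSUER, "aud": AUDIENCE, "iat": IAT, "exp": EXP,
              "cid": "0oaebkj7dbOzkEQPs0h7", "sub": "user@example.com"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part).encode()) for part in (header, claims))
    em = int.from_bytes(pkcs1_sha256_em(signing_input.encode(), k), "big")
    sig = pow(em, d, n).to_bytes(k, "big")
    jwks = {"keys": [{"kty": "RSA", "kid": "sample-key-1", "alg": "RS256",
                      "n": b64url_encode(n.to_bytes(k, "big")),
                      "e": b64url_encode(e.to_bytes(3, "big"))}]}
    return f"{signing_input}.{b64url_encode(sig)}", jwks

if __name__ == "__main__":
    token, jwks = make_sample()
    print("with the issuer's key:", explain_token(token, jwks, ISSUER, AUDIENCE, now=IAT + 10))
    print("without any key:      ", explain_token(token, {"keys": []}, ISSUER, AUDIENCE, now=IAT + 10))
    print("server clock 10m slow:", explain_token(token, jwks, ISSUER, AUDIENCE, now=IAT - 600))
```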

@nate.barbettini good idea with the time sync.

@raman2072 you can turn up the logging in your application.properties (or yaml) file:

logging:
  level:
    root: DEBUG

Do you have any yaml files in ~/.okta/?


If you see, by default SpringBoot does NOT log the security filters logs, so I had to turn this on explicitly and ONLY then I could have given you the spring security filters log in the first place. But the logs do not help at all, at least for me. At this point of time, I have given up and I was wondering how the same code/instructions worked for you and others except me!

okta:
  oauth2:
    clientId: 0oaebkj7dbOzkEQPs0h7
    issuer: https://dev-845131.oktapreview.com/oauth2/default

logging:
  level:
    root: ERROR
    org.springframework.security: DEBUG
Hey @raman2072 - can you create a test user on your org and share the login here (or over a private message)? I’ll try getting a token from your org to see if I can replicate the issue.