Spring boot + oauth2 : Full authentication is required to access this resource
The following changes fixed this issue for me when reading Spring Microservices in Action by John Carnell.
Changed the following property
application.yml
server:
contextPath: /auth
To
server:
servlet:
context-path: /auth
And I've also added {noop} to every secret/password and now it works!
WebSecurityConfigurer.java
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication()
.withUser("john.carnell").password("{noop}password1").roles("USER")
.and()
.withUser("william.woodward").password("{noop}password2").roles("USER", "ADMIN");
}
OAuth2Config.java
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients.inMemory()
.withClient("eagleeye")
.secret("{noop}thisissecret")
.authorizedGrantTypes("refresh_token", "password", "client_credentials")
.scopes("webclient", "mobileclient");
}
I am using Spring Cloud Hoxton SR11
In your sample app when you run, you would have got the following exception
java.lang.IllegalArgumentException: There is no PasswordEncoder mapped for the id "null"
In spring-security-core:5.0, the default PasswordEncoder is built as a DelegatingPasswordEncoder. Hence when you store the users in memory, you are providing the passwords in plain text and then when you are trying to retrieve the encoder from the DelegatingPasswordEncoder to validate the password it can't find one.
More details in this link Password Encoding
To address this , for a production implementation you should activate an instance of BCryptPasswordEncoder
For development, you can try out the following changes so that you can override password encoding by adding {noop}
to the password value. This will treat the password by activating the NoOpPasswordEncoder
instead of the default DelegatingPasswordEncoder
and will treat your password as plain text.
OAuth2Config class
clients.inMemory()
.withClient("eagleeye")
.secret("{noop}thisissecret")
.authorizedGrantTypes("refresh_token", "password", "client_credentials")
.scopes("webclient", "mobileclient");
WebSecurityConfigurer class
auth
.inMemoryAuthentication()
.withUser("john.carnell"). password("{noop}password1").roles("USER")
.and()
.withUser("william.woodward").password("{noop}password2").roles("USER", "ADMIN");
Now when you try from Postman, you would be able to generate token
EDIT
Github project with a working demo here
I have same issue. the url is wrong, change to http://localhost:8080/oauth/token then it's OK. I got this sample from book which is giving the wrong url. just remove the "/auth"