Spring boot + oauth2 : Full authentication is required to access this resource

The following changes fixed this issue for me when reading Spring Microservices in Action by John Carnell.

Changed the following property

application.yml

server:
  contextPath: /auth

To

server:
  servlet:
    context-path: /auth

And I've also added {noop} to every secret/password and now it works!

WebSecurityConfigurer.java

@Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
                .withUser("john.carnell").password("{noop}password1").roles("USER")
                .and()
                .withUser("william.woodward").password("{noop}password2").roles("USER", "ADMIN");
    }

OAuth2Config.java

@Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
                .withClient("eagleeye")
                .secret("{noop}thisissecret")
                .authorizedGrantTypes("refresh_token", "password", "client_credentials")
                .scopes("webclient", "mobileclient");
    }

I am using Spring Cloud Hoxton SR11


In your sample app when you run, you would have got the following exception

java.lang.IllegalArgumentException: There is no PasswordEncoder mapped for the id "null"

In spring-security-core:5.0, the default PasswordEncoder is built as a DelegatingPasswordEncoder. Hence when you store the users in memory, you are providing the passwords in plain text and then when you are trying to retrieve the encoder from the DelegatingPasswordEncoder to validate the password it can't find one.

More details in this link Password Encoding

To address this , for a production implementation you should activate an instance of BCryptPasswordEncoder

For development, you can try out the following changes so that you can override password encoding by adding {noop} to the password value. This will treat the password by activating the NoOpPasswordEncoder instead of the default DelegatingPasswordEncoder and will treat your password as plain text.

OAuth2Config class

clients.inMemory()
            .withClient("eagleeye")
            .secret("{noop}thisissecret")
            .authorizedGrantTypes("refresh_token", "password", "client_credentials")
            .scopes("webclient", "mobileclient");

WebSecurityConfigurer class

 auth
                .inMemoryAuthentication()
                .withUser("john.carnell"). password("{noop}password1").roles("USER")
                .and()
                .withUser("william.woodward").password("{noop}password2").roles("USER", "ADMIN");

Now when you try from Postman, you would be able to generate token enter image description here

EDIT

Github project with a working demo here


I have same issue. the url is wrong, change to http://localhost:8080/oauth/token then it's OK. I got this sample from book which is giving the wrong url. just remove the "/auth"