312 questions
-1
votes
0
answers
89
views
ID Token doesn't contain SID claim if I have multiple instance of Spring Authorization Server
I have 2 instances of Spring Authorization Server (SAS), running locally behind nginx. My SAS is using:
Spring Session JDBC to save session to oracle db
JdbcOauth2AuthorizationService to save ...
0
votes
1
answer
438
views
Spring Authorization Server OAuth2AuthorizationServerConfigurer.authorizationServer() method not found
I am new to spring security. I have been looking to build an authorization server and I have gone through a couple of documentations. I saw that all of them have used something like:
...
0
votes
0
answers
85
views
How to setup Spring Authorization Server, Spring Cloud Gateway MVC and OAuth2 Resource Server?
I am working on an application to better understand the Spring Security and microservices architecture.
I have setup:
Spring Authorization Server
Spring Cloud Gateway MVC
OAuth2 Resource Server
...
0
votes
0
answers
34
views
Spring authorization server get access token fail
I am running a spring security oauth2 authorization server 1.5.3.
I use postman to get an access token. Following is my request body in post man:
I have double-checked the parameters, they seem OK, ...
-1
votes
1
answer
162
views
Spring Authorization Server – /login keeps returning 403 instead of showing login page [closed]
I am learning Spring Authorization Server and trying to build a simple OAuth2 Authorization Server without OpenID Connect.
I want to handle the login page myself inside the same Authorization Server ...
Best practices
0
votes
1
replies
56
views
Spring Cloud Gateway and Spring Authorisation Server Common Session storage
I have a Spring Authorisation Server as my OAuth2-OpenID Connect authentication server running with multiple instances on a cluster. It uses Spring Session Redis for managing distributed sessions. ...
0
votes
0
answers
121
views
How to implement non-plain-text password transmission in Spring Authorization Server 1.4.3 (password grant extension)
I’m using Spring Authorization Server 1.4.3 to build an authentication center.
I’ve extended the authorization server to support the password grant type, so clients can obtain access tokens via the /...
0
votes
0
answers
73
views
how to save the client-id from request cache when a user is redirected to the spring authorization server?
I have implemented or extended on top of Spring Authorization server. I have an authentication controller that accesses the client-id from the RequestCache object.
Now, I have built a sample OAuth app ...
0
votes
0
answers
53
views
Does Spring Authorization support FAPI 2.0
I'm trying to do a PoC on FAPI 2.0 for which I want to have an authorization server that supports FAPI2.0 along with the control over IDP integration, user database, OIDC provider and onboarding third ...
0
votes
0
answers
84
views
Spring OAuth2 login page doesn’t load correctly when accessed through Gateway
I’m using a Spring OAuth2 Authorization Server with a Gateway in front of it.
When I access the login page directly via http://localhost:9999 (the OAuth2 server port), everything works: the CSS loads ...
0
votes
1
answer
162
views
Spring OAuth2 Authorization Server: IllegalArgumentException when deserializing custom User class after consent approval
I'm trying to set up a Spring Authorization Server for learning purposes. The login and consent screens work, but after I approve the consent screen and submit the /authorize request, I get the ...
0
votes
1
answer
119
views
Where should roles and missions/ACLs be managed when building an authorization server?
I’m trying to build my own Spring Authorization Server (for learning purposes and possibly to use across multiple projects in the future).
I’m already familiar with Spring Security and resource server ...
0
votes
0
answers
107
views
Avoid uri='UNKNOWN' for OAuth endpoints in Spring Authorization Server
I'm using Spring Authorization Server together with Spring Boot Actuator and Micrometer Prometheus integration.
For metrics like http_server_requests_seconds_count, I’m seeing many uri="UNKNOWN&...
0
votes
0
answers
113
views
Oauth2 Logout fails when the token is refreshed using the refresh token. message: Logout request failed: [invalid_token] id_token_hint
alright gpt did not help with this one. so my problem is that logout fails when the token has been refreshed using the refresh token. spring auth server says id_token_hint has expired because it's ...
0
votes
0
answers
47
views
Best way to extend RegisteredClient to support a custom field (app_id) in dynamic client registration?
I'm using Spring Authorization Server with JDBC and dynamic client registration.
I want to extend RegisteredClient to support a custom field called app_id. This value is provided in the dynamic ...
0
votes
1
answer
152
views
Spring Authorization Server ~ How to unregister default AuthenticationProviders
I am trying to implement OAuth2 authentication for an App in a Spring Boot backend using Spring Authorization Server. My problem is that I have custom logic that uses its own AuthenticationProviders, ...
0
votes
0
answers
35
views
Spring Authorization Server - Authorizing Requests Using Established Spring Security Functionalities Not Possible?
I am trying to use Spring Authorization Server as such:
My application is providing an OIDC Provider endpoint such that it works as an authorization server for third parties (e.g. Zitadel)
But only ...
1
vote
1
answer
92
views
How to log client information upon successful client credentials flow is performed in Spring Boot Authorization Server
I want to log RegisteredClient.clientId, RegisteredClient.clientName when it performs successful client credentials flow. How can I achieve this?
Current Behavior
I checked logs (with TRACE level) ...
-1
votes
1
answer
72
views
Can't set Allow Origin Header on response header
I'm learning Spring oauth2 Client and Spring authorization server and I faced such a problem that I can not set the header on the redirect request from the gateway to the authorization server.
Cors ...
2
votes
1
answer
403
views
Spring OAuth2AuthorizationService implementations persist JWT access tokens
I recently began developing an OAuth/OIC identity provider with Spring Boot 3, Spring Security 6, and Spring Authorization Server. I'm new to OAuth but have some experience with session-based web ...
1
vote
0
answers
190
views
OAuth2 Token Revocation Endpoint
I'm trying to write my custom OAuth2 Token Revocation Endpoint as explained here but I'm facing an issue.
Inside my custom .errorResponseHandler(errorResponseHandler) I want to catch and handle the ...
0
votes
0
answers
59
views
Trying to deploy Spring Authentication Service to Azure
I am working on a new micro-service design that I hope to deploy to Azure. I would like to have a Spring Authorization Server that handles all authentication and authorization users against our Azure ...
0
votes
1
answer
359
views
Set end_session_endpoint for logout endpoint
I use Spring Authorization Server 1.4.0 with React Client. By default I have end_session_endpoint param set to "end_session_endpoint":"http://host/connect/logout" in http://host/....
0
votes
2
answers
495
views
Issue with authenticationManager in Spring SecurityConfig Authorization Server
for some reason the authenticationManager is not being added to the context, that's what I imagine, because I'm getting an error:
"Factory method 'authorizationServerSecurityFilterChain' threw ...
2
votes
2
answers
840
views
Disable CSRF not working upon upgrading spring authorization server
My project setup has one security chain filter and the csrf is disabled.
With the following spring environment, code works as expected.
spring version 6.2.2
spring-security version 6.4.2
spring-...
0
votes
2
answers
153
views
Should I use HttpServletRequest.getParameter() or HttpServletRequest.setAttribute() for passing data between components?
I would like to customize Access token based on authorization code which is sent in the token endpoint request.
I am doing this as per spring boot Oauth2 documentation. Token customisation
Specifically,...
0
votes
0
answers
57
views
Issue Custom tokens after social login with Spring authorisation server
I am trying to implement spring authorization server with social login.
I want a user to login using GitHub and after successful login, I want to issue a token to the user from my authorisation ...
0
votes
0
answers
132
views
Using spring-authorization-server in Spring MVC application that uses xml based config
I have a Spring MVC application which used the legacy spring-security-oauth2 library as authorization server and resource server. The spring security was configured in xml format. Also, the ...
0
votes
1
answer
276
views
OidcUserInfoAuthenticationProvider doesn't support for opaque token bearer authorization
Continue for this problem, I still don't get any solution for handling my problem,
issue 1865. I want to have spring authorization server with opaque token and oidc enabled.
Once oidc enabled, it ...
1
vote
0
answers
80
views
Spring Authorization Server in High Availability mode
I would like to use Spring Authorization Server in High Availability mode, with for example 2 nodes behind a load balancer. I do not see anything in the documentation regarding a specific ...
1
vote
3
answers
461
views
response_mode=form_post triggers invalid CSRF token in Spring Auth Server
We have two filter chains (beans) configured in our SecurityConfig:
oauth2ProtocolEndpointsSecurityFilterChain with order 1 (authServer config)
userEndpointsSecurityFilterChain with order 2 (config ...
0
votes
1
answer
154
views
Test Spring Authorization Server with JUnit 5
I'm trying to create this JUnit test for Spring Authorization Server:
import org.junit.jupiter.api.Test;
import org.mockito.Mock;
import org.springframework.beans.factory.annotation.Autowired;
import ...
1
vote
0
answers
105
views
oauth2 authorization server without form login
I would like to have the authentication server handle user authentication without requiring login form input. In oauth2 authorization server version 0.3.1, it was processed through ...
1
vote
1
answer
458
views
Spring Authorization Server threw exception with message: DelegatingAuthenticationConverter
I am confused at what is causing this error, I first started noticing this when I migrated from version 1.2 to 1.4 of the spring oauth2 authorization server. Below you will find relevant files to help ...
0
votes
1
answer
74
views
Spring - Exposing public endpoints when using JWT authorization server with WebFlux
I want to create a BFF micro-service, which would be responsible for (among other things) forwarding username/password credentials to Keycloak (where Keycloak issues a JWT token) and for validating ...
0
votes
1
answer
271
views
Spring Security: combining authentication and token assignment via /oauth2/token endpoint
The goal is to have both authentication and token assignment under /oauth2/token endpoint. There is an expectation, that for example when application receives correct credentials:
POST http://...
1
vote
1
answer
119
views
When adding more fields to my custom login and wanting to capture the values it does not work
I have a custom login page that apart from the username and password I have the document type field and remember, how can I capture them in my personalized CustomDaoAuthenticationProvider to be able ...
0
votes
1
answer
102
views
Add Tenant Filter to Spring authorization Server
I want to add a TenantIdentificationFilter in the Spring Authorization Server.
I am trying to configure it as mentioned in this post.
This however is producing the error Cannot resolve symbol '...
1
vote
1
answer
222
views
Role Based Access Control With Auth0 and SpringBoot
I have a problem with assigning role-based access control on my SpringBoot application. I created a new API in Auth0 and assigned permissions to the API and enabled RBAC in the API. And authorized the ...
0
votes
1
answer
180
views
Spring authorization server latest version with PKCE + Angular SPA app 403 forbidden on oauth2/token
Security configuration
@Configuration
@EnableWebSecurity
public class SecurityConfig {
@Bean
@Order(1)
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) ...
0
votes
0
answers
94
views
Spring Authorization Server - Possibility for extended features
While integrating Spring Authorization Server in my system for the oauth2 basic workflow, I found myself in potential situations regarding the future extensions for this.
Is any of the following ...
0
votes
2
answers
90
views
Spring Authorization Server without redirecting URLs for CURL access
This is my setup. I have a kong community server running as a gateway and all sort of different clients to access resource services via routes in the backend.
To unify the authentication (that all ...
0
votes
0
answers
38
views
Spring Boot error in startup after upgrading to Java 21 from Java 8 [duplicate]
I am upgrading my Spring Boot application from Java 8 to Java 21 and Spring boot 2.2 to 3.2. After upgrading I am getting this error on startup
|WARN | o.s.b.a.o.j.JpaBaseConfiguration$...
0
votes
1
answer
809
views
Migration from Spring Boot 2.2 to 3.2 and Java 8 to Java 21 - facing issues upgrading to Spring Authorization Server
I am currently in the process of migrating the application from Java 8 to Java 21 and Spring Boot 2.2 to Spring Boot 3.2.
I am currently facing trouble with security. My application has both an ...
0
votes
0
answers
149
views
How to create consent screen and consequently scopes in JWT dynamically after a user logs in to Spring Boot OAuth2 Authorization Server?
In the implementation of Custom OAuth2 Authorization Server using Spring Boot, how is it possible to create a custom consent screen that asks for different consents based on which user has logged in? ...
2
votes
2
answers
302
views
Implement Spring Authorization Server with 2 custom identity providers
I want to create a custom implementation of Spring Authorization Server with 2 custom federation providers:
First provider to authenticate clients with AuthorizationGrantType.AUTHORIZATION_CODE for ...
0
votes
0
answers
132
views
Session management in spring-oauth2-authorization-server
I am developing an application that consists of a gateway as a oauth2-client and an authorization server. I do not quite understand, based on what information, the session timeout for these services ...
-1
votes
1
answer
86
views
Oauth2 customize login page using angular and keep rest of the authorization flow
I have oauth2 client and oauth2 authorization server when I try to open a protected url of client. (it has a cookie a certain session). then it redirects to clients own path /oauth2/authorization/api-...
1
vote
1
answer
1k
views
How to customize the well-known endpoint in Spring Authorization Server?
I'm using Spring Authorization Server v3.3.1. My current well-known endpoint is <hostname>/.well-known/openid-configuration and this returns the standard OpenId configuration.
I want to remove a ...
0
votes
0
answers
84
views
Spring authorization server widget or password credentials flow?
I'm starting a new project with Spring Authorization Server 1.3.2 to use it in a new portal that it will be developed with Angular. Clients will be able to access to its own private area using ...