How to use AuthorizationServerSecurityConfigurer?

KZcoding · Aug 19, 2017 · Viewed 11.3k times

I am looking at a Spring boot project which has this code:

import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;

// Overrides AuthorizationServerConfigurerAdapter.configure(AuthorizationServerSecurityConfigurer)
@Override
public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
    oauthServer
        .tokenKeyAccess("permitAll()")          // /oauth/token_key: open to everyone
        .checkTokenAccess("isAuthenticated()"); // /oauth/check_token: authenticated clients only
}

Unfortunately, I am not able to find any resources anywhere (i.e. Google, Spring docs, Spring oauth docs) that explain to me how to actually use AuthorizationServerSecurityConfigurer. Moreover, I do not understand exactly what tokenKeyAccess("permitAll()") or checkTokenAccess("isAuthenticated()") do.

Other than helping me understand what those two functions do, please help me learn where to look for these types of information in the future.

Answer

derkoe · Aug 19, 2017

Spring Security OAuth exposes two endpoints for checking tokens (/oauth/check_token and /oauth/token_key). Those endpoints are not exposed by default (have access "denyAll()").

So if you want to verify the tokens with this endpoint you'll have to add this to your authorization server's config:

@Override
public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
    // /oauth/token_key: anonymous callers or clients holding ROLE_TRUSTED_CLIENT
    oauthServer.tokenKeyAccess("isAnonymous() || hasAuthority('ROLE_TRUSTED_CLIENT')")
               // /oauth/check_token: only clients holding ROLE_TRUSTED_CLIENT
               .checkTokenAccess("hasAuthority('ROLE_TRUSTED_CLIENT')");
}

Some more details can be found in the "Resource Server Configuration" section of the Spring Security OAuth2 documentation.
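A fuller version of the configuration the answer describes, as an added example (my code, not the asker's project or derkoe's): the authorization server registers a client that carries ROLE_TRUSTED_CLIENT, restricts both endpoints to it, and a resource server introspects bearer tokens by calling /oauth/check_token with that client's credentials, which is what makes the access expression pass. Client ids, secrets and the host name are assumed placeholders.

```java
// Added example (not the question's or answer's code); client ids, secrets and the URL are placeholders.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.RemoteTokenServices;
import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;

@Configuration
@EnableAuthorizationServer
public class AuthServerConfig extends AuthorizationServerConfigurerAdapter {
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
            // Ordinary client: may obtain tokens, but has no ROLE_TRUSTED_CLIENT and is refused at both endpoints.
            .withClient("web-app")
                .secret("web-secret")                 // placeholder (Spring Security 5 expects an encoded value)
                .authorizedGrantTypes("password", "refresh_token")
            .and()
            // The resource server's own client identity: the only caller allowed to introspect tokens.
            .withClient("resource-server")
                .secret("rs-secret")
                .authorizedGrantTypes("client_credentials")
                .authorities("ROLE_TRUSTED_CLIENT");
    }
    @Override
    public void configure(AuthorizationServerSecurityConfigurer oauthServer) {
        // Both endpoints are denyAll() unless configured here. The strings are Spring Security SpEL
        // expressions evaluated against the HTTP Basic client credentials the caller presents.
        oauthServer
            .tokenKeyAccess("hasAuthority('ROLE_TRUSTED_CLIENT')")
            .checkTokenAccess("hasAuthority('ROLE_TRUSTED_CLIENT')");
    }
}

// Resource-server side: validate bearer tokens by calling /oauth/check_token as the trusted client.
@Configuration
class ResourceServerTokenConfig {
    @Bean
    public ResourceServerTokenServices tokenServices() {
        RemoteTokenServices services = new RemoteTokenServices();
        services.setCheckTokenEndpointUrl("http://auth.example.internal:8080/oauth/check_token");
        services.setClientId("resource-server");
        services.setClientSecret("rs-secret");
        return services;
    }
}
```

The second class belongs in the resource server's own application; it is shown alongside the authorization server so both sides of the check_token exchange are visible together.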