无法从身份验证服务器获取Oauth2令牌

Question

I have an auth-server configured in spring with

clients
        .inMemory()
        .withClient("my-web-app")
        .secret("my-web-app-secret")
        .authorizedGrantTypes(//
            "authorization_code",//
            "refresh_token",//
            "password"//
        ).scopes("openid")

Now I want to develop a command line application for the webapp. Hence I need to register one more client with a seperate client id and secret. I have done something like this

.and()
        .inMemory()
        .withClient("my-cli")
        .secret("my-cli-secret")
        .authorizedGrantTypes("authorization_code","client_credentials")
        .scopes("read","write","trust").authorities("ROLE_USER");

What I want to achieve is use simply provide the username/password and the client app should be able to get the auth token from the auth server.

What I have tried and understood is I should be using Resource Owner password Grant. I have to use the spring Oauth2restTemplate after this. The problem in this configuration is when I m hitting the tokenuri im getting

{
error: "unauthorized"
error_description: "Full authentication is required to access this resource"
}

and everytime it is hitting with the anonymous user.

Answer 1

If you want to user username/password for obtaining the access token you definitely need to use grant_type=password .

You also don't need to specify .inMemory() twice - just two clients with .and() between them.

So the configuration then have to be something like

@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
    clients
            .inMemory()
                    // First client 
            .withClient("my-web-app")
            .secret("my-web-app-secret")
            .authorizedGrantTypes(//
                    "authorization_code",//
                    "refresh_token",//
                    "password"//
            ).scopes("openid")
            // Second Client(CLI)
            .and()
            .withClient("my-cli")
            .secret("my-cli-secret")
            .authorizedGrantTypes("password")
            .scopes("read", "write", "trust")
            .authorities("ROLE_USER");
}

And other very important thing - you need to set the Authorization: header in the http request for the token. So the header should be

"Authorization: Basic " + Base64.encodeBase64String((clientId + ":" + clientSecret).getBytes())

This header is checked before the username\\password and defines that the client(CLI in your case) is an authorized client (this can cause the error from your question).

That would be really good if you can add the code how exactly you use Oauth2RestTemplate