Spring Security OAuth2 JWT令牌中继问题

Question

I am facing issue with Token Relay while communicating from one ResourceServer to another ResourceServer.

My AuthServer is based on Dave Sayer's sample and this is the application.yml for resource server1.

security:
 user:
    password: none
  oauth2:
    client:
      accessTokenUri: http://localhost:9999/uaa/oauth/token
      userAuthorizationUri: http://localhost:9999/uaa/oauth/authorize
      clientId: trusted
      clientSecret: secret

The config is very similar in resource server2, except that it is using a different clientId

Here is how i am creating the OAuth2RestTemplate in resource server1.

@LoadBalanced
@Bean
@Autowired
public OAuth2RestTemplate loadBalancedOauth2RestTemplate(OAuth2ClientContext oauth2ClientContext,
                                                         OAuth2ProtectedResourceDetails details) {
    return new OAuth2RestTemplate(details, oauth2ClientContext);
}

This call requires JWT OAuth2 Token Relay, but its not happening probably.

@GetMapping("/test-relay")
public String fetchMyProfile2() {
    final ResponseEntity<String> forEntity = oauthRestTemplate.getForEntity("http://my-oauth/users/me", String.class);
    final String body = forEntity.getBody();
    System.out.println("body = " + body);
    return body;
}

This is the exception i get while invoking this endpoint /test-relay from Postman RestClient. I am specifying JWT Token in Authorization Header while making the call.

org.springframework.security.oauth2.client.resource.UserRedirectRequiredException: A redirect is required to get the users approval
at org.springframework.security.oauth2.client.token.grant.code.AuthorizationCodeAccessTokenProvider.getRedirectForAuthorization(AuthorizationCodeAccessTokenProvider.java:359)
at org.springframework.security.oauth2.client.token.grant.code.AuthorizationCodeAccessTokenProvider.obtainAccessToken(AuthorizationCodeAccessTokenProvider.java:205)
at org.springframework.security.oauth2.client.token.AccessTokenProviderChain.obtainNewAccessTokenInternal(AccessTokenProviderChain.java:148)
at org.springframework.security.oauth2.client.token.AccessTokenProviderChain.obtainAccessToken(AccessTokenProviderChain.java:121)
at org.springframework.security.oauth2.client.OAuth2RestTemplate.acquireAccessToken(OAuth2RestTemplate.java:221)
at org.springframework.security.oauth2.client.OAuth2RestTemplate.getAccessToken(OAuth2RestTemplate.java:173)
at org.springframework.security.oauth2.client.OAuth2RestTemplate.createRequest(OAuth2RestTemplate.java:105)
at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:648)
at org.springframework.security.oauth2.client.OAuth2RestTemplate.doExecute(OAuth2RestTemplate.java:128)

I am using Spring Boot 1.5.2/3. My Resource Server is a UI Server as well, and this call works fine if i use Web Browser to hit the url.

UPDATE-1

This issue only happens for Resource Server that is a UI server too ie with @EnableOAuth2Sso annotation present on it. For a pure Resource Server that does not have @EnableOAuth2Sso , token relay works perfectly fine.

Answer 1

You might be affected by the bug I reported https://github.com/spring-cloud/spring-cloud-security/issues/123 . See if this workaround helps :

@Configuration
public class WorkaroundConfig extends WebMvcConfigurerAdapter {

    @Autowired
    @Qualifier("tokenRelayRequestInterceptor")
    HandlerInterceptor handlerInterceptor;

    @Override
    public void addInterceptors (InterceptorRegistry registry) {
        registry.addInterceptor(handlerInterceptor);
    }

}