从 postman 向 Spring OAuth2 应用发送请求

Question

I have created simplest spring oauth2 application. Here is all(:) my code

@SpringBootApplication
public class Oauth2Application {

    public static void main(String[] args) {
        SpringApplication.run(Oauth2Application.class, args);
    }
}

@RestController
@CrossOrigin("*")
public class Controller {

    @GetMapping
    public String hello() {
        return "Hello";
    }

}

spring:
  security:
    oauth2:
      client:
        registration:
          github:
            clientId: clientId
            clientSecret: clientSecret

And I want to send a request to my hello endpoint via Postman.

I have filled all required fields in the OAuth2 tab and generated my token. I can see my token in the Authorization header, but still, my request to localhost:8080 fails and returns me GitHub login page. What am I doing wrong?

I have also generated token by myself by sending direct requests to Github auth URL and access token URL and this token didn't work for my app but worked for Github API.

Also interesting, is that when I am sending a request from a browser, it prompts me to the login page, I am logging in to Github and it redirects me to initial the page, I can't see any Authorization headers in all those requests. Only JSESSIONID cookie.

Please, guys, I would appreciate any ideas on how to make it work. Thanks

Answer 1

I'll post a response as I don't have enough reputation to add a comment but it's more a hint than a response...

First regarding the fact that you are not able to find the Authorization header when you look at the exchanges between the browser and your backend.
I don't have it either but if you take a look at the cookies of your request you will find a KEYCLOCK_IDENTITY cookie.
I use Keycloak as my identity provider but yours should look like GOOGLE_IDENTITY I guess ?
It should hold the informations needed to ensure that you are who you are (at least it's my understanding of the presence of this cookie).

Second thing: it looks like you want to use your SpringBoot application as a resource server, you should probably take a look at this page and use the spring-boot-starter-oauth2-resource-server dependency instead of the spring-boot-starter-oauth2-client dependency in order to make it work with an HTTP client like Postman.

I hope it helps.

Answer 2

@Gilles is right, you are writing a OAuth2 resource-server , not a client .

You can hardly use Github as authorization-server for your resource-server: it issues "opaque" tokens (not JWTs) which you can't use easily with spring-boot-starter-oauth2-resource-server or alike.

An option for you is using an OIDC authorization-server of your own (like Keycloak) capable of "user identity federation": it will proxy Github (and any other common identity provider you like like Google, Facebook, etc.).

Once you have an authorization-server issuing JWT access-tokens, you can have a look at those tutorials to configure your resource-server:

• resource-server_with_jwtauthenticationtoken
• resource-server_with_oauthentication (requires more Java config)