Spring security Oauth client - Request like a postman example

Question

I am trying to do a JUnit Tests that executes an OAuth flow.

My customer built a OAuth provider, when I make a test using postman, the postman show me a screen to fill down the credentials, after that, the postman store the information (access_token, id_token, all JWT informations), it is ok.

See the example:

My code to test is:

@Test
    public void getAccessTokenViaSpringSecurityOAuthClient() {
        try {

            OAuth2ProtectedResourceDetails resourceDetails = googleOAuth2Details();

            OAuth2RestTemplate oAuthRestTemplate = new OAuth2RestTemplate(resourceDetails);

            org.springframework.http.HttpHeaders headers = new org.springframework.http.HttpHeaders();
            headers.setContentType(MediaType.APPLICATION_JSON);

            OAuth2AccessToken token = oAuthRestTemplate.getAccessToken();
            System.out.println(oAuthRestTemplate.getResource());
            System.out.println(oAuthRestTemplate.getOAuth2ClientContext());
            System.out.println(token);

            Assert.assertTrue(token != null);

        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    public OAuth2ProtectedResourceDetails googleOAuth2Details() {
        AuthorizationCodeResourceDetails googleOAuth2Details = new AuthorizationCodeResourceDetails();
        googleOAuth2Details.setClientId("xxxxx");
        googleOAuth2Details.setUserAuthorizationUri("https://xxx/yyy/oauth2/authorize");
        googleOAuth2Details.setAccessTokenUri("https://xxx/yyy/oauth2/token");
        googleOAuth2Details.setScope(Arrays.asList("openid"));
        googleOAuth2Details.setPreEstablishedRedirectUri("https://www.getpostman.com/oauth2/callback");
        googleOAuth2Details.setAuthenticationScheme(AuthenticationScheme.query);
        googleOAuth2Details.setClientAuthenticationScheme(AuthenticationScheme.form);

        return googleOAuth2Details;
    }

When I run the task, this exception happens:

org.springframework.security.oauth2.client.resource.UserRedirectRequiredException: A redirect is required to get the users approval

Is it possible to test this flow? How can I do it?

Answer 1

The exception explains the problem : A redirect is required to get the users approval .

Postman is hiding the fact that once the authorization process is over, the authorization server redirects your browser to a redirect_uri , or Callback URL as Postman names it. This URL collects the authorization code delivered by the authorization server, and requests a token.
See the authorization code flow for more details :

• OAuth 2.0 RFC 6749
• a simplfied diagram

This means that you cannot "unit test" the authorization code grant of an authorization server. You need some kind of web server to process the callback of the authorization code flow.

You could probably test your authorization a lot faster by creating a @SpringBootTest with a Spring Boot application using @EnableOAuth2Sso . Spring Boot will auto-configure an OAuth2RestTemplate for you, and you can have it @Autowired in your JUnit test.