ClientSecret about spring-security-mongo HOT 6 CLOSED

I am trying to reproduce the issue but I am not able to do it. I am using the library in other project
and it is working as expected. I have an integration test for it.

https://github.com/caelwinner/copyshare/blob/master/oauth-server/src/test/java/uk/co/caeldev/oauthserver/AuthorizationServerIntegrationTest.java

Take a look to this test for example:
method: shouldGetUserDetailsFromValidAccessToken

Could you please tell me how are you getting this error?
Could you please send me a request sample?

Thank you.

from spring-security-mongo.

Please have a look to this post:

https://raymondhlee.wordpress.com/tag/full-authentication-is-required-to-access-this-resource/

Basically Instead of sending explicitly in the header client Id and secret it is encoded using base64, as Authorization header.

from spring-security-mongo.

Yes I know about the base64 encoding.

So here are some screenshots

1. Add client credentials. See the clientSecret
   

2. It's added to the mongodb collection. The clientSecret is now encoded
   

3. Make a POST request on /oauth/token with the encoded clientSecret in the heeader
   

3.1) HTTP 200 OK
![screen shot 2015-06-04 at 07 01 49
(https://cloud.githubusercontent.com/assets/50061/7977212/1e40812e-0a88-11e5-89b1-83861dd1726d.png)

4. Would you do the request with the clientSecret like in the first screenshot
   

4.1) You end up with a 401 NOT AUTHORIZED

As you said and also tested it should work. Maybe this helps you.

from spring-security-mongo.

Hello

So here is the thing why my integration test is working, In my test I am
persisting the client details using directly the Repository which is not
encrypting anything but the Client Service does.
I will debug it and see how to fix it.
Thank you for your previous post. was really useful! :)

Adolfo

On 4 June 2015 at 06:08, gabac [email protected] wrote:

Yes I know about the base64 encoding.

So here are some screenshots

1. Add client credentials. See the clientSecret
   [image: screen shot 2015-06-04 at 07 00 43]
   https://cloud.githubusercontent.com/assets/50061/7977188/dd39d536-0a87-11e5-91b3-c8c0e53ff3c2.png

2. It's added to the mongodb collection. The clientSecret is now encoded
   [image: screen shot 2015-06-04 at 07 01 02]
   https://cloud.githubusercontent.com/assets/50061/7977199/f66f8172-0a87-11e5-9cd3-9c2b1c8d195b.png

3. Make a POST request on /oauth/token with the encoded clientSecret in
   the heeader
   [image: screen shot 2015-06-04 at 07 01 13]
   https://cloud.githubusercontent.com/assets/50061/7977206/100a13d6-0a88-11e5-8f39-a5a8dc32eac1.png

3.1) HTTP 200 OK
![screen shot 2015-06-04 at 07 01 49
(
https://cloud.githubusercontent.com/assets/50061/7977212/1e40812e-0a88-11e5-89b1-83861dd1726d.png
)

4. Would you do the request with the clientSecret like in the first
   screenshot
   [image: screen shot 2015-06-04 at 07 02 05]
   https://cloud.githubusercontent.com/assets/50061/7977219/3aa92672-0a88-11e5-93e3-aa091ce05f18.png

4.1) You end up with a 401 NOT AUTHORIZED
[image: screen shot 2015-06-04 at 07 02 24]
https://cloud.githubusercontent.com/assets/50061/7977222/44daf224-0a88-11e5-9a06-e043d3ec0eab.png

As you said and also tested it should work. Maybe this helps you.

—
Reply to this email directly or view it on GitHub
#1 (comment)
.

from spring-security-mongo.

I pushed the fix. I did not release a new version but you can use the snapshot version
0.1.10-SNAPSHOT. If you have a moment could you please test it? So I can close the issue.

from spring-security-mongo.

Works fine with 0.1.10-SNAPSHOT

Thanks a lot for you bugfixes :)

from spring-security-mongo.