Garmaine Staff asked 1 year ago

I'm trying to develop resource server that provides APIs that will be consumed by various applications. I'm using java spring boot oauth2.0 framework. The applications are web applications that are typical OpenID Connect compliant web applications that will go through the /oauth/authorize endpoint using the authorization code flow. When the authorization is granted, the authorization server returns an access token to the application. The application then uses the access token to access a protected resource (like an API).

My focus is on the Resource Server itself.The Authorization Server is external elsewhere in the cloud.

From APIs standpoint these are REST APIs that are exposed using @RestController annotation like below –

@RestController
@RequestMapping("/myapi")

Below are the properties I'm having in the application.properties in my resource server code –

spring.security.oauth2.resourceserver.jwt.jws-algorithm=RS256
spring.security.oauth2.resourceserver.jwt.issuer-uri=
spring.security.oauth2.resourceserver.jwt.jwk-set-uri=

The main class is as follows –

SpringBootApplication
@EnableResourceServer
public class myApplication {
    public static void main(String[] args) {
        SpringApplication.run(myApplication .class, args);
    }
}

and the class that extends ResourceServerConfigurerAdapter

@Configuration
public class OAuth2ResourceServer extends ResourceServerConfigurerAdapter 
{

    private static final String RESOURCE_ID = "resource-server-rest-api";
    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        resources.resourceId(RESOURCE_ID);
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
            .antMatchers("/").permitAll()
            .antMatchers("/myapi/**").authenticated();
    }
}

Whenever I'm calling the API using POSTMAN while passing AccessToken in the Authorization header, I'm getting invalid_token error. Below is the snippet of the log –

DEBUG 25536 --- [nio-8080-exec-1] p.a.OAuth2AuthenticationProcessingFilter : Authentication request failed: error="invalid_token"

I have verified jwt token, it has correct claims and scopes.

Now question is

  1. Is something missing in the resource server from code standpoint?
  2. Are the application properties correct or anything more need to be added?

Does Resource Server need to interact with Authorization server at run-time? If yes, where is that specified?