iainporter / oauth2-provider
Implementation of an oauth2 provider
License: Apache License 2.0
In these files:
    oauth2-provider / src / main / resources / META-INF / velocity / *.vm
These lines need to be changed from:
    <a href="${model.getHostNameUrl()}/******
To:
    <a href="${model.getHostNameUrl()}/oauth2-provider/******
This is a minor issue related to the example login page (index.html).
When entering invalid credentials, a popup appears: "Authentication Required: The server http://localhost:8080 requires a username and password. The server says: oauth."
This popup should not appear.
In VerificationTokenServiceImpl, I don't think this is required since it's in the constructor. Unless I'm missing something....
    @Autowired
    public void setUserRepository(UserRepository userRepository) {
        this.userRepository = userRepository;
    }
Unable to login on http://localhost:8080/oauth2-provider/index.html
POST http://localhost:8080/oauth2-provider/oauth/token 500 (Server Error)
Would be great to implement server-side support for authentication through Facebook, Twitter, LinkedIn, etc.
Line 28 of SpringCrossOriginResourceSharingFilter is:
    response.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, DELETE, OPTIONS");
It should be:
    response.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, DELETE");
It would be nice to use a more recent version of Jersey. Currently you are using version 1.9.1 while the latest version is 2.11. It is causing conflicts with other components that we want to integrate with your framework but that use Jersey 2.11. Just a thought.
Result: Form is accepted and redirection to Dashboard, console message:
GET http://localhost:8080/oauth2-provider/v1.0/me 401 (Unauthorized) jquery-1.8.2.min.js:2
Expected: a message saying that the two passwords don't match
Result: Form is accepted and redirection to Dashboard, console message:
GET http://localhost:8080/oauth2-provider/v1.0/me 401 (Unauthorized) jquery-1.8.2.min.js:2
Result: Message "Email and/or password did not match a user account."
POST http://localhost:8080/oauth2-provider/oauth/token 400 (Bad Request) jquery-1.8.2.min.js:2
UPDATE: I numbered the points from 1. to 3. but they all appear as 1.
Hi, this is not an issue, just a question. Can you help me? Thanks in advance.
You added the CORS filter to /oauth/token, and that works, but do you know how to add the CORS filter to the resources (/v1.0/**)? I always get this:
    Remote Address:[::1]:8080
    Request URL:http://localhost:8080/v1.0/xxx
    Request Method:OPTIONS
    Status Code:401 Unauthorized
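The two CORS reports above (the duplicated OPTIONS entry in the Access-Control-Allow-Methods header, and the 401 returned for an OPTIONS request on /v1.0/xxx) are both handled by the servlet filter below. It is an added example written for this page; it is not the project's SpringCrossOriginResourceSharingFilter and not code from either reporter. The browser sends the CORS preflight OPTIONS without an Authorization header, so if the preflight reaches the Spring Security filter chain before any CORS filter it is refused as unauthenticated. The example therefore answers the preflight itself, lists each method once, and echoes only an explicitly allowed origin instead of "*". Assumptions: the filter is mapped in web.xml ahead of springSecurityFilterChain on both /oauth/* and /v1.0/*, and the allowed origin is a constructed placeholder.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example, not project code: a CORS filter that answers the preflight
 * before the security filter chain sees it, so OPTIONS /v1.0/... no longer
 * returns 401, while the real request still has to carry a bearer token.
 */
public class PreflightAwareCorsFilter implements Filter {

    // Constructed placeholder; a real deployment lists the origins it actually serves.
    private static final String ALLOWED_ORIGIN = "https://app.example.com";

    // Each method listed exactly once (the original line repeated OPTIONS).
    private static final String ALLOWED_METHODS = "POST, GET, OPTIONS, DELETE";

    // Authorization must be allowed explicitly, otherwise the bearer token
    // header is stripped from the cross-origin request by the browser.
    private static final String ALLOWED_HEADERS = "Authorization, Content-Type";

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // nothing to configure for this example
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String origin = request.getHeader("Origin");
        boolean crossOrigin = origin != null;

        if (crossOrigin && ALLOWED_ORIGIN.equals(origin)) {
            // Echo the matched origin rather than "*": "*" cannot be combined with
            // credentials, and an allow-list keeps unknown sites from calling the API.
            response.setHeader("Access-Control-Allow-Origin", origin);
            response.setHeader("Access-Control-Allow-Methods", ALLOWED_METHODS);
            response.setHeader("Access-Control-Allow-Headers", ALLOWED_HEADERS);
            response.setHeader("Access-Control-Max-Age", "3600");
            // Responses differ per origin, so intermediaries must not cache across origins.
            response.addHeader("Vary", "Origin");
        }

        boolean preflight = crossOrigin
                && "OPTIONS".equalsIgnoreCase(request.getMethod())
                && request.getHeader("Access-Control-Request-Method") != null;

        if (preflight) {
            // The preflight carries no credentials by design; finish it here instead
            // of passing it on to Spring Security, which would reply 401.
            response.setStatus(HttpServletResponse.SC_OK);
            return;
        }

        // Actual requests (GET /v1.0/me etc.) continue to the security filters.
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

Only the preflight is short-circuited; a GET or POST with an Origin header still passes through the security filters, so protected resources remain protected and an unauthenticated cross-origin call gets the usual 401.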
After having submitted a password reset request, I received an email containing the following URL:
    http://localhost:8080/reset_password.html?ZGNkNTE0OTAtNTg0OC00MDUyLWJhZGQtMmRlOTQzYTUyNWQ3
When I enter this URL in a browser, the page is blank and the following error is shown in the JavaScript console:
    Failed to load resource: the server responded with a status of 404 (Not Found)
The MongoDB database is correctly configured as I can add a user, login and logout.
Using curl to get user information returns an error code 401.
    curl -v -X POST \
        -H "Content-Type: application/json" \
        -H "Authorization: Basic MzUzYjMwMmM0NDU3NGY1NjUwNDU2ODdlNTM0ZTdkNmE6Mjg2OTI0Njk3ZTYxNWE2NzJhNjQ2YTQ5MzU0NTY0NmM=" \
        'http://localhost:8080/oauth2-provider/oauth/token?grant_type=password&username=xxx&password=password'
returns OK.
    curl -v -X GET \
        -H "Content-Type: application/json" \
        -H "Authorization: Bearer 9ea7d2dc-eb01-40b2-a29f-bb33ef11c6c9" \
        'http://localhost:8080/oauth2-provider/v1.0/me'
returns:
* Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 8080 (#0)
> GET /oauth2-provider/v1.0/me HTTP/1.1
> User-Agent: curl/7.35.0
> Host: localhost:8080
> Accept: */*
> Content-Type: application/json
> Authorization: Bearer 9ea7d2dc-eb01-40b2-a29f-bb33ef11c6c9
>
< HTTP/1.1 401 Unauthorized
< Date: Wed, 12 Nov 2014 15:20:23 GMT
< Content-Type: application/json
< Content-Length: 168
* Server Jetty(9.2.3.v20140905) is not blacklisted
< Server: Jetty(9.2.3.v20140905)
<
* Connection #0 to host localhost left intact
{"errorCode":"401","consumerMessage":"You do not have the appropriate privileges to access this resource","applicationMessage":"Access is denied","validationErrors":[]}
    @RolesAllowed({"ROLE_USER"})
    @Path("/{id}")
    @GET
    public ApiUser getUser(final @PathParam("id") String userId, final @Context SecurityContext securityContext) {
        User requestingUser = loadUserFromSecurityContext(securityContext);
        // debugging: log the roles the caller actually carries
        for (Role role : requestingUser.getRoles()) {
            LOG.info(role.toString());
        }
        ApiUser targetUser = userService.getUser(userId);
        if (targetUser == null) {
            throw new UserNotFoundException();
        }
        // admins may read any user; everyone else only their own record
        if (requestingUser.getRoles().contains(Role.ROLE_ADMIN) || requestingUser.getId().equals(userId)) {
            return targetUser;
        }
        throw new AuthorizationException("User not permitted to access this resource");
    }
I manually changed the role of UserA in MongoDB from ROLE_USER to ROLE_ADMIN. But when I execute the above method, requestingUser = UserA prints that it has only the role ROLE_USER.
If I replace @RolesAllowed({"ROLE_USER"}) by @RolesAllowed({"ROLE_USER", "ROLE_ADMIN"}) (which contradicts the purpose of the hierarchical roles you presented), an error 401 ("Access is denied") is systematically returned and the content of the method getUser() is never evaluated.
UPDATE: I also get an error 401 when I use @RolesAllowed({"ROLE_ADMIN"}) and I'm logged in with an account which has the role ROLE_ADMIN.
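The report above expects ROLE_ADMIN to satisfy a @RolesAllowed({"ROLE_USER"}) requirement and compares the caller's stored role list literally. The class below is an added example written for this page (not project code and not the reporter's code) that makes the same "admin or self" decision as the getUser() method, but against the caller's effective roles resolved through Spring Security's RoleHierarchyImpl, so an account holding only ROLE_ADMIN is still treated as a ROLE_USER. The hierarchy string "ROLE_ADMIN > ROLE_USER" and the user ids in main() are assumptions for the example.

```java
import java.util.Arrays;
import java.util.Collection;
import java.util.List;

import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
import org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;

/**
 * Added example, not project code: evaluate the "admin or self" rule from the
 * getUser() method above against the caller's effective roles (direct roles
 * plus everything reachable through the role hierarchy) rather than the literal
 * list stored on the user document.
 */
public class HierarchicalAccessCheck {

    private final RoleHierarchy roleHierarchy;

    /** @param hierarchy e.g. "ROLE_ADMIN > ROLE_USER" (assumed hierarchy for this example). */
    public HierarchicalAccessCheck(String hierarchy) {
        RoleHierarchyImpl impl = new RoleHierarchyImpl();
        impl.setHierarchy(hierarchy);
        this.roleHierarchy = impl;
    }

    /** All authorities the caller holds directly or inherits through the hierarchy. */
    public Collection<? extends GrantedAuthority> effectiveRoles(Collection<? extends GrantedAuthority> direct) {
        return roleHierarchy.getReachableGrantedAuthorities(direct);
    }

    /** True if the required role is among the caller's effective roles. */
    public boolean hasRole(Collection<? extends GrantedAuthority> direct, String required) {
        for (GrantedAuthority authority : effectiveRoles(direct)) {
            if (required.equals(authority.getAuthority())) {
                return true;
            }
        }
        return false;
    }

    /** Same decision as the issue's getUser(): admins may read anyone, users only themselves. */
    public boolean mayReadUser(String requestingUserId,
                               Collection<? extends GrantedAuthority> direct,
                               String targetUserId) {
        return hasRole(direct, "ROLE_ADMIN") || requestingUserId.equals(targetUserId);
    }

    public static void main(String[] args) {
        HierarchicalAccessCheck check = new HierarchicalAccessCheck("ROLE_ADMIN > ROLE_USER");

        // Constructed accounts: one stored with only ROLE_ADMIN, one with only ROLE_USER.
        List<GrantedAuthority> adminOnly = Arrays.<GrantedAuthority>asList(new SimpleGrantedAuthority("ROLE_ADMIN"));
        List<GrantedAuthority> userOnly = Arrays.<GrantedAuthority>asList(new SimpleGrantedAuthority("ROLE_USER"));

        // An admin-only account satisfies a ROLE_USER requirement through the hierarchy.
        System.out.println("admin has ROLE_USER: " + check.hasRole(adminOnly, "ROLE_USER"));
        // The admin may read another user's record.
        System.out.println("admin reads user-7: " + check.mayReadUser("admin-1", adminOnly, "user-7"));
        // A plain user may read its own record but not somebody else's.
        System.out.println("user-7 reads user-7: " + check.mayReadUser("user-7", userOnly, "user-7"));
        System.out.println("user-7 reads user-8: " + check.mayReadUser("user-7", userOnly, "user-8"));
    }
}
```

Two things are worth checking when this is wired into the project. First, @RolesAllowed is evaluated by Spring Security's JSR-250 voter, which compares role names literally; for the annotation itself to honour the hierarchy, a RoleHierarchyVoter built from the same RoleHierarchyImpl has to be added to the method-security AccessDecisionManager. Second, a role edited directly in MongoDB is typically not visible to requests made with an access token issued earlier, because the token store keeps the Authentication captured at issuance; obtaining a fresh token after the change is the first thing to verify before suspecting the authorization code.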
Issue #5 "Authentication Required" should be reopened (or revisited).
The behaviour and response are different in these two scenarios:
1) login with an INVALID username and an INVALID password
2) login with a CORRECT username and an INVALID password
The fix only works for scenario 1), but why is an HTML response considered RESTful?
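The browser popup described in the earlier report and the HTML response questioned here both come from a 401 that carries a Basic challenge: browsers raise their native credentials dialog whenever a response includes WWW-Authenticate: Basic. The entry point below is an added example written for this page (not the project's code) of how a JSON API can answer 401 instead: it sends a Bearer challenge, which browsers do not turn into a dialog, returns a JSON body in the same shape as the error object quoted in the curl output above, and uses one generic message for both scenarios so the response does not reveal whether the username exists. Assumptions: it is registered as the AuthenticationEntryPoint for the token and resource endpoints in place of the Basic one, and the realm name is a placeholder.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;

/**
 * Added example, not project code: a 401 entry point for a JSON API that never
 * issues a "Basic" challenge, so browsers do not show the login popup, and that
 * answers identically whether the username or the password was wrong.
 */
public class JsonAuthenticationEntryPoint implements AuthenticationEntryPoint {

    private final String realm;

    /** @param realm placeholder realm name for the Bearer challenge. */
    public JsonAuthenticationEntryPoint(String realm) {
        this.realm = realm;
    }

    @Override
    public void commence(HttpServletRequest request,
                         HttpServletResponse response,
                         AuthenticationException authException)
            throws IOException, ServletException {
        // RFC 6750: a bearer-protected resource replies 401 with a Bearer challenge.
        // Browsers only open the credentials dialog for Basic/Digest challenges.
        response.setHeader("WWW-Authenticate", "Bearer realm=\"" + realm + "\"");
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        response.setContentType("application/json");
        response.setCharacterEncoding("UTF-8");

        // One generic body for every failure: the client learns that authentication
        // is required, not which of username or password was wrong. The field names
        // mirror the error object returned by the API in the curl output above.
        response.getWriter().write(
                "{\"errorCode\":\"401\","
              + "\"consumerMessage\":\"Authentication required\","
              + "\"applicationMessage\":\"Invalid credentials\","
              + "\"validationErrors\":[]}");
        response.getWriter().flush();
    }
}
```

The exception passed to commence() is deliberately not serialised into the body; Spring Security's exception types distinguish "no such user" from "bad password", and echoing them would recreate the difference between the two scenarios listed above.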
If you add this to User.java, for example:
    @CompoundIndexes(value=@CompoundIndex(name="email_idx", def="{'emailAddress':1}", unique=true))
    public class User extends BaseEntity implements UserDetails {
this breaks the MongoDbConfigurationTest tests with the error below; it looks like Mongo is not running?
    Caused by: com.mongodb.MongoServerSelectionException: Unable to connect to any server that matches AnyServerSelector{}
        at com.mongodb.BaseCluster.getServer(BaseCluster.java:80)
        at com.mongodb.DBTCPConnector.getServer(DBTCPConnector.java:666)
        at com.mongodb.DBTCPConnector.access$300(DBTCPConnector.java:42)
        at com.mongodb.DBTCPConnector$MyPort.getConnection(DBTCPConnector.java:511)
        at com.mongodb.DBTCPConnector$MyPort.get(DBTCPConnector.java:459)
        at com.mongodb.DBTCPConnector.getPrimaryPort(DBTCPConnector.java:417)
        at com.mongodb.DBCollectionImpl.createIndex(DBCollectionImpl.java:337)
        at com.mongodb.DBCollection.createIndex(DBCollection.java:564)
        at org.springframework.data.mongodb.core.index.MongoPersistentEntityIndexCreator.createIndex(MongoPersistentEntityIndexCreator.java:135)
        ...
The following error is thrown when user tries to login with valid credentials:
[http-nio-8080-exec-3] INFO org.springframework.security.oauth2.provider.endpoint.TokenEndpoint - Handling error: IllegalArgumentException, The given entity must not be null!
I suspect it has something to do with access tokens because if I delete the entries in oAuth2AuthenticationAccessToken, it seems to work again.