Details

    • Type: Defect
    • Status: Resolved
    • Priority: Minor
    • Resolution: Complete
    • Affects Version/s: 1.0.0.RC1
    • Fix Version/s: 1.0.1
    • Component/s: OAuth 2
    • Labels:

      Description

      After doing the OAuth dance in tonr/sparklr with "marissa", a GET request to the admin endpoints passing the correct access token fails.

      >
      GET http://localhost:8080/sparklr2/oauth/users/marissa/tokens
      Authorization: Bearer (token)

      <
      403 Forbidden

      {"error":"access_denied","error_description":"Access is denied"}

      However, a POST request works.

      <
      200 OK
      [

      {"access_token":"(access-token)","token_type":"bearer","refresh_token":"(refresh-token)","expires_in":26603,"scope":"read","client_id":"client1"}

      ]

      This appears to conflict with sparklr2's configuration:

      <intercept-url pattern="/oauth/users/.*"
      access="#oauth2.clientHasRole('ROLE_CLIENT') and (hasRole('ROLE_USER') or #oauth2.isClient()) and #oauth2.hasScope('read')"
      method="GET" />

        Activity

        Dave Syer added a comment -

        I think the GET response is probably correct, right (your client is not permitted to view tokens)? All POSTs should be disallowed (it's a 1-liner in the config file).

        Andrey Dikun added a comment -

        Faced with the same issue on a JDBC-based token store project.
        Actually this line #oauth2.clientHasRole('ROLE_CLIENT') returns false during GET/DELETE etc. requests and true during POST requests. Haven't resolved it yet, but tonr and sparklr seem to be working for me in all cases.

        Ali Moghadam added a comment -

        I have just done a test with curl and both POST and GET work fine. They return the token JSON just fine. Here are the curl commands I used for GET and POST respectively:

        curl -X GET -H "Authorization: Bearer 91f54fe4-7bd1-41ba-919d-255aa68da8e4" http://localhost:8080/sparklr2/oauth/users/marissa/tokens

        curl -X POST -H "Authorization: Bearer 91f54fe4-7bd1-41ba-919d-255aa68da8e4" http://localhost:8080/sparklr2/oauth/users/marissa/tokens

        I went as far as actually changing the RequestMapping of the listTokensForUser method inside AdminController.java to RequestMethod.POST, and my GET curl command failed, giving me "HTTP Status 405 - Request method 'GET' not supported".

        Ali Moghadam added a comment -

        Please take a look at the following pull request:

        https://github.com/SpringSource/spring-security-oauth/pull/63

        Dave Syer added a comment -

        Fixed (added denyAll()).

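        The mechanism behind the behaviour reported above, as the resolution indicates: an &lt;intercept-url&gt; that carries method="GET" matches GET requests only, so a POST to the same path matched no rule for that pattern and the role/scope expression was never evaluated for it. The fix described in the final comment is a method-less catch-all for the same pattern that denies anything not already matched. The fragment below is an added illustration written for this page, not the sparklr2 configuration as committed in the fix; it assumes a Spring Security &lt;http use-expressions="true"&gt; block configured for regex path matching (request-matcher="regex" in Spring Security 3.1, which the ".*" in the pattern implies) with the OAuth2 expression handler registered so that #oauth2.* resolves, and it reuses the description's access expression verbatim.

```xml
<!-- Added illustration for this issue page, not sparklr2's committed fix.
     Assumes <http use-expressions="true" request-matcher="regex"> and the
     OAuth2 expression handler, so that #oauth2.* methods resolve. -->

<!-- BEFORE: only GET is covered. A POST, PUT or DELETE to /oauth/users/...
     matches no <intercept-url> for this pattern, so the client-role, user-role
     and scope check below never runs for it; the request falls through to
     whatever later rule or default applies, which is how the reporter's POST
     returned the token list with 200 while the GET was denied. -->
<intercept-url pattern="/oauth/users/.*"
    access="#oauth2.clientHasRole('ROLE_CLIENT') and (hasRole('ROLE_USER') or #oauth2.isClient()) and #oauth2.hasScope('read')"
    method="GET" />

<!-- AFTER: keep the GET rule and add a catch-all for the same pattern with no
     method attribute. Rules are evaluated top to bottom and the first match
     wins, so a GET still reaches the expression above while every other
     method is rejected. Order matters: denyAll() must come after the GET
     rule, otherwise it shadows it and GET is denied as well. -->
<intercept-url pattern="/oauth/users/.*"
    access="#oauth2.clientHasRole('ROLE_CLIENT') and (hasRole('ROLE_USER') or #oauth2.isClient()) and #oauth2.hasScope('read')"
    method="GET" />
<intercept-url pattern="/oauth/users/.*" access="denyAll()" />
```

        To confirm the change, repeat the reporter's POST with the same bearer token: it should now return 403 with the access_denied body rather than the token list, while the curl GET shown in the thread behaves exactly as before. The same audit applies to any other pattern in the file whose only rules carry a method attribute; each such pattern needs its own trailing catch-all, since a method-scoped rule protects nothing but that one method.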

          People

          • Assignee:
            Dave Syer
            Reporter:
            John Rodriguez
          • Votes:
            0
            Watchers:
            4

            Dates

            • Created:
              Updated:
              Resolved: