Issue
I have created the simplest Spring OAuth2 application. Here is all(!) my code:
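```java
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;

@SpringBootApplication
public class Oauth2Application {
    public static void main(String[] args) {
        SpringApplication.run(Oauth2Application.class, args);
    }
}
```

```java
import org.springframework.web.bind.annotation.CrossOrigin;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@CrossOrigin("*") // allows cross-origin requests from any origin
public class Controller {
    // Mapped to GET / (no path given)
    @GetMapping
    public String hello() {
        return "Hello";
    }
}
```

```yaml
spring:
  security:
    oauth2:
      client:
        registration:
          github:
            clientId: clientId
            clientSecret: clientSecret
```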
And I want to send a request to my hello endpoint via Postman.
I have filled in all required fields in the OAuth2 tab and generated my token. I can see my token in the Authorization header, but still, my request to localhost:8080 fails and returns the GitHub login page. What am I doing wrong?
I have also generated a token myself by sending direct requests to the GitHub auth URL and access token URL, and this token didn't work for my app but worked for the GitHub API.
Also interesting is that when I send a request from a browser, it redirects me to the login page, I log in to GitHub and it redirects me to the initial page, and I can't see any Authorization headers in any of those requests. Only the JSESSIONID cookie.
Please, guys, I would appreciate any ideas on how to make it work. Thanks!
Solution
@Gilles is right: you are writing an OAuth2 resource-server, not a client.
You can hardly use GitHub as authorization-server for your resource-server: it issues "opaque" tokens (not JWTs) which you can't use easily with spring-boot-starter-oauth2-resource-server or alike (I don't know of any introspection endpoint for GitHub tokens).
An option for you is using an OIDC authorization-server of your own (like Keycloak) capable of "user identity federation": it will proxy GitHub (and any other common identity provider you like: Google, Facebook, etc.).
Once you have an authorization-server issuing JWT access-tokens, you can have a look at those tutorials to configure your resource-server:
- resource-server_with_jwtauthenticationtoken
- resource-server_with_oauthentication (requires more Java config)
Answered By - ch4mp
Answer Checked By - Cary Denson (JavaFixing Admin)
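
The resource-server setup the answer describes, as an added example that is not the answerer's or the poster's code: it validates JWT bearer tokens from an OIDC authorization-server instead of starting a login redirect. The issuer URL, the audience value and the class names are hypothetical; it assumes Spring Boot 3 with Spring Security 6.1+ and spring-boot-starter-oauth2-resource-server, and an authorization-server configured to put the audience in the `aud` claim.

```java
// Added example (assumptions: Spring Security 6.1+, hypothetical issuer and audience).
import java.util.List;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.*;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
public class ResourceServerConfig {
    // Hypothetical values: a local Keycloak realm and the audience it issues for this API.
    static final String ISSUER = "http://localhost:8081/realms/demo";
    static final String AUDIENCE = "hello-api";

    @Bean
    SecurityFilterChain api(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            // Check "Authorization: Bearer <JWT>" on each request; no redirect to a login page.
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()))
            // No JSESSIONID: every request must carry its own token.
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .csrf(csrf -> csrf.disable());
        return http.build();
    }

    @Bean
    JwtDecoder jwtDecoder() {
        // Resolves the issuer's metadata (and from it the JWKS URI) at startup.
        NimbusJwtDecoder decoder = JwtDecoders.fromIssuerLocation(ISSUER);
        // Signature and expiry are checked by default; also pin issuer and audience.
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(
            JwtValidators.createDefaultWithIssuer(ISSUER),
            new JwtClaimValidator<List<String>>(JwtClaimNames.AUD,
                aud -> aud != null && aud.contains(AUDIENCE))));
        return decoder;
    }
}

@RestController
class HelloController {
    @GetMapping
    String hello(@AuthenticationPrincipal Jwt jwt) {
        return "Hello " + jwt.getSubject(); // subject claim of the validated token
    }
}
```

With this in place, a request without a valid token gets a 401 with a `WWW-Authenticate: Bearer` header rather than a redirect to a login page.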