Hi Jason, On 14/07/14 06:06, Jason Chaffee wrote:
> I am trying to use the AccessTokenValidatorService, but I keep running into a problem of the UserPrincipal being null.
>
>     // imports added for readability (javax.ws.rs API and the CXF OAuth2 packages)
>     import javax.ws.rs.Consumes;
>     import javax.ws.rs.Encoded;
>     import javax.ws.rs.FormParam;
>     import javax.ws.rs.POST;
>     import javax.ws.rs.Path;
>     import javax.ws.rs.Produces;
>     import javax.ws.rs.core.MediaType;
>     import org.apache.cxf.rs.security.oauth2.common.AccessTokenValidation;
>     import org.apache.cxf.rs.security.oauth2.services.AbstractAccessTokenValidator;
>     import org.apache.cxf.rs.security.oauth2.utils.AuthorizationUtils;
>     import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
>
>     @Path("validate")
>     public class AccessTokenValidatorService extends AbstractAccessTokenValidator {
>
>         @POST
>         @Produces({MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
>         @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
>         public AccessTokenValidation getTokenValidationInfo(
>                 @FormParam(OAuthConstants.AUTHORIZATION_SCHEME_TYPE) String authScheme,
>                 @Encoded @FormParam(OAuthConstants.AUTHORIZATION_SCHEME_DATA) String authSchemeData) {
>             // reject callers that have not authenticated to this endpoint
>             if (getMessageContext().getSecurityContext().getUserPrincipal() == null) {
>                 AuthorizationUtils.throwAuthorizationFailure(supportedSchemes, realm);
>             }
>             return super.getAccessTokenValidation(authScheme, authSchemeData);
>         }
>     }
>
> However, my token is a client_credentials grant type and there is no user.
Here we are talking about a resource server protected by an OAuth2 filter, with this filter interacting with a remote AccessTokenValidatorService.
The filter and the service validate the client access token (irrespective of the grant the token originated from).
AccessTokenValidatorService accepts the token details as form parameters. What it checks further is that it has been invoked by a resource server which knows how to authenticate against AccessTokenValidatorService.
The user principal the service checks has no relationship to the client accessing the resource server that is currently invoking the validator service. It is expected to represent an authenticated caller scoped by OAuthRequestFilter.
> Also, I am wondering why the OAuth server would have a UserPrincipal to begin with. The end user does not even know this service exists as the protected services are calling it with the Auth token they are called with. So, I don't understand why a UserPrincipal should ever be present? If I am missing something, how does the UserPrincipal get created and added to the SecurityContext then?
In this case just make sure AccessTokenValidatorClient has a WebClient injected with a username/password set and that the endpoint hosting AccessTokenValidatorService is protected. You can easily replace AccessTokenValidatorClient with a custom AccessTokenValidator implementation if more complex authentication requirements have to be met.
Basically, treat AccessTokenValidatorService as a regular JAX-RS endpoint that needs to be protected :-)
HTH, Sergey
> Any help on this would be greatly appreciated as no matter what I have tried I can't get this service to work.
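Worked example of the wiring Sergey describes (added here as an illustration; it is not code from this thread or from the CXF project itself). The resource-server side gives AccessTokenValidatorClient a WebClient carrying HTTP Basic credentials; the authorization-server side protects the endpoint hosting AccessTokenValidatorService with a Basic-auth ContainerRequestFilter that installs a SecurityContext, so getUserPrincipal() names the calling resource server rather than any end user. The URL, the "resource-server-1"/"rs1-secret" credentials and the in-memory caller table are constructed for the example; WebClient.create(address, username, password, configFile), AccessTokenValidatorClient.setTokenValidatorClient and OAuthRequestFilter.setTokenValidators are the CXF calls being used, and java.util.Base64 needs Java 8.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Base64;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import javax.annotation.Priority;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.PreMatching;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;

import org.apache.cxf.jaxrs.client.WebClient;
import org.apache.cxf.rs.security.oauth2.filters.AccessTokenValidatorClient;
import org.apache.cxf.rs.security.oauth2.filters.OAuthRequestFilter;
import org.apache.cxf.rs.security.oauth2.provider.AccessTokenValidator;

public final class ValidatorWiring {

    /** Resource-server side: an OAuthRequestFilter that delegates to the remote validator. */
    public static OAuthRequestFilter resourceServerFilter() {
        // Hypothetical address and credentials. They identify the RESOURCE SERVER to the
        // validator endpoint and have nothing to do with the end user or the OAuth client.
        WebClient client = WebClient.create("https://auth.example.com/services/validate",
                                            "resource-server-1", "rs1-secret", null);
        AccessTokenValidatorClient remote = new AccessTokenValidatorClient();
        remote.setTokenValidatorClient(client);

        OAuthRequestFilter filter = new OAuthRequestFilter();
        filter.setTokenValidators(Collections.<AccessTokenValidator>singletonList(remote));
        return filter;
    }

    /** Authorization-server side: protects the endpoint hosting AccessTokenValidatorService. */
    @Provider
    @PreMatching
    @Priority(Priorities.AUTHENTICATION)
    public static final class ResourceServerBasicAuthFilter implements ContainerRequestFilter {
        // Constructed credential table for this example; use a real credential store in practice.
        private static final Map<String, String> CALLERS = new HashMap<String, String>();
        static {
            CALLERS.put("resource-server-1", "rs1-secret");
        }

        @Override
        public void filter(ContainerRequestContext ctx) throws IOException {
            final String caller = authenticate(ctx.getHeaderString(HttpHeaders.AUTHORIZATION));
            if (caller == null) {
                // No or wrong credentials: stop before the validator resource is reached.
                ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED)
                        .header(HttpHeaders.WWW_AUTHENTICATE, "Basic realm=\"token-validator\"")
                        .build());
                return;
            }
            final SecurityContext original = ctx.getSecurityContext();
            // The principal installed here is the resource server, never an end user.
            ctx.setSecurityContext(new SecurityContext() {
                public Principal getUserPrincipal() {
                    return new Principal() { public String getName() { return caller; } };
                }
                public boolean isUserInRole(String role) { return false; }
                public boolean isSecure() { return original != null && original.isSecure(); }
                public String getAuthenticationScheme() { return SecurityContext.BASIC_AUTH; }
            });
        }

        /** Returns the caller name for a valid "Basic base64(user:pass)" header, else null. */
        static String authenticate(String header) {
            if (header == null || !header.startsWith("Basic ")) {
                return null;
            }
            String decoded;
            try {
                decoded = new String(Base64.getDecoder().decode(header.substring(6).trim()),
                                     StandardCharsets.UTF_8);
            } catch (IllegalArgumentException badBase64) {
                return null;
            }
            int colon = decoded.indexOf(':');
            if (colon < 0) {
                return null;
            }
            String user = decoded.substring(0, colon);
            String expected = CALLERS.get(user);
            // Constant-time comparison so the validator does not leak password prefixes by timing.
            if (expected != null && MessageDigest.isEqual(
                    expected.getBytes(StandardCharsets.UTF_8),
                    decoded.substring(colon + 1).getBytes(StandardCharsets.UTF_8))) {
                return user;
            }
            return null;
        }
    }
}
```

Register ResourceServerBasicAuthFilter as a provider on the JAX-RS endpoint that hosts AccessTokenValidatorService, and serve that endpoint over TLS only, since the Basic credentials travel in the clear otherwise. This example assumes that a SecurityContext set through ContainerRequestContext is what CXF's MessageContext.getSecurityContext() returns inside the service; confirm that for your CXF version, or use CXF's own JAASAuthenticationFilter, which populates the same principal the service checks. Treating the validator as an ordinary protected JAX-RS endpoint also means the null-principal check in the service is doing real work: an unauthenticated caller cannot use it as an oracle to probe which tokens are valid.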
