
oauth2-vanilla got "invalid_token" error #150

Closed
bjdaijun opened this issue Jul 3, 2017 · 11 comments

bjdaijun commented Jul 3, 2017

Here are my steps:

curl acme:acmesecret@localhost:9999/uaa/oauth/token -d "grant_type=password&scope=openid&username=user&password=password"
{"access_token":"470d15dd-0235-4f19-acd2-81e781793d9a","token_type":"bearer","refresh_token":"4a4fb790-10c0-4d24-9217-d1e35b3b95a6","expires_in":9,"scope":"openid"}
TOKEN=470d15dd-0235-4f19-acd2-81e781793d9a
curl -H "Authorization: bearer $TOKEN" localhost:9000
{"error":"invalid_token","error_description":"470d15dd-0235-4f19-acd2-81e781793d9a"}
curl -H "Authorization: bearer $TOKEN" localhost:8080/resource

NO RESULT

dsyer (Collaborator) commented Jul 3, 2017

Your token has a very short expiry. Maybe it just expired? Are you running the code from this project (the token expiry is not so short by default)?

bjdaijun (Author) commented Jul 3, 2017

I just cloned it from GitHub and did not change anything. The git commit id in my git log is 04cb955.
And how could I change the default expiry?

dsyer (Collaborator) commented Jul 3, 2017

There's a line in the application.properties (https://github.com/spring-guides/tut-spring-security-and-angular-js/blob/master/oauth2-vanilla/authserver/src/main/resources/application.properties#L9):

security.oauth2.client.accessTokenValiditySeconds: 10

(so the default is quite low in this app - probably someone was testing token expiry).

bjdaijun (Author) commented Jul 3, 2017

Thanks, and now curl -H "Authorization: bearer $TOKEN" localhost:9000 returns the right result.
But when I try curl -H "Authorization: bearer $TOKEN" localhost:8080/resource
and curl -H "Authorization: bearer $TOKEN" localhost:8080/user,
nothing is returned.

And in the UI app console, I get an Access denied error:

2017-07-03 14:07:01.233 DEBUG 17621 --- [nio-8080-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/resource'; against '/'
2017-07-03 14:07:01.233 DEBUG 17621 --- [nio-8080-exec-2] o.s.s.w.a.i.FilterSecurityInterceptor    : Secure object: FilterInvocation: URL: /resource; Attributes: [authenticated]
2017-07-03 14:07:01.233 DEBUG 17621 --- [nio-8080-exec-2] o.s.s.w.a.i.FilterSecurityInterceptor    : Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
2017-07-03 14:07:01.233 DEBUG 17621 --- [nio-8080-exec-2] o.s.s.access.vote.AffirmativeBased       : Voter: org.springframework.security.web.access.expression.WebExpressionVoter@265748b6, returned: -1
2017-07-03 14:07:01.234 DEBUG 17621 --- [nio-8080-exec-2] o.s.b.a.audit.listener.AuditListener     : AuditEvent [timestamp=Mon Jul 03 14:07:01 CST 2017, principal=anonymousUser, type=AUTHORIZATION_FAILURE, data={details=org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null, type=org.springframework.security.access.AccessDeniedException, message=Access is denied}]
2017-07-03 14:07:01.236 DEBUG 17621 --- [nio-8080-exec-2] o.s.s.w.a.ExceptionTranslationFilter     : Access is denied (user is anonymous); redirecting to authentication entry point

org.springframework.security.access.AccessDeniedException: Access is denied
        at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:84) ~[spring-security-core-4.2.2.RELEASE.jar:4.2.2.RELEASE]
        at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:233) ~[spring-security-core-4.2.2.RELEASE.jar:4.2.2.RELEASE]

dsyer (Collaborator) commented Jul 3, 2017

Right, but the UI (on port 8080) is not an OAuth2 resource server, so that's expected.
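As an added example (not code from this issue or from the guide project), a small Python helper that makes the two failure modes in this thread distinguishable: it reads the auth server's token reply so the 10 second expiry can be tracked before the token is reused, and it reads the gateway's DEBUG log to tell "token rejected by the resource server" apart from "bearer header ignored because the endpoint is behind SSO session login". The token values and the abridged log lines are constructed placeholders.

```python
import json
import time

# Constructed sample in the shape of the auth server's /oauth/token reply shown in
# this issue; the token values are placeholders, not real tokens.
TOKEN_RESPONSE = ('{"access_token":"aaaaaaaa-0000-4000-8000-000000000001",'
                  '"token_type":"bearer",'
                  '"refresh_token":"bbbbbbbb-0000-4000-8000-000000000002",'
                  '"expires_in":9,"scope":"openid"}')

# Two lines abridged from the gateway DEBUG log quoted in the issue (constructed).
GATEWAY_LOG = [
    "AuditEvent [principal=anonymousUser, type=AUTHORIZATION_FAILURE, message=Access is denied]",
    "ExceptionTranslationFilter : Access is denied (user is anonymous); "
    "redirecting to authentication entry point",
]

def parse_token(body, issued_at):
    """Return (access_token, expires_at); both times are UNIX timestamps."""
    data = json.loads(body)
    if data.get("token_type", "").lower() != "bearer":
        raise ValueError("not a bearer token: %r" % data.get("token_type"))
    return data["access_token"], issued_at + int(data["expires_in"])

def seconds_left(expires_at, now=None):
    """Remaining lifetime; negative once expired (a 10 s token is often already
    dead by the time it is pasted into a second curl command)."""
    return expires_at - (time.time() if now is None else now)

def classify_failure(body, log_lines=()):
    """A JSON invalid_token error means a resource server actually checked the
    token. An anonymous AUTHORIZATION_FAILURE plus a redirect to the entry point
    means the bearer header was never consulted: the endpoint wants a browser
    SSO login session, not a token."""
    if body.strip():
        try:
            error = json.loads(body).get("error")
        except ValueError:
            error = None
        if error == "invalid_token":
            return "token rejected by resource server (expired or unknown)"
    anon_denied = any("AUTHORIZATION_FAILURE" in line and "anonymousUser" in line
                      for line in log_lines)
    redirected = any("redirecting to authentication entry point" in line
                     for line in log_lines)
    if anon_denied and redirected:
        return "bearer token ignored: endpoint requires SSO session login"
    return "unknown"
```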

@dsyer dsyer closed this as completed Jul 3, 2017
dsyer pushed a commit that referenced this issue Jul 3, 2017
Otherwise it's hard to test and can be confusing (see gh-150)
bjdaijun (Author) commented Jul 3, 2017

In this oauth2-vanilla example, the UI application has these two annotations:
@EnableZuulProxy
@EnableOAuth2Sso
and this zuul config in YAML:

zuul:
  routes:
    resource:
      path: /resource/**
      url: http://localhost:9000
    user:
      path: /user/**
      url: http://localhost:9999/uaa/user

Doesn't it mean that we should access the resource from the gateway at 8080?
And if we do access it from the UI, which proxies to the resource at 9000, how should EnableOAuth2Sso work?

dsyer (Collaborator) commented Jul 3, 2017

> Does it mean that we should access resource from the gateway at 8080?

Yes, that's the whole point of a gateway.

bjdaijun (Author) commented Jul 3, 2017

So that's the problem I encountered, as posted in my last comment:

When I try curl -H "Authorization: bearer $TOKEN" localhost:9000 it returns the right result.
But when I try curl -H "Authorization: bearer $TOKEN" localhost:8080/resource
and curl -H "Authorization: bearer $TOKEN" localhost:8080/user,
**nothing is returned, but the log tells me access is denied.**

I do use 8080 to access 9000, but it can't pass OAuth2.

dsyer (Collaborator) commented Jul 3, 2017

It's expected. The gateway is not an OAuth2 resource, as I already pointed out. You have to authenticate with it through the browser (I mean, you could do it with curl, but you are making life difficult for yourself).

bjdaijun (Author) commented Jul 3, 2017

That is what I want to implement:
An app client, not a browser, first gets a valid token from the auth server, and then uses this token for subsequent requests through a Zuul gateway. Can this sample satisfy this requirement? Or should I refer to other samples?

dsyer (Collaborator) commented Jul 3, 2017

The gateway in this sample is not an OAuth2 resource (as I keep saying). The "resource" server is (if you need a sample).
