Spring Security Fundamentals - Lesson 11 - The OAuth2 Authorization Server

In this stream, we discuss Spring Security using the latest available version in 2022. We'll discuss configurations for authentication and authorization, tips and tricks, how to learn Spring Security, vulnerabilities, OAuth 2, and many more.

Comments

Hi Laur, thank you so much for everything you do. Your videos and books mean the world to us. Thank you

talgatalimbayev

Hi Laur. Since I'm just starting to get my feet wet with OAuth2, I find it a little hard to connect all the pieces that make up OAuth2. In this episode you are going as if I have all those pieces connected already in my mind, but I don't think anyone would with just one theoretical episode on that. That leads to me having a hard time following your thoughts. Maybe you could do just a quick alt-tab and say "right now I'm coding this part so we can do X" using the diagram from the 9th lesson. I think that would make it a lot clearer.

Just a little feedback for the future. Thanks again for the great series.

BravePro

Hi! Thank you for everything you do, but from lessons 9-10 to lesson 11 is such a jump that I cannot understand it 🙃

KristainPutra

Until the last video, I was able to follow everything you taught. But in this video, I could not. In particular, I'm not sure how you generated the verifier and the challenge. I made sure I watched the video twice. I also could not follow how you formed a few URLs. I'll list them in another comment.

thepinkskyrider

Hi Laurentiu! I have watched all the videos in this playlist (security 2022) all the way to episode 11. Everything was smooth and I understood everything you did. Episode 9 was a theoretical lesson and I watched it completely. In this episode (11), you started coding and I feel I am missing something: you are creating all those beans as if you had explained them some time earlier, but I don't recall you explaining them. I refer to RegisteredClientRepository, AuthorizationServerSettings, another SecurityFilterChain for the authorization server...

Also, when using the springone URL for the first time, you said you had taught how to create a challenge, but I can't seem to find where that is :))

I code along with the video as usual, but this time I was not able to complete it. Am I missing something?

Thanks!

naebara

Points to consider when you are generating the access token:
[1] the request method is POST
[2] don't forget to add the client's credentials under the Authorization (Basic Auth) section

AbhishekKumarSrivastava-jpbh

Hi Laur, great video as always. When are you going to have an in-depth session on customization? :) Looking forward to that...

amintalukder

Thanks, your videos are the best of the best.

rafaelespinosadominguez

For those who have error 999 or invalid_grant: make sure your redirect_uri is the same in the code, the authorize URL, and the token URL!

desdichago

I struggled generating the access_token. As it seems, after the changes the token endpoint should not receive query parameters, and you should send the parameters in the body as an `x-www-form-urlencoded` form. Also, the client credentials should be filled in under Authorization, and don't forget to encode the client secret with a PasswordEncoder (Laur used NoOpPasswordEncoder, so it wasn't needed in the video).

rgstudio

Have I missed a lesson, or was the formLogin() method at 10:51 not explained before? I watched all the previous lessons and took very detailed notes, but I can't find it.

videolezioni

@Laur Spilca Hey Mr. Laur, I've been really struggling for a few days now. I followed everything you did and even just pasted your code into my IntelliJ to see if it would work, and it doesn't. I followed everything right, but I am stuck at the POST request where we send the verifier, authorization code, redirect URI, client id and grant type to get the tokens. I have even tried putting these in the POST request's body instead of the params, but it still doesn't work. I always seem to get an "error": "invalid_request" response. I would really appreciate help. I am stuck.

okayest_pianist

Hi Mr. Laur, thank you very much for your effort.
I am using Spring Authorization Server with the authorization code grant type. When I send a request to /authorize with the client id, redirect URI and scope, I get redirected to the login page; after login I get redirected to the client's redirect URI and get the code, and that's OK.
But when I try to repeat the flow, I get the authorization code directly without being redirected to the login page. Why this behaviour, and how do I fix it?

easymaths

Hi Laur. Thank you for the video. But while I was practicing, I followed the steps you mentioned and got the error:
{
"error": "invalid_client"
}
Can you help me out?

sagarshah

Hello, thank you for the lesson. I repeated all the code, but when I try to get the access token through the browser (with a non-existent page), after logging in Spring redirects me to an /error page (There was an unexpected error (type=None, status=999).) instead of the 404 page of the redirect URI. What do you think I should try? With an existing URI everything is OK.

nikolayveselov

Hi @Laur Spilca, may I know when your next session in this series will be? Thanks, really.

amintalukder

Hello Laurentiu. Thanks for the video. I was trying to make a POST request to /oauth2/token and I'm getting "error": "invalid_client". Is there something else I need to do besides what is visible on your postman? Are you putting in some other information on the Authorization and Body tabs? Thanks

juni

Do you plan to use any demo that's more realistic, i.e. Keycloak as the authorization server? Aren't most typical use cases going to be a resource server with a third-party authorization server?

rydmerlin

Hey Laur, how do you get the code challenge? When you were testing the URL you had a code challenge?

santoshtimilsina
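The questions above about how the code verifier and challenge are produced, and the earlier tips about the token request (POST, client credentials under Basic Auth, parameters in an `x-www-form-urlencoded` body, the same redirect_uri everywhere), as an added example that is not code from the video or from Spring Authorization Server. It implements the S256 method from RFC 7636 and the `client_secret_basic` token request from RFC 6749. The server URL, client id and secret, redirect URI and scope are assumed placeholder values, not the lesson's actual configuration.

```python
import base64
import hashlib
import json
import secrets
import urllib.parse
import urllib.request
from urllib.error import HTTPError

# Assumed placeholder values: replace with your own RegisteredClient and server.
AUTH_SERVER = "http://localhost:8080"
CLIENT_ID = "client"
CLIENT_SECRET = "secret"
REDIRECT_URI = "https://springone.io/authorized"
SCOPE = "openid"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def generate_code_verifier(num_bytes: int = 32) -> str:
    """RFC 7636 4.1: 43..128 chars from [A-Za-z0-9-._~]; 32 random bytes give 43 chars."""
    return b64url(secrets.token_bytes(num_bytes))


def code_challenge_s256(code_verifier: str) -> str:
    """RFC 7636 4.2: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def build_authorize_url(code_challenge: str, state: str) -> str:
    """Browser step: open this URL, log in, then copy the 'code' query parameter from the redirect."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": SCOPE,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTH_SERVER}/oauth2/authorize?" + urllib.parse.urlencode(params)


def build_token_request(code: str, code_verifier: str) -> tuple[dict, bytes]:
    """Headers and body for POST /oauth2/token.

    Client credentials go in the Authorization header (client_secret_basic). RFC 6749
    2.3.1 says id and secret are form-urlencoded before base64; that is a no-op for the
    placeholder values here. Grant parameters go in an application/x-www-form-urlencoded
    body, not in query parameters.
    """
    creds = f"{urllib.parse.quote(CLIENT_ID)}:{urllib.parse.quote(CLIENT_SECRET)}"
    headers = {
        "Authorization": "Basic " + base64.b64encode(creds.encode("utf-8")).decode("ascii"),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,   # must be byte-for-byte the value sent to /oauth2/authorize
        "client_id": CLIENT_ID,         # optional with Basic auth; kept because the comments above send it
        "code_verifier": code_verifier,  # the server hashes this and compares with the stored challenge
    }).encode("ascii")
    return headers, body


def exchange_code(code: str, code_verifier: str) -> dict:
    """Sends the token request; returns the token JSON, or the error JSON (e.g. invalid_grant) on 4xx."""
    headers, body = build_token_request(code, code_verifier)
    req = urllib.request.Request(f"{AUTH_SERVER}/oauth2/token", data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return json.loads(resp.read())
    except HTTPError as err:
        return json.loads(err.read())


if __name__ == "__main__":
    verifier = generate_code_verifier()
    challenge = code_challenge_s256(verifier)
    print("1. Open in a browser:", build_authorize_url(challenge, state=secrets.token_urlsafe(16)))
    code = input("2. Paste the 'code' query parameter from the redirect: ").strip()
    print("3. Token response:", json.dumps(exchange_code(code, verifier), indent=2))
```

The verifier is generated once and kept on the client side; only its SHA-256 hash travels in the authorize URL, and the raw verifier is presented at the token endpoint, so an intercepted code alone cannot be redeemed. An `invalid_client` response from the server means the Basic credentials are missing or do not match the secret stored for the RegisteredClient (which must be stored in the form your PasswordEncoder expects); an `invalid_grant` is what a redirect_uri mismatch or a wrong verifier produces.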

Hi Laurentiu, what are the advantages of using code-generated key pairs instead of having static keys stored in PEM files that are used through application.properties? It looks like it's more secure using code-generated ones, but this means that every time the backend is restarted, a new key pair is going to be generated and all JWTs previously created are going to be useless, right? And is this supposed to work if we scale up our backend to multiple instances? This means that each instance will have its own key pair, and a specific JWT is only going to be successfully validated by that same instance and fail for the other ones, right?

nunoaparicio