Jon Hines
and it seems to work really well. I just wasn't sure what the "correct" way to do it was.
Abdlrhman Ibrahim
I'm an undergraduate and I've started learning Spring Boot recently, and I need good tutorials to read about UserDetailsService. Thanks in advance.
Abhishek Sharma
What is the best way to disable Spring Security if I cannot remove the dependency? Should I extend WebSecurityConfigurerAdapter or exclude the security configuration?
João Pedro Leite S Lisboa
What is the difference between ClientDetailsServiceConfigurer and HttpSecurity?
Brian Quach
Not sure if this is the right place to ask this, but I'm trying to change an authenticated user's user group mid-session, is there a way to change a user's authorities on the fly?
@dsyer Hi, I am using spring-security-oauth2. I am sending a request, but I only get the previous token until that token has expired. But I don't want a single token per user; I want to get a new token for every request. This is for multiple user sessions. The problem is that when I get a token, I use it in a device, but I have multiple devices with a single account. If I want to log out (invalidate the token), all my sessions are logged out. This is not a suitable way.
@Nasibulloh Did you get the solution?
Morning all. Bit of an opinion question here, but what are the use cases for RunAsManager? It seems like a heavyweight solution that should be used sparingly?

@jzheaux Hi,
Is there an OAuth2 counterpart of the AuthenticationSuccessEvent? I have a problem when using it. I use the password grant type to authenticate users; the problem is that when the user enters wrong credentials an AuthenticationSuccessEvent is sent (because the client credentials are correct), but I get this result:

    {
        "error": "invalid_grant",
        "error_description": "Bad credentials"
    }

Which is the expected result.
I would like an event for a real successful authentication (client + user). Thanks a lot for your help.

Joshua Street
Hopefully a simple question: I am trying to replicate one of the Spring Boot samples for OAuth2 login. I have an application.yaml file defining my Spring Security OAuth2 client information as described in the samples. However, I do not get a link on the login page to take me to my OAuth2 provider.
I only ever have a form login page.
The samples do not have any sort of configuration other than that within the application.yaml, so I am confused as to what else I need.
Joshua Street
  port: 8080

    root: INFO
    org.springframework.web: INFO
    org.springframework.security: INFO

    cache: false
            client-id: your-app-client-id
            client-secret: your-app-client-secret
I am assuming that this application.yaml file will turn on the OAuth2 client, such that when I access my app there should be a link to authenticate with Google.
There is no link that shows up for me, only the standard login form.
I have no configuration Java classes that extend WebSecurityConfigurerAdapter.
Joshua Street
Figured it out. Seems that the sample apps did not use the security starter
er, spring-boot-starter-security
I'm trying to have an OAuth2 client using the authorization_code grant type. I can authorize the user and redirect the URL, but when I try to access the resource using OAuth2RestTemplate I get 401 Unauthorized.
Is there something I need to do for the OAuth2RestTemplate to add the Authorization header?
    // Controller method from the post; the OAuth2RestTemplate field is injected from the bean below
    public OAuth2User hello(@AuthenticationPrincipal OAuth2User oAuth2User) {
        // Calls the protected resource; the poster expected the template to add the Authorization header
        String response = oAuth2RestTemplate.getForObject("https://localhost:8090/me", String.class);
        return oAuth2User;
    }

    @Bean
    public OAuth2RestTemplate oauth2RestTemplate(OAuth2ClientContext oauth2ClientContext) {
        return new OAuth2RestTemplate(azureDetails(), oauth2ClientContext);
    }

    @Bean
    public AuthorizationCodeResourceDetails azureDetails() {
        AuthorizationCodeResourceDetails details = new AuthorizationCodeResourceDetails();
        // Client id, secret and endpoint URLs were omitted from the post (see the follow-up: OAuth1 URLs were the cause)
        return details;
    }
@dgakhar Not yet
@sudhakarbetha Can someone help with this?
@sudhakarbetha I realized I was using the OAuth1 version of the URLs; when I changed to the OAuth2 version of the URLs, I got a 200 OK response.
URLs obtained from
Tejo Gowtham Katta
DefaultOAuth2ClientContext is in session scope, and it stores preserved state to avoid CSRF attacks.
Is there any way this can be done without a session? Basically my app is distributed and I want to avoid sessions.
Hi, can someone please point me to an example of the authorization code grant flow where we connect to a third-party auth server such as Okta or Norton and retrieve an auth token?
Hi, is there any possibility of a timeout while uploading a large file (I'm using a JWT token for authorization)?
Akshit Goyal
How do I implement an OAuth client in a microservice architecture? Any leads?
Piotr Kucharski
Hello, is it possible to create OAuth2 PKCE server with Spring Security?
Andreas Falk
@Sketusky If you mean creating an OAuth2 authorization server with PKCE support, then this feature is planned as part of Spring Security 5.3. See https://github.com/spring-projects/spring-security/milestone/147
Piotr Kucharski
@andifalk Thank you for your response. So it will be done next year. I need something to provide secure authentication and authorization for my application (REST + Android). Would it be a bad idea to use OAuth2 without PKCE and then try to migrate?
Andreas Falk
@Sketusky Using an Android client without PKCE takes the risk that an attacker can decompile the APK and get the client secret. Without PKCE and a dynamic challenge + code verifier the attacker could misuse the auth code flow. Why don't you just use some other production-grade auth server like, for example, Keycloak?
Akshit Goyal
I am using the Google OAuth2 authorization server
and facing an issue while redirecting from Google login

provider: google
clientId: {client Id}
client-secret: {Client Secret}
authorization-grant-type: authorization_code
redirect-uri: http://localhost:8090/home
scope: openid,profile,email
authorization-uri: https://accounts.google.com/o/oauth2/v2/auth
token-uri: https://oauth2.googleapis.com/token
user-info-uri: https://openidconnect.googleapis.com/v1/userinfo
user-name-attribute: sub
jwk-set-uri: https://www.googleapis.com/oauth2/v3/certs

port: 8090

Above is my application.yml file
and this is my configuration class

package com.example.Oauth;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableOAuth2Client;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    // Only the commented-out loginPage call survived in the post; the rest of the chain is not shown
    http
        .oauth2Login()
            /* .loginPage("/oauth2/authorization/google") */ ;
  }
}


While Google is redirecting I'm getting this.
Any help??
Unable to identify the problem.
Did you tell Google to redirect you to /oauth2/authorization/google?
Akshit Goyal
It works when you add .oauth2Login().redirectionEndpoint().baseUri("/home") to your security config, and it has to be accessible. But I just wouldn't make it custom.
Wait a minute, this is finally my chance to grab some Stack Overflow points :D
Jan Heuer
Hey, when I want to customize the creation of a refresh token in https://github.com/spring-projects/spring-security-oauth/blob/master/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/DefaultTokenServices.java, I need to write my own implementation, right? There is no extension point for that?
Bruce Zhang
Infinite redirection after successful SSO authorization
This is my code. The database is configured.