ravi kumar chechani
Any idea
Using below configs
    protected void configure(HttpSecurity http) throws Exception {
        .addFilter(new UserNamePasswordAuthFilter(authenticationManager()))
        .failureHandler(new LoginFailureHandler("/login?error=true"))
        .logoutSuccessHandler(new LogoutSuccessHandler())
        .authenticationEntryPoint(new LoginEntryPoint(loginOrigin));
Rishikesh Chiliveri
How to add support for oauth2 configuration metadata endpoint (issuer-uri) in Auth server? I searched all around but not able to find it.
Thank you
Stefan Rempfer
@rishisc Perhaps this repository with samples could help you https://github.com/srempfer/spring-security-oauth2-samples
Rishikesh Chiliveri
@srempfer Thank you
James Howe
I've got everything for an auth server configured and set up already. I'm trying to use the ClientRegistrationService interface, but it seems to be impossible because the JdbcClientDetailsService is exposed as a jdk Proxy for only ClientDetailsService and cannot be cast.
I can't override the bean definition either, as everything goes via ClientDetailsServiceConfiguration, which seems to serve no purpose other than getting in the way
hey everyone, I'm reading this guide "OAuth2 Boot" and I'm a little confused. I'm reading section 1.8 cause I want to implement one prototype application containing both authorization and resource server.
1) The guide is missing to describe how to inject a KeyPair. I did like this, is it correct? Where do you recommend placing it?
2) 1.8.1: the guide introduces JwkSetConfiguration extends AuthorizationServerConfigurerAdapter; I already have a class extending AuthorizationServerConfigurerAdapter and this is causing illegal state exceptions. I defined @Order(99) to solve, but is this correct?
3) 1.8.2: the guide defines HttpSecurity through a AuthorizationServerSecurityConfiguration, shouldn't this be in a class extending WebSecurityConfigurerAdapter? what's the difference?
4) 1.8.2: the guide shows @Import(AuthorizationServerEndpointsConfiguration.class). Why should I do that? Again, is it correct to have 2 classes extending AuthorizationServerEndpointsConfiguration? My project has these 2 configurations.
5) 1.8.2: why are they doing super.configure(http);?
James Howe
3) AuthorizationServerSecurityConfiguration extends WebSecurityConfigurerAdapter to save you some code
2) You should only have one. Don't write two of them.
4) So that it works
5) So the configuration from the superclass is included
Hi, I am trying to integrate Spring Security into a Struts based legacy project. I am getting UserRedirectRequiredException. The exception being thrown is not handled by OAuth2ClientContextFilter. Because of that the request is not able to proceed further. Can someone suggest any workaround for this? The OAuth2ClientContextFilter is also getting registered during startup. But when the exception is thrown, it is not handling it. Instead Tomcat is throwing the exception.
Almir James Lucena
I have been reading the documentation for Spring Security's oauth. I've seen that there are two very similar filters related to oauth and authorization response. OAuth2AuthorizationCodeGrantFilter and OAuth2LoginAuthenticationFilter. What's the actual difference of the two?

I am trying to setup an oauth 2.0 based webclient for essentially an app to app authentication as an Oauth2 client.

Since this is a two step process - the token https://<my-domain>/oauth/token/ gives the following response as part of the Netty response (OAuth2AccessTokenResponse)

status = {HttpResponseStatus@8335} "302 "
version = {HttpVersion@8336} "HTTP/1.1"
headers = {DefaultHttpHeaders@8309} "DefaultHttpHeaders[Connection: keep-alive, Cache-Control: no-cache, no-store, max-age=0, must-revalidate, Date: Mon, 10 May 2021 09:37:31 GMT, Expires: 0, Location: https://<my-domain>/login, Pragma: no-cache, Strict-Transport-Security: max-age=31536000 ; includeSubDomains, X-Content-Type-Options: nosniff, X-Frame-Options: DENY, X-XSS-Protection: 1; mode=block, X-Cache: Miss from cloudfront, Via: 1.1 4c6f3dc807d213a0da966381e4886b08.cloudfront.net (CloudFront), X-Amz-Cf-Pop: MIA3-C2, X-Amz-Cf-Id: GMe-UuqqIXTkD1LZuES7LYQAgLWizBsN8RJ1ieGarEj6mEst9gLKbg==, content-length: 0]"
decoderResult = {HttpMessageDecoderResult@8337} "success"


My Oauth2 based webclient setup

    WebClient getAppDevOauth2WebClient(ReactiveOAuth2AuthorizedClientManager reactiveOAuth2AuthorizedClientManager) {
        ServerOAuth2AuthorizedClientExchangeFilterFunction oauth =
                new ServerOAuth2AuthorizedClientExchangeFilterFunction(reactiveOAuth2AuthorizedClientManager);
        // (optional) explicitly opt into using the oauth2Login to provide an access token implicitly
        // oauth.setDefaultOAuth2AuthorizedClient(true);
        oauth.setAuthorizationFailureHandler((oAuth2AuthorizationException, principal, attr) -> {
            LOG.error("oAuth2AuthorizationException : {} and principal : {} and attr :{}",
                    oAuth2AuthorizationException.getMessage(), principal.getName(), attr.toString());
            return null;

        return WebClient.builder()

    public ReactiveOAuth2AuthorizedClientManager authorizedClientManager(
            ReactiveClientRegistrationRepository clientRegistrationRepository,
            ReactiveOAuth2AuthorizedClientService authorizedClientService) {

        ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider =

        AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager authorizedClientManager =
                new AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager(
                        clientRegistrationRepository, authorizedClientService);

        return authorizedClientManager;

with exception : org.springframework.security.oauth2.client.ClientAuthorizationException: [invalid_token_response] Empty OAuth 2.0 Access Token Response

This is the final exception I get while the intermediate step of getting the actual bearer token is giving me 302 status code with no real Oauth2 Bearer token.


This is a SO question I have asked for Spring Oauth2.0 based config and not able to generate the bearer token



Rishikesh Chiliveri
Hi, I am trying to implement session concurrency with one active session and invalidate a session on maxidle using oauth2 authentication code flow. How can I achieve concurrency with my oauth2 clients who logged in using oauth2Login? Also session invalidation only occurs when my refresh token gets expired. I am using spring cloud gateway as a client.
Bassem Khadige
Hello, is it possible to define a userAuthoritiesMapper in an oauth2-resource-server configuration? I need to define the authorities from a "roles" array defined in the userAttributes.
Cesar Manuel Cruzata De la Cruz
Hello. I have Keycloak, Gateway services and a Reactjs SPA, I need to develop authentication and authorization. So Authorization Code Flow, where frontend application (Reactjs) and backend (Gateway application) are the same confidential client, is that correct? So should both applications be running with the same URL and the same PORT and be located in the same place? So this gateway only responds to the frontend app? Will other frontend applications not be able to make requests?
ReactiveOAuth2AuthorizedClientService' available: expected at least 1 bean which qualifies as autowire candidate. Dependency annotations: {}
I face this issue when using the WebClient to init the bean WebClient webClient(ReactiveClientRegistrationRepository clientRegistrations, ReactiveOAuth2AuthorizedClientService authorizedClientService) {
In the demo project alone it works fine, but when used in the project, the bean will not be init.
Hello, are there any ideas how to introspect (or validate) tokens of public clients, meaning they do not have client secret to authenticate for /introspect?
eric jonas

I am using Spring Boot 2.5.3

my pom



Got error




The bean 'tokenRelayGatewayFilterFactory', defined in class path resource [org/springframework/cloud/security/oauth2/gateway/TokenRelayAutoConfiguration.class], could not be registered. A bean with that name has already been defined in class path resource [org/springframework/cloud/gateway/config/GatewayAutoConfiguration$TokenRelayConfiguration.class] and overriding is disabled.


Consider renaming one of the beans or enabling overriding by setting spring.main.allow-bean-definition-overriding=true

Any help? is this a known issue?

Konstantin Bläsi
I would try to exclude one of those auto configuration classes, https://www.baeldung.com/spring-data-disable-auto-config has some examples
eric jonas
@konstantinblaesi your solution is for me?
eric jonas
@konstantinblaesi okay, guess you are referring to me. Anyway I follow the action and added this to app properties -> spring.main.allow-bean-definition-overriding=true .. now it works..
Konstantin Bläsi
Emna Mtibaa
I have this problem, who can help me please ?
2021-08-08 18:48:00.592 DEBUG 6692 --- [tp1542747725-22] o.s.b.a.audit.listener.AuditListener : AuditEvent [timestamp=Sun Aug 08 18:48:00 CET 2021, principal=xxx, type=AUTHORIZATION_FAILURE, data={type=org.springframework.security.access.AccessDeniedException, message=Accès refusé}]
Donald F Coffin
Will support for the Spring-Authorization-Server be added to the Initializr?
Aniket Singla

Hi Everyone, I am currently trying to implement Reactive Spring security in one of my applications. The issue is, in the default implementation, ReactiveRemoteJWKSource uses a cache for caching the jwk set. In my application I can have multiple tenants with each tenant having different JWT. I do have the option to configure a custom web client with the help of NimbusReactiveJwtDecoder.withJwkSetUri().webclient(). With the help of a custom web client I am able to pass required headers for each client for accessing JWK.

But I am not able to specify the "ReactiveRemoteJWKSource source" used by processor().
The implementation of ReactiveRemoteJWKSource uses a cache which does not support different tenants. Also all these classes are in default namespace a custom implementation becomes somewhat tricky. Can someone suggest a good way to cache jwk's according to different tenants? Or if we disable cache, then also my issue will be resolved (though performance will be impacted)


Hi Everyone, am currently looking into integrating Spring Authorization Server with an external openid provider. The idea is to get the id-token from external idp (github, google etc.) and based on this (create user in db if not exist etc.) and return locally generated Jwt token.

Currently I've implemented a Spring Authorization Server with a Resource server - but fail to see how I can hook the Spring Authorization Server up with an external id provider to create a token the Resource Server can utilize.

Any pointers are appreciated.

Hello, I'm also interested how to use Spring Authorization Server
can you share some good tutorial about the setup that you had used?
@rcbandit111: The one I've used (and the most up-to-date) is in the samples directory of the project itself:

Philip Bannon

Hi All,

I have a question around multi-Tenant. I have two Tenants in Auth0 so two different issuer URI's. I've seen from Spring security I can easily add more than one iss url by doing the following in my security config class:

    protected void configure(HttpSecurity http) throws Exception {
        JwtIssuerAuthenticationManagerResolver authenticationManagerResolver = new JwtIssuerAuthenticationManagerResolver
                ("https://xxxxxx-dev.eu.auth0.com/", "https://xxxxxx2-dev.eu.auths0.com/");

However I have a method which validates the aud in the token by doing the following:

    JwtDecoder jwtDecoder() {
        // By default, Spring Security does not validate the "aud" claim of the token, to ensure that this token is
        // indeed intended for our app. Adding our own validator is easy to do:

        NimbusJwtDecoder jwtDecoder = (NimbusJwtDecoder)

        OAuth2TokenValidator<Jwt> audienceValidator = new AudienceValidator(audience);
        OAuth2TokenValidator<Jwt> withIssuer = JwtValidators.createDefaultWithIssuer(issuer);
        OAuth2TokenValidator<Jwt> withAudience = new DelegatingOAuth2TokenValidator<>(withIssuer, audienceValidator);


        return jwtDecoder;

How can I have this work with BOTH issuer URI's....any help would be very much welcome as I'm going crazy here trying to figure this out :D



Hello there, I am facing some issues verifying my ID Token from the frontend in the backend. My application.yaml configuration is like this:

spring.security.oauth2.resourceserver.jwt.issuer-uri = https://login.microsoftonline.com/{tenant-id}/.well-known/openid-configuration
spring.security.oauth2.resourceserver.jwt.jwk-set-uri = https://login.microsoftonline.com/{tenant-id}/discovery/v2.0/key

I already set my app registration to v2 ID Tokens and the audience claims match when I receive the ID Token from the frontend. Yet I get the following error during the filtering process: The aud claim is not valid.

Is using login.microsoftonline.com the correct way, or should I use the sts.windows.net endpoint? The problem with the latter URI is that Spring doesn't find it.

Thank you

SivLay Yi

Hello everyone, I have an issue with Spring Oauth Access Token.


I set 1mn expire token in DB. After I login until expire token. And I login again and refresh. That said 401 error. When I check token in DB, it didn't change with new token. How can I check that?

Cesar Manuel Cruzata De la Cruz
Hello everyone, I have an issue with ReactiveOAuth2AuthorizedClientManager
Could not autowire. No beans of 'ReactiveOAuth2AuthorizedClientManager' type found
I am using:
Patrick Gotthard
Hi, I have to add support for multiple OIDC issuers to my application and already configured a JwtIssuerAuthenticationManagerResolver. The authentication works fine but my clients don't get any GrantedAuthority. With the previous http.oauth2ResourceServer().jwt() everything worked well in combination with a custom JwtAuthenticationConverter. What has to be done to get my custom JwtAuthenticationConverter working again?
I want to get OAuth2 token via access_token_url, client_id, client_secret, grant_type and resource,
while creating ClientRegistration, how can I add resource/audience for Oauth2 request??