Getting unauthorized when refreshing token if multiple authentication provider are registered

[conteit]

I'm trying to create an oauth2-enabled auth server which is able to authenticate users with two authentication providers: the former is in-memory (for default user-passwords) the latter is an external LDAP server (by now i'm using the example from gs-authenticating-ldap-complete).

I'm able to successfully retrieve an access token for any user, but i'm only able to use the refresh token for retrieving a new token for any user that is registered in the LDAP server. While everything is fine if I try to refresh an in-memory user's token, with the LDAP ones I get: 401 Unauthorized { "error": "unauthorized", "error_description": "ben" } where "ben" is the user id.

As far as I know (after some debugging) the exception occurs in DefaultTokenServices.java:150.

In the following I report the configuration classes I'm using.

@Configuration
@EnableWebSecurity
@Order(6)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Bean
    public TokenStore tokenStore() {
        return new InMemoryTokenStore();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().authenticated().and().csrf().disable();
    }

    @Configuration
    protected static class DefaultUsersAuthConfiguration extends GlobalAuthenticationConfigurerAdapter {

        @Override
        public void init(AuthenticationManagerBuilder auth) throws Exception {
            auth.inMemoryAuthentication().withUser("admin").password("admin").roles("ADMIN").and().withUser("guest")
                    .password("guest").roles("USER");
        }

    }

    @Configuration
    protected static class LDAPAuthConfiguration extends GlobalAuthenticationConfigurerAdapter {

        @Override
        public void init(AuthenticationManagerBuilder auth) throws Exception {
            auth.ldapAuthentication().userDnPatterns("uid={0},ou=people").groupSearchBase("ou=groups")
                    .userDetailsContextMapper(new MyLdapUserDetailsMapper()).contextSource()
                    .ldif("classpath:test-server.ldif");
        }

    }

    protected static class MyLdapUserDetailsMapper extends LdapUserDetailsMapper {

        @Override
        public UserDetails mapUserFromContext(DirContextOperations ctx, String username,
                Collection<? extends GrantedAuthority> authorities) {
            final UserDetails originalUser = super.mapUserFromContext(ctx, username, authorities);

            final Set<GrantedAuthority> newAuth = new HashSet<>(originalUser.getAuthorities());
            newAuth.add(new SimpleGrantedAuthority("ROLE_EXTRA_ROLE"));

            return new User(originalUser.getUsername(), originalUser.getPassword(), originalUser.isEnabled(),
                    originalUser.isAccountNonExpired(), originalUser.isCredentialsNonExpired(),
                    originalUser.isAccountNonLocked(), newAuth);
        }

    }

}

@Configuration
@EnableAuthorizationServer
public class OAuth2Config extends OAuth2AuthorizationServerConfiguration {

    @Autowired
    private TokenStore tokenStore;

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory().withClient("acme").secret("acmesecret")
                .authorizedGrantTypes("password", "refresh_token", "client_credentials")
                .scopes("read", "write", "openid").autoApprove(true);
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.tokenStore(tokenStore);
    }

    @Configuration
    @EnableResourceServer
    protected static class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {

        @Autowired
        private TokenStore tokenStore;

        @Override
        public void configure(HttpSecurity http) throws Exception {
            // @formatter:off
            http.authorizeRequests().antMatchers("/me").authenticated();
            // @formatter:on
        }

        @Override
        public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
            resources.tokenStore(tokenStore);
        }
    }

}

I'm using spring-boot 1.3.2.RELEASE. What am I missing?

[quintonm]

I ran into a similar problem recently with multiple authentication providers. Your problem stems from the registration of the default user details service. The InMemoryUserDetailsManagerConfigurer will register a user details service but the LdapAuthenticationProviderConfigurer does not (even if it did, you can't have two).

I don't remember the exact details but when using the refresh token, the userDetailsService is used to load the user. This is done so that a check can be performed to see if the user's account is still enabled, not locked, etc. Since the user details service only searches in in memory user store, the refresh token request fail for the ldap users.

To get around this issue, I created a user details service that queried both authentication providers in the same order that the ProviderManager queried them. This might not be the ideal solution but it worked for me.

[kinman-enphase]

Can anyone confirm whether quintonm's solution is the recommended approach? I'd rather get DefaultTokenServices to use the AuthenticationManager that has my custom AuthenticationProvider, but maybe I'm going about this the wrong way.

[miguelchico]

Any update about this?

I'm in the same situation. The solution proposed by @quintonm works.... but I don't know if it's the only way.

[conteit]

Yes, I can confirm that it works.

I defined a custom UserDetailsService for composing multiple UserDetailsServices and I passed it to the AuthorizationServerEndpointsConfigurer.

@Configuration
public class OAuth2RefreshConfig {

    @Bean
    public MyUserDetailsService userDetailsService() {
        return new MyUserDetailsService();
    }

    public static class MyUserDetailsService implements UserDetailsService {

        private List<UserDetailsService> uds = new LinkedList<>();

        public MyUserDetailsService() {
        }

        public void addService(UserDetailsService srv) {
            uds.add(srv);
        }

        @Override
        public UserDetails loadUserByUsername(String login) throws UsernameNotFoundException {
            if (uds != null) {
                for (UserDetailsService srv : uds) {
                    try {
                        final UserDetails details = srv.loadUserByUsername(login);
                        if (details != null) {
                            return details;
                        }
                    } catch (UsernameNotFoundException ex) {
                        assert ex != null;
                    } catch (Exception ex) {
                        ex.printStackTrace();
                        throw ex;
                    }
                }
            }

            throw new UsernameNotFoundException("Unknown user");
        }

    }

}

...

@Configuration
@EnableAuthorizationServer
public class OAuth2Config extends OAuth2AuthorizationServerConfiguration {

    @Autowired
    private MyUserDetailsService myUserDetailsService;

    ...

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.tokenStore(tokenStore).authenticationManager(authenticationManager)
                .userDetailsService(myUserDetailsService);
    }
}

Then I attached the InMemoryUserDetailsService and LdapUserDetailsService to the custom one.

@Configuration
    protected static class DefaultUsersAuthConfiguration extends GlobalAuthenticationConfigurerAdapter {

        @Autowired
        private MyUserDetailsService uds;

        @Override
        public void init(AuthenticationManagerBuilder auth) throws Exception {
            auth.inMemoryAuthentication().withUser("admin").password("manager").roles("ADMIN").and().withUser("guest")
                    .password("guest").roles("USER").and().getUserDetailsService();

            uds.addService(auth.getDefaultUserDetailsService());
        }

    }

    @Configuration
    protected static class LDAPAuthConfiguration extends GlobalAuthenticationConfigurerAdapter {

        @Autowired
        private MyUserDetailsService uds;

        @Override
        public void init(AuthenticationManagerBuilder auth) throws Exception {
            auth.ldapAuthentication().passwordCompare().passwordAttribute("userPassword").and()
                    .userDnPatterns("uid={0},ou=people").groupSearchBase("ou=groups")
                    .userDetailsContextMapper(userDetailsMapper()).contextSource().ldif("classpath:test-server.ldif");
        }

        @Bean
        public UserDetailsService ldapUserDetailsService() {
            final DefaultSpringSecurityContextSource contextSource = new DefaultSpringSecurityContextSource(
                    "ldap://127.0.0.1:33389/dc=springframework,dc=org");
            contextSource.afterPropertiesSet();

            final FilterBasedLdapUserSearch userSearch = new FilterBasedLdapUserSearch("", "uid={0}", contextSource);
            final LdapUserDetailsService service = new LdapUserDetailsService(userSearch);
            service.setUserDetailsMapper(userDetailsMapper());
            uds.addService(service);

            return service;
        }

        @Bean
        public LdapUserDetailsMapper userDetailsMapper() {
            return new MyLdapUserDetailsMapper();
        }

    }

[kinman-enphase]

We know that it works. We want to know if it is the recommended solution.

[miguelchico]

That's the point. This solution works (I already wrote my own), but I would like to know if there is a different way to do that.
Because for me it's a bit tricky. You have to configure the same in two different places and you have to "hack" the user detail services.
It doesn't sound straitforward for me.

@dsyer Is there any other option?

[EmilIfrim]

@dsyer No update on this issue?
I have 2 (but can be more) different AuthenticationProviders and because I use refresh_token setting, the framework requires UserDetailsService to be provided. As it is now, it's not straightforward to provide different UserDetailsService implementation when using custom Authentication Providers.

In the example above what if there is the same username in both systems?

[jgrandja]

Composing a specialized UserDetailsService with 2 (or more) UserDetailsService delegates that are ultimately associated with different AuthenticationProvider's is not the ideal or recommended solution IMO. It's more complicated then it should be.

I'm going to put together a sample of the original configuration from @conteit to reproduce the issue and than try to come up with a solution that is much easier to configure.

Back shortly...