I'm implementing a Spring OAuth2 login mechanism that acts as a client to an external identity provider. My code was working well when using OAuth2 without PKCE. The requirements have changed and now I have to implement the challenge_code in the authorization request and the code_verifier in the token request. Looking at the Spring documentation, to add PKCE it was mandatory to override the DefaultServerOAuth2AuthorizationRequestResolver, so I added this bean:

```java
@Bean
public ServerOAuth2AuthorizationRequestResolver pkceResolver(ReactiveClientRegistrationRepository repo) {
    var resolver = new DefaultServerOAuth2AuthorizationRequestResolver(repo);
    // Adds code_challenge / code_challenge_method to the authorization request and
    // stores the code_verifier for the later token request
    resolver.setAuthorizationRequestCustomizer(OAuth2AuthorizationRequestCustomizers.withPkce());
    return resolver;
}
```
Another thing to do was to add the new resolver in the SecurityWebFilterChain configuration method:

```java
@Bean
public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http,
        ServerLogoutSuccessHandler handler,
        ServerOAuth2AuthorizationRequestResolver resolver) {
    http
        // Use the PKCE-aware resolver for the authorization request and keep the custom failure handler
        .oauth2Login(login -> login
            .authorizationRequestResolver(resolver)
            .authenticationFailureHandler(failureHandler()))
        .cors(cors -> cors.disable())
        .csrf(csrf -> csrf.disable())
        .authorizeExchange(exchanges -> exchanges
            .pathMatchers("/actuator/**", "/login/**", "/logout.html").permitAll()
            .anyExchange().authenticated())
        // The application also accepts JWT bearer tokens as a resource server
        .oauth2ResourceServer(rs -> rs.jwt())
        .logout(logout -> logout.logoutSuccessHandler(handler));
    return http.build();
}
```
Now the challenge_code is in the request sent to the external IdP. The IdP redirects back to the application with the authorization_code and the state. Now the app should send a POST request to the IdP's /token endpoint, but it fails with this error message:

```
Suppressed: org.springframework.security.oauth2.core.OAuth2AuthenticationException: [invalid_client] FBTOAU229E Confidential clients accessing the token endpoint must authenticate using their registered credentials.
```

The logs say that there is a bad request:

```
HTTP POST https://exampl.it/mga/sps/oauth/oauth20/token, headers={masked}
Writing form fields [grant_type, client_id, code, redirect_uri, code_verifier] (content masked)
Response 400 BAD_REQUEST, headers={masked}
Decoded [{error_description=FBTOAU229E Confidential clients accessing the token endpoint must authenticate using their registered credentials., error=invalid_client}]
```

How can I see those values? I tried with a request interceptor but it is not catching anything. I can't find a way to solve the problem and I don't really understand what it is. PLEASE HELP, I'VE BEEN STUCK ON THIS PROBLEM FOR 1 WEEK :(
According to the message, you have a client authentication issue. Check client-id, client-secret and client-authentication-method in your application properties.

Side note: according to the docs, you can do it simpler:
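As an added example (not code from the question or the answer above), the registration below is configured as a confidential client with a secret and client_secret_basic, and the PKCE resolver from the question is run against it to confirm that code_challenge is emitted in the authorization request while code_verifier is held for the token request. The registration id, URIs and credentials are placeholders, and the MockServerWebExchange / MockServerHttpRequest classes are assumed to come from spring-test.

```java
import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
import org.springframework.mock.web.server.MockServerWebExchange;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.InMemoryReactiveClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestCustomizers;
import org.springframework.security.oauth2.client.web.server.DefaultServerOAuth2AuthorizationRequestResolver;
import org.springframework.security.oauth2.client.web.server.ServerOAuth2AuthorizationRequestResolver;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
import org.springframework.security.oauth2.core.endpoint.PkceParameterNames;

public class PkceConfidentialClientCheck {
    // Placeholder registration, the same fields as spring.security.oauth2.client.registration.idp.* in application.yml.
    // PKCE is layered on top of client authentication, not a replacement: with a secret and client_secret_basic
    // the token request carries an Authorization header plus code_verifier; with method none it carries only client_id.
    static ClientRegistration confidentialClient() {
        return ClientRegistration.withRegistrationId("idp")
                .clientId("my-client-id")                                  // placeholder
                .clientSecret("my-client-secret")                          // placeholder
                .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
                .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                .redirectUri("{baseUrl}/login/oauth2/code/{registrationId}")
                .authorizationUri("https://idp.example/oauth20/authorize")  // placeholder
                .tokenUri("https://idp.example/oauth20/token")              // placeholder
                .build();
    }

    static ServerOAuth2AuthorizationRequestResolver pkceResolver(ClientRegistration reg) {
        var resolver = new DefaultServerOAuth2AuthorizationRequestResolver(
                new InMemoryReactiveClientRegistrationRepository(reg));
        resolver.setAuthorizationRequestCustomizer(OAuth2AuthorizationRequestCustomizers.withPkce());
        return resolver;
    }

    public static void main(String[] args) {
        var exchange = MockServerWebExchange.from(MockServerHttpRequest.get("/oauth2/authorization/idp").build());
        OAuth2AuthorizationRequest req = pkceResolver(confidentialClient()).resolve(exchange, "idp").block();
        // code_challenge + code_challenge_method=S256 go to the IdP; code_verifier stays server-side for the token request
        Object challenge = req.getAdditionalParameters().get(PkceParameterNames.CODE_CHALLENGE);
        Object method = req.getAdditionalParameters().get(PkceParameterNames.CODE_CHALLENGE_METHOD);
        String verifier = req.getAttribute(PkceParameterNames.CODE_VERIFIER);
        if (challenge == null || !"S256".equals(method) || verifier == null) {
            throw new IllegalStateException("PKCE parameters missing from the authorization request");
        }
        System.out.println("code_challenge=" + challenge + ", code_verifier held server-side");
    }
}
```

If the same registration is declared with client-authentication-method none and no secret, the token request logged in the question (grant_type, client_id, code, redirect_uri, code_verifier and nothing else) is exactly what gets sent, which is what the IdP rejected.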