SPA + API + Spring Boot access_token authentication not working

JWT.io
, ,
1

Sorry if there is another question that addressed this please let me know but I was not able to find anything.

I have a SPA an API and a Spring Boot backend that is configured using instructions from here: Secure your Single Page Apps (SPAs) with Spring Boot and OAuth 2.0

The problem that I have is if I login using the SPA and get an access_token , when I send that access token to the Spring Backend I am getting a 401 Unauthorised with body:

{
    "error": "invalid_token",
    "error_description": "Invalid access token: <Access-Token>"
}

And a response header:

WWW-Authenticate: Bearer realm="https://<My-Custom-Domain>.com/api", error="invalid_token", error_description="Invalid access token: <Access-Token>"

My Spring configuration:

auth0:
  domain: auth0.<My-Custom-Domain>.com
  clientId: ************
  
security:
    oauth2:
      resource:
        id: https://<My-Custom-Domain>.com/api
        jwk:
          keySetUri: https://auth0.<My-Custom-Domain>.com/.well-known/jwks.json

SpringSecurity class:

	@Value("${spring.security.oauth2.resource.id}")
	private String resourceId;

	@Override
	public void configure(HttpSecurity http) throws Exception {
		http.authorizeRequests()
				.mvcMatchers("/api/public").permitAll()
				.mvcMatchers("/api/**").authenticated()
				.anyRequest().permitAll();
	}

	@Override
	public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
		resources.resourceId(resourceId);
	}

SPA config:

	const [isLoading, setLoading] = useState(true);
	const [domain, setDomain] = useState();
	const [clientID, setClientID] = useState();
	const [audience, setAudience] = useState();
	
	useEffect(() => {
		axios.get("http://localhost:8080/config")
		.then( (response) => {
		  setDomain(response.data.domain);
		  setClientID(response.data.clientID);
		  setAudience(response.data.audience);  
		  setLoading(false);
		});
	}, []);

SPA configuration on dashboard:
The clientId on the dashboard matches the one used in the spring config

I also have a custom domain configured on my tenant.

I am not sure if this is correct though: keySetUri: https://<My-Custom-Domain>.com/.well-known/jwks.json

Thank you very much.

3

Hi there @alin.bistrian!

Thanks for bunch for sharing your code, very helpful :slight_smile:

That’s great that you’re successfully getting an access token and are able to hit your backend, progress! This type of error is usually do to a configuration issue somewhere - On first glance it looks like their might be a mismatch between the resourceId in your Spring config vs. the audience config passed to the SPA. Those should be the same, both the API Identifier listed for the API you created in your dashboard. I’d refactor to make sure those are the same and go from there.

The quickstart is grabbing the environment variables (including the audience) from /config:

@RequestMapping(value = "/config", method = RequestMethod.GET, produces = "application/json")
  @ResponseBody
  public String getAppConfigs() {
    return new JSONObject()
      .put("domain", domain)
      .put("clientID", clientId)
      .put("audience", resourceId)
      .toString();
  }

Keep us posted!

4

Hi @tyf thank you very much for your reply. I have refactor the code to read the config from the server and I have updated the post above to 100% match what I have. Can you please have another look, it still does not work.

Thank you very much.

Kind regards,
Alin

5

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.