Recently we updated one of our internal applications from Spring Boot 1.5 to 2.1, which brings an update of Spring Security with it. After the update the OAuth2 security in the backend started to fail: it no longer recognized the authentication sent by the frontend.

Our setup

The project is an Angular 4 application. It uses angular2-oauth2 (1.3) in the frontend, and spring-boot-security and spring-security-oauth2 on the backend. The frontend is responsible for the login against our Bitbucket account; the resulting access token is then sent to the backend as a Bearer token in the Authorization header. Our security settings live in a separate class extending WebSecurityConfigurerAdapter, annotated with @EnableOAuth2Client.

Updating the backend

Updating Spring Boot to 2.1 also means an update of Spring Security from 4.2 to 5.1. To stay up to date with Spring Security OAuth2 we updated it from 2.1.2 to 2.3.4. On restarting the application we were faced with an error that there was no bean of type org.springframework.security.oauth2.client.resource.OAuth2ProtectedResourceDetails, which is the bean used to create the OAuth2RestTemplate for communicating with Bitbucket. We found a hint somewhere that we needed to add a ClientCredentialsResourceDetails bean to our project. We added the bean and the application started again. The next problem surfaced quickly: the frontend was still able to authenticate with Bitbucket, but the backend no longer recognized the access token sent by the frontend. Checking the previous version of the application showed that it used to use an AuthorizationCodeResourceDetails bean, so we changed the bean to that type. Note that the bean type is not just a detail: it selects the OAuth2 grant the OAuth2RestTemplate uses, and with client_credentials the template authenticates as the application itself rather than as the user who logged in through the frontend, so it cannot act on that user's behalf. Even with the authorization-code bean in place, the authentication was still not working.

Is it spring security?

Considering how widely Spring Security and OAuth2 are used, we felt the problem had to be either something specific to the configuration of our application or a major change in Spring Security itself. To check this, we created an empty project following the first part of the Spring Boot and OAuth2 tutorial and replaced the OAuth settings with our settings for Bitbucket. Running this application worked! So the problem had to be in our own project.

Updating our security

The main difference between the sample application from the tutorial and our application lies in the Spring Security related dependencies, and in the annotation the tutorial uses to enable security. We changed our Spring OAuth2 dependency from org.springframework.security.oauth:spring-security-oauth2 to org.springframework.security.oauth.boot:spring-security-oauth2-autoconfigure and changed the annotation on our WebSecurity implementation to @EnableOAuth2Sso. This brought our project to the same state as the tutorial from a Spring Security perspective, and it fixed our issue: we could log in again in the frontend, and the backend recognized the security token and worked as before. The reason is that Spring Boot 2 no longer ships its own OAuth2 auto-configuration; the support that Boot 1.5 provided for the security.oauth2.* properties moved to the spring-security-oauth2-autoconfigure artifact, so without that dependency the client and token settings from our configuration were simply no longer picked up. While writing this blog, I did a quick check with the old @EnableOAuth2Client annotation. This also works, so it is not necessary to replace it.
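To make the end state concrete, here is an added example of a security configuration in the shape the post arrives at; it is written for this article and is not the code of the application described above or of the tutorial. It assumes the Maven dependency org.springframework.security.oauth.boot:spring-security-oauth2-autoconfigure is on the classpath alongside Spring Boot 2.1, and that the security.oauth2.client.* and security.oauth2.resource.user-info-uri properties are set in application.yml (the Bitbucket endpoint URLs in the comments, the class and bean names, and the permitted paths are all assumptions for the example).

```java
// Added example, not the blog's or the project's own code.
// Assumed application.yml (values are assumptions for this example):
//   security.oauth2.client.client-id: <bitbucket consumer key>
//   security.oauth2.client.client-secret: <bitbucket consumer secret>
//   security.oauth2.client.access-token-uri: https://bitbucket.org/site/oauth2/access_token
//   security.oauth2.client.user-authorization-uri: https://bitbucket.org/site/oauth2/authorize
//   security.oauth2.resource.user-info-uri: https://api.bitbucket.org/2.0/user
package com.example.security; // assumed package name

import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.client.OAuth2ClientContext;
import org.springframework.security.oauth2.client.OAuth2RestTemplate;
import org.springframework.security.oauth2.client.token.grant.code.AuthorizationCodeResourceDetails;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

// @EnableOAuth2Sso comes from spring-security-oauth2-autoconfigure; it also
// enables the OAuth2 client support, which is what wires the session-scoped
// OAuth2ClientContext injected below. The post notes @EnableOAuth2Client
// works here too.
@Configuration
@EnableOAuth2Sso
public class BitbucketSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Assumed public paths: the SPA entry point, login and error pages.
                .antMatchers("/", "/login**", "/error").permitAll()
                .anyRequest().authenticated()
            .and()
            // Keep CSRF protection on, but expose the token in a cookie the
            // Angular frontend can read and echo back (assumed frontend behaviour).
            .csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
    }

    // Authorization-code grant, as the post found the old version used. The bean
    // is bound from security.oauth2.client.*; a client_credentials bean here would
    // make the template act as the application, not as the logged-in user.
    @Bean
    @ConfigurationProperties("security.oauth2.client")
    public AuthorizationCodeResourceDetails bitbucketResource() {
        return new AuthorizationCodeResourceDetails();
    }

    // The template the backend uses to call Bitbucket on behalf of the user.
    // It picks the user's access token up from the session-scoped client context.
    @Bean
    public OAuth2RestTemplate bitbucketRestTemplate(OAuth2ClientContext clientContext) {
        return new OAuth2RestTemplate(bitbucketResource(), clientContext);
    }
}
```

Two things are worth checking after applying this: the application must log the OAuth2 auto-configuration classes as matched (run with --debug and look for OAuth2AutoConfiguration in the auto-configuration report), otherwise the autoconfigure dependency is not actually on the classpath; and a request with a Bearer token for a Bitbucket user must return 200 on an authenticated endpoint while a request with a garbage token returns 401, which is the check that the token is being validated rather than ignored.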
