Question

Able to hit the secured endpoint from the browser but not from Postman/Insomnia; getting 401 Unauthorized

pom dependencies: spring-boot-starter-security, spring-boot-starter-oauth2-client

application.properties:

# registration "qwerty" uses provider "qwerty" (Spring Boot also defaults the provider to the registration id)
spring.security.oauth2.client.registration.qwerty.provider=qwerty
spring.security.oauth2.client.registration.qwerty.client-id=qwe
spring.security.oauth2.client.registration.qwerty.redirect-uri=http://qwe.com:9090/welcome/callback
spring.security.oauth2.client.registration.qwerty.scope=openid
spring.security.oauth2.client.registration.qwerty.authorization-grant-type=authorization_code
spring.security.oauth2.client.provider.qwerty.issuer-uri=https://qwerty.com
spring.security.oauth2.client.provider.qwerty.authorization-uri=https://qwerty.com/as/authorization.oauth2
spring.security.oauth2.client.provider.qwerty.token-uri=https://qwerty.com/as/token.oauth2

WebSecurityConfig.java

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            // CSRF protection switched off (the answer below explains why this is risky with oauth2Login)
            .csrf(csrf -> csrf.disable())
            // every request needs an authenticated session
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            // authorization_code login; the provider redirects back to <context-path>/callback
            .oauth2Login(login -> login
                .redirectionEndpoint(endpoint -> endpoint.baseUri("/callback")));

        return http.build();
    }
}

This is the security configuration in my Spring Boot MVC application. Suppose now the endpoint is http://qwe:9090/welcome/name. If I open this endpoint in the browser it returns the name, but if I try to hit this endpoint in Postman it says 401 not authorized. How do I hit the above endpoint in Postman if I have the above security configuration in my application? The authorization server is using Kerberos for authentication.


Solution

 1

Requests to a Spring OAuth2 client with oauth2Login are authorized with a session cookie, not with Bearer tokens.

Postman OAuth2 features are made to fetch a token from an authorization server and then query resource servers (most frequently, REST APIs behind a gateway).

Postman has a Chrome plug-in to pick up the session cookie (log in with Chrome and then attach Chrome's session cookie to Postman requests). This is suited to sending requests to clients with oauth2Login (frequently a gateway with the TokenRelay filter).

You can find video tutorials that ease the use of a browser session cookie with a Postman request, something easier (like the plugin mentioned above) than copying the cookie value from the browser developer tools and pasting it into Postman.

P.S.

As they are authorized with sessions, OAuth2 clients with oauth2Login are vulnerable to CSRF attacks. Never disable protection against CSRF in a Security(Web)FilterChain with oauth2Login.

2024-07-15
ch4mp
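As an added example (not part of the original question or of either answer), here is one way to keep the browser flow described above and still let Postman call the application with its usual OAuth 2.0 token helper: a second, stateless SecurityFilterChain that accepts Bearer JWTs on /api/** paths, while the oauth2Login chain keeps its session cookie and its CSRF protection. It assumes Spring Boot 3 / Spring Security 6, the spring-boot-starter-oauth2-resource-server dependency on the classpath, that the authorization server at https://qwerty.com issues JWT access tokens, and that the endpoints Postman should reach live under /api; the class name and the /api path are hypothetical.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;

// Hypothetical class name; not from the original post.
@Configuration
@EnableWebSecurity
public class SplitSecurityConfig {

    // Chain 1 (evaluated first): stateless Bearer-token chain for the paths Postman calls.
    // Assumes spring-boot-starter-oauth2-resource-server and, in application.properties,
    //   spring.security.oauth2.resourceserver.jwt.issuer-uri=https://qwerty.com
    // so that JWT signatures are checked against the issuer's published keys.
    @Bean
    @Order(1)
    SecurityFilterChain apiChain(HttpSecurity http) throws Exception {
        http
            // only requests under /api/** are handled by this chain
            .securityMatcher("/api/**")
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            // validate "Authorization: Bearer <jwt>"; missing/invalid token -> 401 + WWW-Authenticate: Bearer
            .oauth2ResourceServer(rs -> rs.jwt(Customizer.withDefaults()))
            // no HTTP session is created, so there is no session cookie for CSRF to protect
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .csrf(csrf -> csrf.disable());
        return http.build();
    }

    // Chain 2: everything else is the browser flow from the question.
    // The session cookie authorizes requests, so CSRF protection is left enabled.
    @Bean
    @Order(2)
    SecurityFilterChain browserChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .oauth2Login(login -> login
                .redirectionEndpoint(endpoint -> endpoint.baseUri("/callback")));
        return http.build();
    }
}
```

With this in place, Postman obtains an access token from the authorization server with its OAuth 2.0 authorization helper and sends it as Authorization: Bearer <token> to a path under /api/**; that request is authorized by the first chain, and a request without the header gets a 401 with a WWW-Authenticate: Bearer challenge instead of a redirect to the login page. Browser requests outside /api/** still go through the second chain with the session cookie and CSRF protection intact. If the authorization server issues opaque tokens rather than JWTs, use rs.opaqueToken(...) with the introspection endpoint configured instead of rs.jwt(...).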

Solution

 0

When you hit it from the browser, check in the network tab which request parameters are sent with the request, and provide the same parameters in Postman as well.

2024-07-25
Vijay chaurasiya