I'm setting up a Spring Authorization Server (Spring Boot 3.4.1) and encountering an invalid_client error when requesting an access token for a pre-configured client. Here's my setup:
Configration
@Bean
fun registeredClientRepository(): RegisteredClientRepository {
val adminClient = RegisteredClient.withId("admin-client")
.clientId("admin-client")
.clientSecret("{noop}secret")
.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
.authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
.scope("client.create")
.build()
return InMemoryRegisteredClientRepository(adminClient)
}
@Bean
@Order(1)
@Throws(Exception::class)
fun authorizationServerSecurityFilterChain(
http: HttpSecurity, jdbcOperations: JdbcOperations, registeredClientRepository: RegisteredClientRepository
): SecurityFilterChain {
val authorizationServerConfigurer = OAuth2AuthorizationServerConfigurer.authorizationServer()
http.authorizeHttpRequests { it.requestMatchers("/auth/**").permitAll() }
.securityMatcher(authorizationServerConfigurer.endpointsMatcher).with(
authorizationServerConfigurer
) { authorizationServer ->
authorizationServer.registeredClientRepository(registeredClientRepository(jdbcOperations))
.authorizationService(JdbcOAuth2AuthorizationService(jdbcOperations, registeredClientRepository))
.authorizationConsentService(
JdbcOAuth2AuthorizationConsentService(
jdbcOperations,
registeredClientRepository
)
).authorizationServerSettings(endpoints).tokenGenerator(JwtGenerator(NimbusJwtEncoder(jwkSource())))
}
return http.build()
}
POST /auth/oauth2/token
Content-Type: application/x-www-form-urlencoded
Authorization: Basic YWRtaW4tY2xpZW50OnNlY3JldA== # Base64("admin-client:secret")
grant_type=client_credentials&scope=client.create
Observations
The client admin-client exists in the database with secret secret (stored plaintext).
Tried both CLIENT_SECRET_BASIC (via header) and CLIENT_SECRET_POST (via body) – same error.
Verified token endpoint URL matches AuthorizationServerSettings.
Error
{
"error": "invalid_client"
}
Question - What could cause Spring Authorization Server to reject valid client credentials despite correct configuration? Are there hidden requirements for client secret storage or authentication method validation?
I'm setting up a Spring Authorization Server (Spring Boot 3.4.1) and encountering an invalid_client error when requesting an access token for a pre-configured client. Here's my setup:
Configration
@Bean
fun registeredClientRepository(): RegisteredClientRepository {
val adminClient = RegisteredClient.withId("admin-client")
.clientId("admin-client")
.clientSecret("{noop}secret")
.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
.authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
.scope("client.create")
.build()
return InMemoryRegisteredClientRepository(adminClient)
}
@Bean
@Order(1)
@Throws(Exception::class)
fun authorizationServerSecurityFilterChain(
http: HttpSecurity, jdbcOperations: JdbcOperations, registeredClientRepository: RegisteredClientRepository
): SecurityFilterChain {
val authorizationServerConfigurer = OAuth2AuthorizationServerConfigurer.authorizationServer()
http.authorizeHttpRequests { it.requestMatchers("/auth/**").permitAll() }
.securityMatcher(authorizationServerConfigurer.endpointsMatcher).with(
authorizationServerConfigurer
) { authorizationServer ->
authorizationServer.registeredClientRepository(registeredClientRepository(jdbcOperations))
.authorizationService(JdbcOAuth2AuthorizationService(jdbcOperations, registeredClientRepository))
.authorizationConsentService(
JdbcOAuth2AuthorizationConsentService(
jdbcOperations,
registeredClientRepository
)
).authorizationServerSettings(endpoints).tokenGenerator(JwtGenerator(NimbusJwtEncoder(jwkSource())))
}
return http.build()
}
POST /auth/oauth2/token
Content-Type: application/x-www-form-urlencoded
Authorization: Basic YWRtaW4tY2xpZW50OnNlY3JldA== # Base64("admin-client:secret")
grant_type=client_credentials&scope=client.create
Observations
The client admin-client exists in the database with secret secret (stored plaintext).
Tried both CLIENT_SECRET_BASIC (via header) and CLIENT_SECRET_POST (via body) – same error.
Verified token endpoint URL matches AuthorizationServerSettings.
Error
{
"error": "invalid_client"
}
Question - What could cause Spring Authorization Server to reject valid client credentials despite correct configuration? Are there hidden requirements for client secret storage or authentication method validation?
Share Improve this question edited Feb 2 at 21:11 dur 17k26 gold badges89 silver badges143 bronze badges asked Feb 2 at 20:07 androidDeweleperandroidDeweleper 1157 bronze badges 01 Answer
Reset to default 1With a setup in line with Defining Required Components and additional code from OP, this curl-command is working as expected.
curl -X POST http://localhost:9000/oauth2/token \
-H "Content-Type: application/x-www-form-urlencoded" \
-u "admin-client:secret" \
-d "grant_type=client_credentials" \
-d "scope=client.create"
I notice that OP is using POST /auth/oauth2/token.
I can reproduce the invalid_client error when using wrong client secret. In my setup, I have a BCryptPasswordEncoder bean, and I need to encrypt the client secret like shown below:
@Bean
public RegisteredClientRepository registeredClientRepository(
PasswordEncoder passwordEncoder) {
var registeredClient = RegisteredClient
.withId(UUID.randomUUID().toString())
.clientId("admin-client")
.clientSecret(passwordEncoder.encode("secret"))
// remaining setup left out
With .clientSecret("{noop}secret"), I get invalid_client.
Tested with this auth-server, make your required changes. Please note that the context path is /auth-server for this app.