Bad request at accessToken url in apereo CAS server

I want to integrate my Spring Cloud Gateway application with an Apereo CAS server (running on port 8443), and I configured the CAS server to act as an OAuth2 authorization server. Here is the flow:

  • I request the gateway.

  • It interacts with the authorization server (CAS here).

  • Before the interaction, it needs to log in there.

  • I log in successfully with the default cas-overlay-template credentials (casuser:Mellon).

  • CAS redirects to the gateway with the URL login/oauth2/code/login-client?code=OC-3-TURQDNdC4jXulPgK7ipJSzfoBLi-iaSv&state=aitARK42e0zx2iTFkeZxoRM2rLehXSex6gTIfZOHlwY%3D.

  • And an [invalid_grant] error happens at the gateway.

I checked the Spring Cloud Gateway trace logs, and the error happens at the get-access-token step.

[ctor-http-nio-2] o.s.w.s.adapter.HttpWebHandlerAdapter    : [33597172] Completed 302 FOUND, headers={masked}
[ctor-http-nio-2] o.s.h.s.r.ReactorHttpHandlerAdapter      : [33597172] Handling completed
[ctor-http-nio-2] o.s.w.s.adapter.HttpWebHandlerAdapter    : [33597172] HTTP GET "/login/oauth2/code/login-client?code=OC-14-F99FROWxhVYzpfxkmQqB1BAfP-oOfIfI&state=Y9XC3NNkPUvb649Tx0dIDG4ZyIInioAD-xT2ll3bfII%3D", headers={masked}
[ctor-http-nio-2] o.s.w.r.f.client.ExchangeFunctions       : [dee9e83] HTTP POST http://localhost:8443/cas/oauth2.0/accessToken, headers={masked}
[ctor-http-nio-2] o.s.http.codec.FormHttpMessageWriter     : [dee9e83] Writing form fields [grant_type, code, redirect_uri] (content masked)
[ctor-http-nio-2] o.s.w.r.f.client.ExchangeFunctions       : [dee9e83] Response 400 BAD_REQUEST, headers={masked}
[ctor-http-nio-2] o.s.http.codec.json.Jackson2JsonDecoder  : [dee9e83] Decoded [{error=invalid_grant}]

Clearly, it cannot request the access token due to the bad request, but I can't find out what the valid parameters are. And I don't send the request manually; instead it happens automatically behind the scenes. Where is my mistake? Thanks for your help.

Here is my Spring Cloud Gateway configuration:

spring:
  security:
    oauth2:
      client:
        registration:
          login-client:
            provider: uaa
            client-id: first-client
            client-secret: noonewilleverguess
            authorization-grant-type: authorization_code
            redirect-uri: "{baseUrl}/login/oauth2/code/{registrationId}"
        provider:
          uaa:
            authorization-uri: http://localhost:8443/cas/oauth2.0/authorize
            token-uri: http://localhost:8443/cas/oauth2.0/accessToken
            user-info-uri: http://localhost:8443/cas/oauth2.0/profile
            prefer-token-info: false
            client-authentication-scheme: form

CAS OAuth2 registered service:

{
  "@class" : "org.apereo.cas.support.oauth.services.OAuthRegisteredService",
  "clientId": "first-client",
  "clientSecret": "noonewilleverguess",
  "serviceId": "http://localhost:8085/.*",
  "name": "OAuthService",
  "bypassApprovalPrompt": true,
  "id": 1003,
  "supportedGrantTypes": [ "java.util.HashSet", [ "authorization_code" ] ],
  "supportedResponseTypes": [ "java.util.HashSet", [ "code" ] ]
}

The resources I used:

https://apereo.github.io/2019/02/19/cas61-as-oauth-authz-server/

https://apereo.github.io/cas/5.3.x/installation/OAuth-OpenId-Authentication.html#responsegrant-types



Solution 1:[1]

Okay, the question was actually simple. Spring Cloud Gateway fills 3 fields (grant_type, code, redirect_uri) automatically, but the Apereo CAS server has an API which takes 5 fields (grant_type, code, redirect_uri, and also client_id, client_secret). To address this problem, you can define your own API at CAS which takes 3 parameters, and the rest of the logic will be the same. The only thing you do is override the access token API field behaviour.
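To make the mismatch between the three-field request in the question's trace log and the five-field request the answer describes concrete, here is an added example (not part of the original post, and not Spring or CAS code) that simulates both ends of the authorization-code token exchange. RFC 6749 lets a confidential client present its credentials either in the HTTP Basic Authorization header (with only grant_type, code and redirect_uri in the form body, as the gateway log shows) or as client_id/client_secret form fields. The toy endpoint below can be run in either mode: with accept_basic=False it models an endpoint that, as the answer states for this setup, only reads the five form fields; with accept_basic=True it also honours the header. It also binds each code to a client and redirect_uri and rejects replayed codes, which is why a request with no identifiable client fails with invalid_grant. All client ids, secrets, codes and the redirect URI are constructed for the illustration, and the function names (issue_code, build_token_request, token_endpoint, exchange) are hypothetical.

```python
import base64
import secrets
from urllib.parse import parse_qs, urlencode

# Constructed values that mirror the shape of the question's client registration.
CLIENT_ID = "first-client"
CLIENT_SECRET = "noonewilleverguess"
REDIRECT_URI = "http://localhost:8085/login/oauth2/code/login-client"


def issue_code(store, client_id=CLIENT_ID, redirect_uri=REDIRECT_URI):
    """Simulated authorization step: mint a single-use code bound to the
    client and redirect_uri that requested it, and record it in `store`."""
    code = "OC-" + secrets.token_urlsafe(16)
    store[code] = {"client_id": client_id, "redirect_uri": redirect_uri, "used": False}
    return code


def build_token_request(code, method):
    """Client side: build (headers, body) for the POST to the token endpoint.

    client_secret_basic: credentials only in the Authorization header, so the
        form carries just grant_type, code, redirect_uri (the three fields in
        the question's trace log).
    client_secret_post: client_id and client_secret are added to the form as
        well (the five fields the answer says this endpoint expects).
    """
    fields = {"grant_type": "authorization_code", "code": code, "redirect_uri": REDIRECT_URI}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if method == "client_secret_basic":
        raw = f"{CLIENT_ID}:{CLIENT_SECRET}".encode()
        headers["Authorization"] = "Basic " + base64.b64encode(raw).decode()
    elif method == "client_secret_post":
        fields["client_id"] = CLIENT_ID
        fields["client_secret"] = CLIENT_SECRET
    else:
        raise ValueError(f"unknown client authentication method: {method}")
    return headers, urlencode(fields)


def token_endpoint(store, headers, body, accept_basic):
    """Server side (toy): validate the token request and return (status, json).

    accept_basic=False reads the client only from the form fields;
    accept_basic=True falls back to the HTTP Basic header (RFC 6749 s2.3.1).
    """
    form = {k: v[0] for k, v in parse_qs(body).items()}
    client_id, client_secret = form.get("client_id"), form.get("client_secret")
    auth = headers.get("Authorization", "")
    if accept_basic and client_id is None and auth.startswith("Basic "):
        decoded = base64.b64decode(auth[len("Basic "):]).decode()
        client_id, _, client_secret = decoded.partition(":")
    if form.get("grant_type") != "authorization_code":
        return 400, {"error": "unsupported_grant_type"}
    issued = store.get(form.get("code"))
    # The code must exist, be unused, and be bound to this client and
    # redirect_uri. With no client_id in the form (and Basic not honoured)
    # the binding check fails, producing the invalid_grant seen in the question.
    if (issued is None or issued["used"]
            or issued["client_id"] != client_id
            or issued["redirect_uri"] != form.get("redirect_uri")):
        return 400, {"error": "invalid_grant"}
    if not secrets.compare_digest(client_secret or "", CLIENT_SECRET):
        return 401, {"error": "invalid_client"}
    issued["used"] = True  # single use: a replayed code is rejected above
    return 200, {"access_token": "AT-" + secrets.token_urlsafe(16), "token_type": "bearer"}


def exchange(store, method, accept_basic, code=None):
    """One full client/server round trip; returns (status, json)."""
    code = code or issue_code(store)
    headers, body = build_token_request(code, method)
    return token_endpoint(store, headers, body, accept_basic)


if __name__ == "__main__":
    store = {}
    print("basic auth, form-only endpoint:", exchange(store, "client_secret_basic", False))
    print("post credentials, form-only endpoint:", exchange(store, "client_secret_post", False))
    print("basic auth, endpoint honouring Basic:", exchange(store, "client_secret_basic", True))
    code = issue_code(store)
    exchange(store, "client_secret_post", False, code=code)
    print("replayed code:", exchange(store, "client_secret_post", False, code=code))
```

The first call reproduces the question's outcome (three form fields, 400 invalid_grant); the second and third show the two ways to resolve it depending on which side you control: the client posts its credentials in the form, or the endpoint reads them from the Basic header. The last call shows the single-use property of authorization codes, which is worth keeping in any endpoint you override on the CAS side.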

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 denizg