cuba_ExternalOAuthTokenGranter does not work with property on


If I have enabled to store rest tokens in db and I am using external auth, then I validate the user, call loginTrusted of login service which gives me a session id. Now using this session id if I call ‘/v2/oauth/token’ using grant_type ‘external’, I get an error like ‘No security context bound to thread’.

Upon debugging I found that it is thrown from com.haulmont.cuba.restapi.ServerTokenStoreImpl.storeAccessTokenToDatabase where there is actually no authentication.

However if I use username/password with grant_type ‘password’ then at the same place where it failed, authentication is there as the user who requested log in. Also external auth works fine when save to db is turned off


Why do you use ExternalOAuthTokenGranter directly? You have to use OAuthTokenIssuer bean instead and implement custom authentication controller, it works with both in-memory and db-stored REST API tokens.

Check this manual page:

Finally, I found the error. As a workaround you could set Security context before calling oAuthTokenIssuer:

try {
    UserSession systemSession = loginService.getSystemSession(webAuthConfig.getTrustedClientPassword());
    AppContext.setSecurityContext(new SecurityContext(systemSession));
} catch (LoginException e) {

We will fix the issue in one of the next bug fix versions, see the issue link at the right. (2.8K)

Thanks a lot for the update.

I actually preferred not to use a custom controller for this. I am using the same ‘/v2/oauth/token’ controller with grant_type as ‘external’. I believe the issue is fixed in 6.6.4 so I will wait for that.


/v2/oauth/token will not work with grant_type as ‘external’. We don’t provide this functionality. How do you use it?

As you noticed, the issue is fixed in 6.6.4, we are planning to release it next week.


I am doing a phone and otp based auth. For that I am saving unique phone numbers for all cuba users. For OTP auth I do following steps: (This works if store rest token in db is disabled):

  1. Call generate otp api: This is a custom API which takes user phone number, validates it, generate an OTP, save it in one of my tables and send the same to user’s phone (which my app picks and fills in the phone login form)

  2. Validate OTP: This is also a custom API which receives phone and OTP. Here I validate that the OTP sent by app is same as what I generated in last step. If validated I call LoginService.loginTrusted on behalf of the user which gives me a session id which I return back in API response along with username.

  3. Call /v2/oauth/token with params: grant_type=external, username={username} (got from response of step 2), sessionId={sessionId} (got from response of step 2) which finally gives me an oauth token which I use for future calls from my app. (This is the step that gives error when I enable save token to db)

Let me know if more details needed or if I am missing something or can improvise.


Did you override our standard /v2/oauth/token endpoint ? Because we do not provide auth with sessionId.

Yes sorry I forgot to mention, but I have added following bean in rest-dispatcher-spring.xml

    <oauth2:authorization-server token-endpoint-url="/v2/oauth/token"
        <oauth2:password authentication-manager-ref="userAuthenticationManager"/>
        <oauth2:custom-grant token-granter-ref="cuba_ExternalOAuthTokenGranter"/>


I tested it on 6.6.4 just now and still getting same issue. I did not change anything else mentioned above except for the version.

Am I missing anything?


Could you attach full stacktrace or log files? In case of a custom controller and the recipe mentioned in docs everything works ok.

:ticket: See the following issue in our bug tracker: