Spring Security OAuth2 Resource Owner Password Credentials Grant

Happy的楠姐 2021-02-06 15:50

I have just installed Spring Security OAuth2 in my Eclipse IDE. The service I am trying to implement will be consumed by second party users through their installed applications henc

2 answers
  •  予麋鹿 (original poster)
    2021-02-06 16:01

    It seems like Spring OAuth2 doesn't support the password grant type for a secret-less OAuth2 client. This might be as per the OAuth2 spec: http://tools.ietf.org/html/rfc6749#section-4.3.2, although the spec seems to indicate that the client authentication is not always required (that's not very clear to me).

    That means that when calling the token endpoint using the password grant type, you need to pass in the client ID and secret (using basic auth), which also means that you can't use the password grant if the client does not have a secret (you might still be able to use the implicit flow).

    In sparklr2, my-trusted-client does not have a secret defined which is why your call fails.

    If you want to see the password grant type in action you can try my-trusted-client-with-secret:

    curl -u my-trusted-client-with-secret:somesecret "http://localhost:8080/sparklr2/oauth/token?grant_type=password&username=marissa&password=koala"
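
The token request described in the answer above, built the way RFC 6749 lays it out: a POST with the client credentials in HTTP Basic and the grant parameters in the form body rather than the query string. This is an added example, not part of the original answer or of Spring's code; the endpoint and credentials are the sparklr2 sample values from the curl command, and the function names are hypothetical.

```python
import base64
from urllib.parse import quote_plus, urlencode
from urllib.request import Request

# Sample endpoint taken from the curl command in the answer (sparklr2 demo app).
TOKEN_URL = "http://localhost:8080/sparklr2/oauth/token"


def basic_client_auth(client_id, client_secret):
    """Authorization header value for client authentication (RFC 6749, 2.3.1).

    The id and secret are form-encoded first, so a ':' or space inside the
    secret cannot be confused with the 'id:secret' separator.
    """
    pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
    return "Basic " + base64.b64encode(pair.encode("utf-8")).decode("ascii")


def build_password_grant_request(client_id, client_secret, username, password):
    """Build, without sending, the token request for the password grant."""
    if not client_secret:
        # Assumption mirroring the answer: a client without a secret has
        # nothing to authenticate with, so the request is refused up front.
        raise ValueError("password grant here needs a client with a secret")
    # RFC 6749 section 4.3.2: parameters travel form-encoded in the POST body,
    # which keeps the user's password out of URLs and access logs.
    body = urlencode({
        "grant_type": "password",
        "username": username,
        "password": password,
    }).encode("ascii")
    return Request(
        TOKEN_URL,
        data=body,
        method="POST",
        headers={
            "Authorization": basic_client_auth(client_id, client_secret),
            "Content-Type": "application/x-www-form-urlencoded",
        },
    )


if __name__ == "__main__":
    req = build_password_grant_request(
        "my-trusted-client-with-secret", "somesecret", "marissa", "koala")
    print(req.get_method(), req.full_url)
    print(req.data.decode("ascii"))
```

Passing the returned object to `urllib.request.urlopen` sends it to a running sparklr2 instance.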
    
