Spring security Oauth2 Resource Owner Password Credentials Grant

Frontend · Unresolved · 2 answers · 710 views
Happy的楠姐 2021-02-06 15:50

I have just installed Spring Security OAuth2 in my Eclipse IDE. The service I am trying to implement will be consumed by second-party users through their installed applications henc

2 answers
  •  心在旅途
    2021-02-06 15:52

    Although the question is a bit old, I would like to contribute with my findings around this.

    It is true that for Spring OAuth you need to specify a client ID in order to access the token endpoint, but it is not necessary to specify a client secret for the password grant type.

    The next lines are an example of an Authorization Server client for the password grant type without any client secret. You just need to add them to your class that extends AuthorizationServerConfigurerAdapter:

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
            .withClient("clientId")           // client identified by client_id only, no secret() call
            .authorizedGrantTypes("password") // Resource Owner Password Credentials grant
            .authorities("ROLE_CLIENT")
            .scopes("read");
    }
    

    Furthermore, it is indeed possible to avoid HTTP Basic Authentication on the token endpoint and add our client_id as another request parameter in our POST call.

    To achieve this, you just need to add these lines in the same class as before:

    @Override
    public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
        // accept client_id (and client_secret, if any) as form parameters instead of an Authorization: Basic header
        oauthServer.allowFormAuthenticationForClients();
    }
    

    Now we can call the token endpoint this way, which seems more correct following the examples found on the Stormpath webpage:

    POST http://localhost:8080/sparklr2/oauth/token?grant_type=password&client_id=clientId&scope=read&username=marissa&password=koala
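Putting the two overrides from the answer above together, as an added example that is not part of the answer and not the Spring project's own code: a complete authorization-server configuration for the legacy spring-security-oauth2 library (2.3.x on Spring Boot 2 / Spring Security 5) that registers a public client with no secret next to a confidential client that has one, allows form-based client authentication, and wires in the AuthenticationManager that the password grant requires (without that wiring Spring does not enable the grant at all). The client IDs, the secret value, the scopes and token lifetimes are assumptions, and the AuthenticationManager bean is assumed to be exposed elsewhere, for example from a WebSecurityConfigurerAdapter#authenticationManagerBean() override.

```java
// Added example, not code from the original answer or from Spring itself.
// Assumes legacy spring-security-oauth2 2.3.x on Spring Boot 2 / Spring Security 5 and an
// AuthenticationManager bean provided elsewhere in the application (assumption).
package example.authserver;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;

@Configuration
@EnableAuthorizationServer
public class PasswordGrantAuthServerConfig extends AuthorizationServerConfigurerAdapter {

    // The password grant verifies the resource owner's username/password through the
    // application's AuthenticationManager. If it is not handed to the endpoints
    // configurer below, Spring silently leaves the password grant disabled.
    @Autowired
    private AuthenticationManager authenticationManager;

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
            // Public client (e.g. an installed desktop/mobile app): no secret() call, so it is
            // identified by client_id alone, exactly as in the answer above. Client IDs are placeholders.
            .withClient("public-mobile-app")
                .authorizedGrantTypes("password", "refresh_token")
                .scopes("read")
                .accessTokenValiditySeconds(600)
                .refreshTokenValiditySeconds(86400)
            .and()
            // Confidential client: must present its secret, either via HTTP Basic or, with
            // allowFormAuthenticationForClients() below, as a client_secret form field.
            // "{noop}" marks the value as plaintext for Spring Security 5's DelegatingPasswordEncoder;
            // store a bcrypt hash ("{bcrypt}$2a$...") anywhere outside a demo.
            .withClient("backend-service")
                .secret("{noop}change-me")
                .authorizedGrantTypes("password", "refresh_token")
                .scopes("read", "write")
                .accessTokenValiditySeconds(600);
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
        // Required for grant_type=password: this is what authenticates username/password.
        endpoints.authenticationManager(authenticationManager);
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) {
        security
            // Accept client_id / client_secret as POST form parameters on /oauth/token
            // instead of requiring an Authorization: Basic header.
            .allowFormAuthenticationForClients()
            // /oauth/check_token is only for authenticated callers (resource servers).
            .checkTokenAccess("isAuthenticated()");
    }
}
```

With this in place the public client posts grant_type=password, client_id, scope, username and password as form fields in the body of the request to /oauth/token, and the confidential client does the same with client_secret added, or keeps using an HTTP Basic header with client ID and secret. Send all of these in the POST body rather than in the URL query string as in the request above: query strings are written to web-server, proxy and browser logs, and that one carries the user's password. Note also that the OAuth 2.0 Security Best Current Practice deprecates the password grant entirely; it is only defensible for first-party clients you control, and never for arbitrary third-party applications.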
    
