spring-oauth2

How do I add the custom UserDetailsService below to this Spring OAuth2 sample ? The default user with default password is defined in the application.properties file of the authserver app. However, I would like to add the following custom UserDetailsService to the demo package of the authserver app for testing purposes: package demo; import java.util.List; import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.authority.AuthorityUtils; import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.core

I am doing an in-depth study of Spring OAuth, and I found some conflicting information. Can someone please clarify? Specifically, this tutorial states that the /oauth/token endpoint handles the username and password before granting a refresh token to the client app. By contrast, the Spring OAuth Developer Guide mentions the /oauth/authorize and /oauth/token endpoints, but yet does not get specific about how they work. Does the /oauth/authorize do 100% of the username/password/nOtherFactors check and then signal the /oauth/token endpoint to send a refresh token to the client, so that the client

I would like to know if someone has an example to see how to implement "Token Exchange" technique with Spring Cloud Security (with OAuth2). Currently I have implemented "Token Relay" technique in a Microservices Environment using ZuulProxy to "relay" the OAuth2 token and implementing SSO. This is great but implies that every microservice uses the same clientId (which is specified in ZuulProxy setup as ZuulProxy relays the token only with authorization_code grant type and the clientId provided). However, for intra-microservices calls I would like to "exchange" the token. This means in some

I have created the Spring Authorization Server which issues JWT-s and a Resource Server which checks the JWT, its claims and permissions on the Authorization Server. To do so, I have followed this article . My question is why I need to send the Authorization header with HTTP Basic authorization and Base64 encoded username/password (ClientId:ClientSecret) in get token request? I have seen JWT implementations where only username and password are required. dur It is part of the specification, see RFC 6749 : 2.3 Client Authentication If the client type is confidential, the client and authorization

There is a guide how to implement OAuth2 using Spring and Spring Boot https://spring.io/guides/tutorials/spring-boot-oauth2/ I need to store OAuth2 information like accessToken, refreshToken in my database for future use. Right now I can only get accessToken. I can't figure out how to get refreshToken based on this guide. What is the proper way to get refreshToken using approach described in this guide ? UPDATED I have an access to refreshToken in OAuth2ClientAuthenticationProcessingFilter.attemptAuthentication method but only accessToken is paased to ResourceServerTokenServices

I am studying Spring Cloud and Spring OAuth2 by decomposing the three interconnected apps in this GitHub sample . When I open up the /oauth/revoke-token endpoint in the authserver app and then call it from the ui app with a http://localhost:9999/uaa/logout , the debug log for the authserver app gives the following error message while rejecting the logout request: Request 'OPTIONS /logout' doesn't match 'POST /logout What specific changes need to be made to the code in the sample GitHub apps in order to enable the global logout to succeed when the ui app calls the logout function from hello.js