Spring OAuth2 disable HTTP Basic Auth for TokenEndpoint

我的梦境 提交于 2019-11-29 10:24:18

问题


I am starting with Spring OAuth2. So far so good, I have secured my app with the configuration. But I have an issue, my client does not support HTTP Basic Authorization.

Is there a way how to disable HTTP Basic Auth for the /oauth/token endpoint? I would like to send the client_id and client_secret in the JSON body or in the request headers.

curl examples I would like to work:

curl -X POST -H "Content-Type: application/json" -d '{
"username": "user",
"password": "pass",
"grant_type": "password",
"client_id": "test-client-id",
"client_secret": "test-client-secret"
}' "http://localhost:9999/api/oauth/token"

OR

curl -X POST -H "Content-Type: application/json" -H "X-Client-ID: test-client-id" -H "X-Client-Secret: test-client-secret" -d '{
"username": "user",
"password": "pass",
"grant_type": "password"
}' "http://localhost:9999/api/oauth/token"

回答1:


I finally figure it out. The way how to disable the HTTP Basich Auth is to enable a form authentication for clients. Just add those lines to your configuration.

@Configuration
@EnableAuthorizationServer
protected static class OAuth2Config extends AuthorizationServerConfigurerAdapter {
  @Override
  public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
    oauthServer.allowFormAuthenticationForClients();
  }
}

Now you will be able to send successful request to TokenEndpoint like this:

curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d 'username=user_username&password=user_password&grant_type=password&client_id=your_trusted_client_id&client_secret=your_trusted_client_secret' "http://localhost:8080/oauth/token"

But there is still remaining the ContentType application/json issue remaining. Anyone have a solution for this?



来源:https://stackoverflow.com/questions/38166613/spring-oauth2-disable-http-basic-auth-for-tokenendpoint

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!