Hi, I have a question about the integration with spring-security.
Background
I configured an authorization server which supports password grants and I can retrieve access tokens and refresh tokens without any issue. Now I need to protect another service and since both are part of the same domain the password grant flow seems to be the most appropriate one.
The problem
The @EnableOAuth2Client annotation says
Apps that use password grants need to set the authentication properties in the OAuth2ProtectedResourceDetails before using the RestOperations, and this means the resource details themselves also have to be per session (assuming there are multiple users in the system).
This makes complete sense but I do not have any clue about how to use it together with WebSecurityConfigurerAdapter. Do I need to write a custom AuthenticationManager that calls oauth2RestTemplate.getAccessToken()?
Could you please shed some light?
Thanks.
I don't really know what your use case is. In your "background" you seem to say you want to implement a new resource server, which ought to be easy (you @EnableResourceServer). In the "problem" it sounds like a client app. Why wouldn't auth code grant be appropriate if it's a client app you want to add? Spring Boot 1.3 has @EnableOAuth2Sso that takes the pain out of it but all it does is configure an OAuth2ClientAuthenticationProcessingFilter which you can do yourself.
Hi Dave,
Thanks for answering. You are correct, I am working on a client app with SSO. Since both my authorization server and my client app are managed by me I do not need the auth code flow with redirections and an approval form. By my basic understanding of the OAuth grants, the password flow should fit in this case as I trust the client app to handle the user credentials.
In this scenario, I could configure an OAuth2ClientAuthenticationProcessingFilter to use the current user credentials to instantiate a new OAuth2RestTemplate with ResourceOwnerPasswordResourceDetails, correct?
I am looking forward to Spring Boot 1.3. Does it support all the current features implemented by spring-security-oauth?
I think you have the wrong idea about password grant, and I believe you should be using auth code flow for SSO: the benefit is that only the auth server has to collect user credentials. You don't have to obtain explicit approval if the apps are all part of the same system (that's why we have the autoApprove feature in Spring OAuth).
Hi Dave, I got the behavior I wanted by combining @EnableOAuth2Sso and the auto approval feature in the auth server. Sorry for not replying earlier. Thank you for the help.
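A minimal version of the combination described in the reply above (auth code grant with autoApprove on the server, @EnableOAuth2Sso on the client), as an added example and not code posted in this thread; it targets Spring Boot 1.3-era Spring Security OAuth, and the client id, secret, ports and URIs are placeholders I chose. It assumes the authorization server also exposes a /user info endpoint for the client to look up the authenticated principal.

```java
// Added example (not from the thread): Spring Boot 1.3-era Spring Security OAuth.
// Client id, secret, ports and URIs below are placeholders I chose.
import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;

// ---- Authorization server (assumed to run on port 9999) ----
// autoApprove skips the approval form for the listed scope, so the client gets
// SSO without ever seeing the user's password: credentials are entered here only.
@Configuration
@EnableAuthorizationServer
class AuthServerConfig extends AuthorizationServerConfigurerAdapter {
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
            .withClient("sso-client")                      // placeholder client id
            .secret("change-me")                           // placeholder secret
            .authorizedGrantTypes("authorization_code", "refresh_token")
            .scopes("openid")
            .autoApprove("openid")                         // no approval page for this scope
            .redirectUris("http://localhost:8080/login");  // the client's SSO callback
    }
}

// ---- Client app (assumed to run on port 8080) ----
// @EnableOAuth2Sso installs OAuth2ClientAuthenticationProcessingFilter on /login and
// reads these properties (application.yml):
//   security.oauth2.client.clientId: sso-client
//   security.oauth2.client.clientSecret: change-me
//   security.oauth2.client.accessTokenUri: http://localhost:9999/oauth/token
//   security.oauth2.client.userAuthorizationUri: http://localhost:9999/oauth/authorize
//   security.oauth2.resource.userInfoUri: http://localhost:9999/user
@Configuration
@EnableOAuth2Sso
class ClientSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.antMatcher("/**")
            .authorizeRequests()
                .antMatchers("/", "/login**", "/error**").permitAll()  // public pages
                .anyRequest().authenticated();                         // everything else needs SSO
    }
}
```

The two classes belong in the two separate applications; they are shown together only for brevity.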
I need the same solution as well. Is it possible for any of you to show me some sample code?
Thanks
@dsyer https://oauth.net/2/grant-types/password/
@jrglee if, by any chance, you still have the implementation, I would love to see that!
My 2 cents. Sometimes your grant type is mandated by the vendor you are connecting to.
I have a machine-to-machine trust relationship that works only on password grant type. It does give me back an access and refresh token which I would like to use with webclient so that it will manage the token and refresh for me.
It feels like Spring fights me every step of the way because it is not supposed to be a valid use-case.