5

I am building a REST API using Grails. I want it to be protected using OAuth2.0 client_credentials flow(grant_type). My use-case is as follows:

a external agent will send a request to something like

http://server-url/oauth/token?client_id=clientId&client_secret=clientSecret&grant_type=client_credentials

and obtain a access_token. Then, my URL(protected resource) should be accesible with something like

http://server-url/resource?access_token={access-token obtained before}

I am looking for something that makes doing this on Grails easy and quick. What will be the best way/tool/plugin to use for this ? Scribe library is an option, if there are any tutorials for my specific use-case, it will be great.

P.S.: I have tried the spring-security and related plugins, no joy there. Any alternatives would be nice.

Pablo Fernandez
  • 103,170
  • 56
  • 192
  • 232
SoftDev
  • 63
  • 1
  • 4

3 Answers3

2

I have the same issue. I found a lot of grails plugins that helped you authenticate your app against other oauth providers, but nothing that would help me make my app the oauth provider. After a lot of digging, I came across this grails plugin that will do exactly what you want.

https://github.com/adaptivecomputing/grails-spring-security-oauth2-provider

I'm still configuring it for my application, and I think the docs might need a few edits (specifically the authorization_code flow) but I got the simple client_credentials flow to work with minimal configuration. Hope that helps!

jss12001
  • 21
  • 1
  • That plugin is really lacking in terms of documentation and is kind of abandoned. I ended using Spring Roo instead of Grails because of this. There's a very nice plugin for Roo, and since Roo is just a repackage of vanilla Spring MVC you get much more official documentation. Either way if Grails is not a requirement other SpringSource family products (such as Spring MVC or Roo) might do a better job for OAuth implementations. This is just a tip for anyone interested. It's not supposed to be an answer and as such I left it here in the comments. – petersaints Nov 08 '12 at 18:16
-1

Based on my experiences, Scribe was built for OAuth 1.0 and has only very limited support for OAuth 2.0. In fact, for testing our own OAuth 2 implementation, all we could use from it was an HTTP request wrapper, we had to do anything else manually. Fortunately, doing it manually is suprisingly easy.

Since I still haven't found a fine open OAuth 2.0 library for Java (frankly I'm not familiar with Groovy), I encourage you to write the client code for yourself. You don't even need a client callback endpoint to use the client credentials grant flow. So you simply create an HTTP request (as you've written above already, take care to escape the GET parameters though) and get the response content. Your flow does not use redirects, so simply parse the JSON object in the response content, e.g. with the org.json library. Finally, send an HTTP request using the extracted access token.

Note that your examples are not completely standard compliant. The standard requires using HTTPS, sending the token in an HTTP header instead of a GET parameter and suggests using a HTTP basic authorization header instead of GET parameters to specify client credentials.

I may have misunderstood your question, and you may want to implement the server side, too. The scribe library supports only client side, so you can find a commercial implementation or implement your own server. It is a complex task, but if you support only the client credentials flow, it almost becomes easy. ;-)

Zólyomi István
  • 2,401
  • 17
  • 28
  • Thanks for your inputs. But, I am interested in the server side implementation. I was little hesitant to implement it from scratch as I am not a OAuth security expert and don't want to leave any security flaws :P. To be precise, I was looking for something that could help me store/manage the generated access tokens [invalidate them automatically after the expiry time ] etc. Of course, one can do it from scratch but it may leave some gaps. Does anything like this exist for Java, which provides an easy interface to generate, store tokens etc. on the server side ? – SoftDev Jun 27 '12 at 18:53
  • I know no such library, but token storage is the easiest part to implement as a plugin with a clear interface (a store, load and revoke operation is all you need). You should be concerned more about security details implementing the client credentials grant flow and storing predefined rights for client credentials. – Zólyomi István Jun 28 '12 at 06:50
-1

This isn't a plugin, it's just a sample Grails application that acts as an OAuth provider. It was really easy to get up and running with Grails 3.

https://github.com/bobbywarner/grails3-oauth2-api

sethernet
  • 1
  • 1