7

I have a simple project that requires the simple following configuration :

  • I have a "password" grant_type, which means I can submit the username/password (that the user enters in my login form), and get an access_token on success.
  • With that access_token, I can request an API and get the user's information.

I know the URIs of the APIs, I don't want anything huge (I saw the configuration on https://github.com/spring-projects/spring-security-oauth/tree/master/samples) and it seems HUGE.

I can think of it this way :

  • Do a simple HTTP request, giving *client_id* , *client_secret* , *grant_type=password* , username and password (that the user provided).
  • I receive an *ACCESS_TOKEN* (and some other stuff) in a JSON response.
  • I use the *ACCESS_TOKEN* to query a URL (using simple GET request), that will give the user's information.
  • I set the information in HttpSession and consider the user as logged in.

It can be done in 2 HTTP requests. I just don't want to do it this way, but using the "safer" way instead with Spring Security OAuth2.

Can you think of what "simple" config I need to make to have this done?

Shotgun
  • 668
  • 2
  • 10
  • 24

1 Answers1

8

Don't let the sparklr sample confuse you (it does a lot more than you seem to need). Is this simple enough for you? 

@ComponentScan
@EnableAutoConfiguration
public class Application {

public static void main(String[] args) {
    SpringApplication.run(Application.class, args);
}

@Configuration
@Order(Ordered.LOWEST_PRECEDENCE - 100)
protected static class OAuth2Config extends OAuth2AuthorizationServerConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // @formatter:off
        auth.apply(new InMemoryClientDetailsServiceConfigurer())
            .withClient("my-trusted-client")
                .authorizedGrantTypes("password", "authorization_code", "refresh_token", "implicit")
                .authorities("ROLE_CLIENT", "ROLE_TRUSTED_CLIENT")
                .scopes("read", "write", "trust")
                .accessTokenValiditySeconds(60)
        .and()
            .withClient("my-client-with-secret")
                .authorizedGrantTypes("client_credentials")
                .authorities("ROLE_CLIENT")
                .scopes("read")
                .secret("secret");
    // @formatter:on
    }

}

}

That's the auth server. The client is also easy (e.g. the one in the Spring OAuth project). P.S. this is all Spring OAuth 2.0 stuff (not yet released), but we're working on it (and the 1.0 features with XML config really aren't that much heavier).

N.B. This kind of defeats the object of OAuth2 (webapp clients are not supposed to collect user credentials). You should consider using grant_type=authorization_code.

Dave Syer
  • 56,583
  • 10
  • 155
  • 143
  • Thanks Dave. Actually the OAuth Server is done internally in the company, so I got `grant_type=password` because my application is the only thing using the OAuth Server for now. As for the client application I'm developping, I just need a method where I can say "go to `SERVER/token?client_id=&client_secret=&grant_type=password&username=request.getParameter("username")&password=request.getParameter("password")` get the JSON response.get("access_token"), go to `/user_info?access_token=access_token` and BINGO, you got the user's information, store it kindly in `HttpSession`. I seem lost :( – Shotgun Mar 04 '14 at 20:55
  • I also have no pages to "securize" (using `auth.doThis().doThat()`) in my client application, it uses AngularJS which means it's a restful application, when a user comes to `/doSomething?someParameters`, it will check their session (HttpSession), if they're logged in, OK, otherwise it sends an error in JSON. – Shotgun Mar 04 '14 at 21:04
  • Dave, what do you mean by "this is all Spring OAuth 2.0 stuff"? What happened to old good AuthEndpoint and TokenEndpoint? – OhadR Mar 04 '14 at 21:33
  • 1
    Nothing. Still there, just coming up to a new release. – Dave Syer Mar 05 '14 at 06:46
  • @user2848844 I guess that means you are duplicating the authentication store / http session stuff. But if you are comfortable with doing that yourself you only need an `OAuth2RestTemplate` to grab the access token and then send the request to "/user_info". Since you are using password grant you have to create a new template for each request, but that isn't really a big deal (just a bit different to the tonr sample). – Dave Syer Mar 05 '14 at 06:52
  • 1
    Is there a version/example that works with spring oauth release 2.0.5? – Felby Dec 29 '14 at 19:48
  • @DaveSyer please help me here: https://stackoverflow.com/questions/50595985/how-to-secure-a-mvc-application-with-oauth2-using-spring – Magno C Jun 03 '18 at 02:40