
I want to customise the OAuth endpoint URIs. I want to send the parameters in the POST body instead of as query params.

Now my request is like this:

example.com/oauth/token?grant_type=password&client_id={CLIENT_ID}&client_secret={CLIENT_SECRET}&username={USERNAME}&password={PASSWORD}

But I want it like this.

example.com/oauth/token

Request body -

{
    grant_type=password,
    client_id={CLIENT_ID},
    client_secret={CLIENT_SECRET},
    username={USERNAME},
    password={PASSWORD}
}

How should I do it?

Parag Pakhale
  • The whole point of OAuth is that the verbs and URL patterns are standardised... What is your usecase for using a POST instead of a GET? – Frederik Heremans Feb 13 '17 at 14:21
  • just for making it more secure. I don't want to expose my parameter values in url. – Parag Pakhale Feb 14 '17 at 06:29
  • You should always use HTTPS. **If not, both GET and POST parameters are sent in plain text** over the wire and neither are secure. I suggest using HTTPS and sticking with the standards. – Frederik Heremans Feb 14 '17 at 06:35
  • I know that. My concern is not about Request type. I don't want to expose my username, password and other parameters in URL. Hence I want OAuth to accept it as application/json body. – Parag Pakhale Feb 14 '17 at 06:39
  • OAuth doesn't work for `application/json`...http://stackoverflow.com/questions/39366281/spring-oauth2-0-missing-grant-type/39369071#39369071 – Prasanna Kumar H A Feb 14 '17 at 06:42
  • Possible duplicate of [Spring Oauth2.0 Missing grant type](http://stackoverflow.com/questions/39366281/spring-oauth2-0-missing-grant-type) – Prasanna Kumar H A Feb 14 '17 at 06:43

2 Answers


The token endpoint of a properly-implemented authorization server does NOT accept GET requests because RFC 6749, "3.2. Token Endpoint" says as follows:

The client MUST use the HTTP "POST" method when making access token requests.

So, your authorization server's token endpoint should reject GET requests.

RFC 6749, "4.3. Resource Owner Password Credentials Grant" says that request parameters of a token request using Resource Owner Password Credentials flow should be embedded in the request body in the format of "application/x-www-form-urlencoded". The following is an excerpt from "4.3.2. Access Token Request".

 POST /token HTTP/1.1
 Host: server.example.com
 Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
 Content-Type: application/x-www-form-urlencoded

 grant_type=password&username=johndoe&password=A3ddj3w

Therefore, you don't have to customize your authorization server. If the server is implemented correctly, its token endpoint accepts POST requests.

Takahiko Kawasaki


The token endpoint created by spring-oauth2 already deals with POST as well. It would be hard to customize it to accept a JSON request body, because the TokenEndpoint class expects all the params as @RequestParam params.

However, if your concern is about security (as HTTPS does not secure query parameters), you indeed can send the request parameters through POST. It is just a matter of sending the request in the form "form-data" or "x-www-form-urlencoded". These are 2 ways of sending arbitrary key-value parameters in the request body, in a way that appears to the server as if they were regular request parameters. So it is a matter of making your client use this.

Also, note that in spring-oauth2 it is possible to disable the GET endpoint, this way forcing your clients to use POST with one of the ways above.

jgslima
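Both answers make the same point: the token request already has a standard shape (RFC 6749 section 4.3.2), with the grant parameters in an `application/x-www-form-urlencoded` POST body and the client credentials in an HTTP Basic `Authorization` header, so nothing sensitive needs to appear in the URL. The following Python is an added example, not code from the question, the answers or spring-oauth2. The client side builds exactly the request shown in the RFC excerpt above; the server side is a model of the checks a token endpoint performs (refuse GET, require a form body, refuse credentials placed in the query string), not Spring's `TokenEndpoint`. The client id and secret are the values encoded in the RFC's `Authorization` header; the user name and password are the RFC's sample values, and `handle_token_request` does not verify them against any user store.

```python
"""Password-grant token request per RFC 6749 section 4.3.2.

Added example: client side builds the request, server side models the
validation a token endpoint performs. Not Spring's own implementation.
"""
import base64
from urllib.parse import parse_qs, urlencode, urlsplit

# Sample client credentials: these are the values that the RFC excerpt's
# "Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW" header decodes to.
CLIENT_ID = "s6BhdRkqt3"
CLIENT_SECRET = "gX1fBat3bV"

# Parameters that must never travel in the URL (logs, proxies, browser history).
SENSITIVE_PARAMS = {"password", "client_secret", "username", "refresh_token", "code"}


def build_token_request(token_url, username, password,
                        client_id=CLIENT_ID, client_secret=CLIENT_SECRET):
    """Return (method, url, headers, body) for a password-grant token request.

    Client credentials go in the Authorization header (HTTP Basic, as in the
    RFC example); grant parameters go in the form-encoded body. The URL itself
    carries nothing sensitive.
    """
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({"grant_type": "password",
                      "username": username,
                      "password": password})
    return "POST", token_url, headers, body


def handle_token_request(method, url, headers, body):
    """Model of a token endpoint's request validation; returns (status, payload).

    Mirrors the two answers: GET is refused, the body must be
    application/x-www-form-urlencoded, and parameters are read from the body
    only. A real server would additionally verify username/password against
    its user store before issuing a token; that step is out of scope here.
    """
    if method != "POST":
        return 405, {"error": "invalid_request",
                     "error_description": "token endpoint requires POST"}
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if ctype != "application/x-www-form-urlencoded":
        return 400, {"error": "invalid_request",
                     "error_description": "body must be form-encoded"}
    # Defensive: refuse outright if secrets were put in the query string,
    # rather than silently accepting a request that already leaked them.
    leaked = sorted(SENSITIVE_PARAMS & parse_qs(urlsplit(url).query).keys())
    if leaked:
        return 400, {"error": "invalid_request",
                     "error_description": f"credentials in query string: {leaked}"}
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if form.get("grant_type") != "password":
        return 400, {"error": "unsupported_grant_type"}
    for required in ("username", "password"):
        if not form.get(required):
            return 400, {"error": "invalid_request",
                         "error_description": f"missing {required}"}
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return 401, {"error": "invalid_client"}
    client_id, _, client_secret = base64.b64decode(auth[6:]).decode().partition(":")
    if (client_id, client_secret) != (CLIENT_ID, CLIENT_SECRET):
        return 401, {"error": "invalid_client"}
    return 200, {"token_type": "bearer", "granted_to": form["username"]}


if __name__ == "__main__":
    req = build_token_request("https://example.com/oauth/token", "johndoe", "A3ddj3w")
    print(req)                            # POST, clean URL, Basic header, form body
    print(handle_token_request(*req))     # (200, {...})
    # The original GET-with-query-string shape is refused before parsing.
    print(handle_token_request(
        "GET", "https://example.com/oauth/token?grant_type=password&username=johndoe&password=A3ddj3w",
        {}, ""))                          # (405, {...})
```

The client half is what "make your client use form-data or x-www-form-urlencoded" amounts to in practice; any HTTP library that takes a dict of form fields produces the same bytes. The query-string check on the server half is stricter than the RFC requires, but it turns an accidental leak into a visible 400 instead of a silently logged secret.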