
I'm securing my REST API using Spring OAuth 2. In there, I have a number of clients and under each client there are users, e.g. client A has users A1 and A2 and client B has users B1 and B2. But I can't find a way to define the relation between clients and users (A1 belongs to A, not to B, etc.). I'm using the in-memory user details service as below:

    // Global in-memory users; every user here is visible to every OAuth2 client
    public void globalUserDetails(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .withUser("bill").password("abc123").roles("ADMIN").and()
            .withUser("bob").password("abc123").roles("USER");
    }

and a custom client details service. Is there a way to define which users belong to which client?

Dilan Tharaka
  • afaik Spring Security knows nothing about OAuth 1/2 stuff. OAuth security module extends/overrides classes in Spring Security module - that's how it works. So, as a result of that, Spring Security doesn't know about clients/users as it defines OAuth standard. That's why you cannot define such a relation using Spring Security config. Investigate into Spring Security OAuth config. – Roman Proshin Dec 21 '17 at 07:57
  • I went through OAuth config articles. But it seems like there's no default implementation for this. As far as I understood, I have to write a custom configuration to AuthorizationServerEndpointConfigurer. Is that what I have to do? – Dilan Tharaka Dec 21 '17 at 10:35
  • Why do you want to do that? You don't need it for OAuth2. – dur Dec 22 '17 at 11:45

0 Answers
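One way to enforce the client-to-user binding the question asks for, as an added example that is not from the question or from Spring Security OAuth itself: replace `inMemoryAuthentication()` with a custom `UserDetailsService` that keeps an owning client id on each user record and refuses to resolve a user for any other client. The class name `ClientBoundUserDetailsService`, the `UserRecord` type and the A1/A2/B1/B2 sample data are constructed for this example. It assumes the "password" grant on `/oauth/token`, where the authorization server has already authenticated the client (HTTP Basic or form parameters) and that client `Authentication` is still in the `SecurityContext` when the user is looked up; under that assumption `Authentication.getName()` is the client id.

```java
import java.util.HashMap;
import java.util.Map;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

/**
 * Example (not part of the question): a UserDetailsService whose users are
 * bound to exactly one OAuth2 client. A user is only resolved when the client
 * that is currently authenticated on /oauth/token is the user's owning client.
 *
 * Assumption: during the password grant the client Authentication is already
 * in the SecurityContext before the resource owner's credentials are checked.
 */
public class ClientBoundUserDetailsService implements UserDetailsService {

    /** Constructed user record: owning client id, password (as stored), role. */
    private static final class UserRecord {
        final String clientId;
        final String password;
        final String role;

        UserRecord(String clientId, String password, String role) {
            this.clientId = clientId;
            this.password = password;
            this.role = role;
        }
    }

    private final Map<String, UserRecord> users = new HashMap<>();

    public ClientBoundUserDetailsService() {
        // Constructed sample data mirroring the question:
        // A1 and A2 belong to client "A", B1 and B2 belong to client "B".
        // Passwords are plain here only to match the question's snippet; store
        // them in whatever form the configured PasswordEncoder expects.
        users.put("A1", new UserRecord("A", "abc123", "ADMIN"));
        users.put("A2", new UserRecord("A", "abc123", "USER"));
        users.put("B1", new UserRecord("B", "abc123", "ADMIN"));
        users.put("B2", new UserRecord("B", "abc123", "USER"));
    }

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        UserRecord record = users.get(username);
        if (record == null) {
            throw new UsernameNotFoundException("Unknown user");
        }

        String requestingClient = currentClientId();
        if (requestingClient == null || !record.clientId.equals(requestingClient)) {
            // Same exception and message as the unknown-user case, so the token
            // response does not reveal which client a username belongs to.
            throw new UsernameNotFoundException("Unknown user");
        }

        return User.withUsername(username)
                .password(record.password)
                .roles(record.role)
                .build();
    }

    /** Client id of the already-authenticated OAuth2 client, or null if there is none. */
    static String currentClientId() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        return (auth != null && auth.isAuthenticated()) ? auth.getName() : null;
    }
}
```

To wire it in, register the service where the question currently calls `inMemoryAuthentication()`, i.e. `auth.userDetailsService(new ClientBoundUserDetailsService())` in `globalUserDetails`, so the `AuthenticationManager` that the password grant uses consults it; if refresh tokens are enabled, also pass the same instance to `endpoints.userDetailsService(...)` in the `AuthorizationServerEndpointsConfigurer`, because the refresh grant re-checks the user through that path. If the deployment uses a grant where no client is authenticated at user-lookup time, `currentClientId()` returns null and the lookup fails closed rather than silently allowing any client.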