2

I use the standard configuration of Spring-Security, this is my pom.xml:

    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>1.5.8.RELEASE</version>
        <relativePath></relativePath>
    </parent>

<dependencies>
        <!-- Spring -->
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-tomcat</artifactId>
            <scope>provided</scope>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-data-jpa</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.security.oauth</groupId>
            <artifactId>spring-security-oauth2</artifactId>
        </dependency>
</dependencies>

I must change the standard token request:

Original token request:

@RequestMapping(value = "/oauth/token", method=RequestMethod.GET)
public ResponseEntity<OAuth2AccessToken> getAccessToken(Principal principal, @RequestParam Map<String, String> parameters) throws HttpRequestMethodNotSupportedException

Desiderate token request

@RequestMapping(value = "/oauth/login", method=RequestMethod.POST)
public ResponseEntity<OAuth2AccessToken> postAccessToken(Principal principal, @RequestBody UserLogin userLogin) throws HttpRequestMethodNotSupportedException

Is it possibile?

I extend TokenEndpoint like this but doesn't work:

public class CustomTokenEndpoint extends TokenEndpoint {

@RequestMapping(value = "/oauth/login", method=RequestMethod.POST)
public ResponseEntity<OAuth2AccessToken> postAccessToken(Principal principal, @RequestBody UserLogin userLogin) throws HttpRequestMethodNotSupportedException {
        return postAccessToken(principal, userLogin.getParameters());
    }
}
MrPallaBall
  • 31
  • 2
  • 7

1 Answers1

2

It will not work like this because your custom endpoint class will not be loaded in Spring filter chain. No need to extend TokenEndpoint. You can create a new endpoint and make it does things that an original endpoint /oauth/token do.

Following code should give you a head start. Refer to this code to get an idea what your new endpoint needs to do. This is similar as TokenEndpoint#postAccessToken(...).

@RequestMapping(value = "/oauth/login", method = RequestMethod.POST)
    public ResponseEntity<OAuth2AccessToken> postAccessToken(final Principal principal, @RequestBody final UserLogin userLogin) throws HttpRequestMethodNotSupportedException {
        if (!(principal instanceof Authentication)) {
            throw new InsufficientAuthenticationException("Client authentication information is missing.");
        }

        final Authentication client = (Authentication) principal;
        if (!client.isAuthenticated()) {
            throw new InsufficientAuthenticationException("The client is not authenticated.");
        }
        String clientId = client.getName();
        if (client instanceof OAuth2Authentication) {
            // Might be a client and user combined authentication
            clientId = ((OAuth2Authentication) client).getOAuth2Request().getClientId();
        }

        final ClientDetails authenticatedClient = clientDetailsService.loadClientByClientId(clientId);
        final TokenRequest tokenRequest = oAuth2RequestFactory.createTokenRequest(parameters, authenticatedClient);

        final Map<String, String> parameters = new HashMap<>();
        parameters.put("username", userLogin.getUsername());
        parameters.put("password", userLogin.getPassword());
        parameters.put("grant_type", userLogin.getGrantType());
        parameters.put("refresh_token", userLogin.getRefreshToken());
        parameters.put("scope", userLogin.getScope());

        if (StringUtils.isNotBlank(clientId)) {
            // Only validate the client details if a client authenticated during this request.
            if (!clientId.equals(tokenRequest.getClientId())) {
                // Double check to make sure that the client ID in the token request is the same as that in the authenticated client
                throw new InvalidClientException(String.format("Given client ID [%s] does not match the authenticated client", clientId));
            }
        }

        if (authenticatedClient != null) {
            oAuth2RequestValidator.validateScope(tokenRequest, authenticatedClient);
        }
        if (!hasText(tokenRequest.getGrantType())) {
            throw new InvalidRequestException("Missing grant type");
        }

        final OAuth2AccessToken token;

        if (isRefreshTokenRequest(parameters)) {
            // A refresh token has its own default scopes, so we should ignore any added by the factory here.
            tokenRequest.setScope(OAuth2Utils.parseParameterList(parameters.get(OAuth2Utils.SCOPE)));
            token = refreshTokenGranter.grant(tokenRequest.getGrantType().toLowerCase(), tokenRequest);
        } else {
            token = tokenGranter.grant(tokenRequest.getGrantType().toLowerCase(), tokenRequest);
        }

        if (Objects.isNull(token)) {
            throw new UnsupportedGrantTypeException("Unsupported grant type: " + tokenRequest.getGrantType());
        }

        return new ResponseEntity<>(token, HttpStatus.OK);
    }
Vijay Nandwana
  • 2,476
  • 4
  • 25
  • 42
  • There are ways to rename default oauth tokens as well. Please check out https://stackoverflow.com/questions/22222966/how-to-change-spring-security-oauth2-default-token-endpoint – Vijay Nandwana Jun 14 '18 at 03:51