2

I have a Spring Boot OAuth2 server working, but now we need to distinguish between different clients from different departments and provide different functionality depending on the department. I figure I can separate it by the client id. This guide shows how to set up the OAuth2 server with a single client id, but how do I set it up with multiple client ids?

https://spring.io/guides/tutorials/spring-boot-oauth2/#_social_login_authserver

And then, when an API request is made, how do I find out which client id it is?

Chloe
  • 25,162
  • 40
  • 190
  • 357

2 Answers

1

You can create multiple entries in the table oauth_client_details with different combinations of client_id and client_secret. The client_secret obviously will be encrypted.

Now, to generate the refresh and access token, hit the URL /oauth/token with Authorization: Basic base64-encoded,

where base64-encoded will be the Base64 encryption of client_id:client_secret. Remember, client_secret here should be the original plain password (without encryption).

The same thing can be achieved using Spring XML configuration (the older way) as:

    <oauth:client-details-service id="clientDetails"> <!-- enclosing element restored; the bean id is an assumed name -->
        <oauth:client client-id="mobile_ios"
            authorized-grant-types="password,refresh_token,implicit" secret="ios_s3cret"
            authorities="ROLE_CLIENT"
            refresh-token-validity="7776000"
            access-token-validity="300" />

        <oauth:client client-id="mobile_android"
            authorized-grant-types="password,refresh_token,implicit" secret="android_s3cret"
            authorities="ROLE_CLIENT"
            refresh-token-validity="7776000"
            access-token-validity="300" />

        <oauth:client client-id="web_app"
            authorized-grant-types="password,refresh_token,implicit" secret="web_s3cret"
            authorities="ROLE_CLIENT"
            refresh-token-validity="7776000"
            access-token-validity="30000" />
    </oauth:client-details-service>
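The same per-department clients in Java configuration, plus an endpoint that reads the client id out of the issued token, as an added example that is not code from the answer, the question or the Spring guide. It uses the legacy spring-security-oauth2 API the guide and comments refer to and assumes a PasswordEncoder bean is defined elsewhere; the /api/whoami endpoint and its client-to-department mapping are hypothetical.

```java
import java.util.Map;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.Authentication;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableAuthorizationServer
class DepartmentClientsConfig extends AuthorizationServerConfigurerAdapter {
    @Autowired
    private PasswordEncoder passwordEncoder; // assumed bean defined elsewhere (e.g. BCryptPasswordEncoder)
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        // One static client per department. Secrets are stored hashed; the client
        // still sends the plain secret in the Basic header when calling /oauth/token.
        clients.inMemory()
            .withClient("mobile_ios")
                .secret(passwordEncoder.encode("ios_s3cret"))
                .authorizedGrantTypes("password", "refresh_token")
                .scopes("read")
                .authorities("ROLE_CLIENT")
                .accessTokenValiditySeconds(300)
                .refreshTokenValiditySeconds(7776000)
            .and()
            .withClient("web_app")
                .secret(passwordEncoder.encode("web_s3cret"))
                .authorizedGrantTypes("password", "refresh_token")
                .scopes("read", "write")
                .authorities("ROLE_CLIENT")
                .accessTokenValiditySeconds(30000)
                .refreshTokenValiditySeconds(7776000);
    }
}

@RestController
class DepartmentController {
    // Hypothetical endpoint behind the resource server filter: branch on the client id
    // the token was issued to, never on a value the caller supplies in the request.
    @GetMapping("/api/whoami")
    public Map<String, String> whoami(Authentication authentication) {
        String clientId = ((OAuth2Authentication) authentication).getOAuth2Request().getClientId();
        String department = "web_app".equals(clientId) ? "web" : "mobile";
        return Map.of("client_id", clientId, "department", department);
    }
}
```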
-3

What you need is dynamic client registration as shown here:

https://www.baeldung.com/spring-security-oauth-dynamic-client-registration

senjin.hajrulahovic
  • 2,961
  • 2
  • 17
  • 32
  • I set up 2 static clients. Can I do that? `clients.jdbc(dataSource).withClient(applicationName)....and().withClient(applicationName+"-sales")` – Chloe Oct 02 '18 at 19:25
  • No, I am unable to do that. It requires `oauth_client_details` table and will attempt to insert two rows into the database, and the next time it runs, it will attempt to re-insert them, causing a duplicate key violation. Who knew it would insert client ids into the DB? I thought it would just store them (client id/secret) in memory, but store the tokens in the DB. And I inject `java.security.Principal` into the request signature and I then have the client id of the request. – Chloe Oct 04 '18 at 02:00
  • 2
    I can't understand why this is the accepted answer. – dryleaf Dec 03 '19 at 06:15