0

I have a Spring boot app that is using Spring Security and OAuth2

In my OAuth2Config class which extends AuthorizationServerConfigurerAdapter I have

@Override
public void configure(final ClientDetailsServiceConfigurer clients) throws Exception {
    clients.inMemory()
            .withClient("name")
            .secret(passwordEncoder.encode("password"))
            .scopes("read", "write")
            .authorizedGrantTypes("password", "refresh_token", "client_credentials")
            .accessTokenValiditySeconds(20000)
            .refreshTokenValiditySeconds(20000);

}

and in my SecurityConfig class which extends WebSecurityConfigurerAdapter I have

@Override
@Autowired
protected void configure(final AuthenticationManagerBuilder auth) throws Exception {
    auth.userDetailsService(userDetailsService)
            .passwordEncoder(encoder());
}

This means that I need to do Basic Auth with "name" and "password", as well as submit form data with "someUserInUserDatabase" and "someUserInUserDatabasePassword" to the /oauth/token endpoint in order to get a token back.

However, I would like just to submit the "someUserInUserDatabase" and "someUserInUserDatabasePassword", since I don't see a benefit of submitting the "name" and "password" in the login form my app uses, since everyone will need to know "name" and "password", which is universal to all users so it doesn't have any benefit.

Is this possible?

katiex7
  • 863
  • 12
  • 23
  • IMO the OAuth 2.0 spec enforces the client workflow (https://tools.ietf.org/html/rfc6749). You could put the client credentials in the request header, though that will be violating the protocol – Tuhin Kanti Sharma Oct 05 '18 at 16:59
  • See https://stackoverflow.com/a/47951986/5277820 and https://stackoverflow.com/a/43391526/5277820 – dur Oct 06 '18 at 09:39

0 Answers0