14

OAuth2ProtectedResourceFilter in org.springframework.security.oauth2.provider.filter:

Collection<String> resourceIds = auth.getClientAuthentication().getResourceIds();
if (resourceIds != null && !resourceIds.isEmpty() && !resourceIds.contains(resourceId)) {
    throw new InvalidTokenException("Invalid token does not contain resource id (" + resourceId + "): " + token);
}

I think it is not useful. What does this code check for?

TheLoneKing
user1110977

2 Answers

6

Based on what I've gathered, it is the id of the resource service.

It becomes more clear when you consider separating your OAuth token provider servlet and your resource servers for the purpose of API versioning. For example, say Client A (cA) has access to api1 and Client B (cB) has access to api2. You enforce this access by dictating in your resource server XML for api1 that its resource-id=api1, and then configure your client details for cA so that they have resourceIds="api1", and likewise for [cB, api2].

This lets us protect API access and keep its protection declaration separate from, say, our client roles declaration.

Steven Francolla
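The cA/api1 and cB/api2 setup described in the answer above, as an added example that is not part of the original post and is not Spring Security OAuth code. Only the `if` condition is taken from the snippet in the question; the class, the method names, the `cLegacy` client and the strict variant are hypothetical. It shows that the check scopes a token to a resource server, and that a client configured with no resourceIds passes that check on every resource server.

```java
import java.util.*;

// Added illustration in plain Java with no Spring dependency.
// All names here are hypothetical; the registry below is constructed sample data.
public class ResourceIdCheckDemo {

    // Client id -> resourceIds taken from that client's details.
    static final Map<String, Set<String>> CLIENT_RESOURCE_IDS = Map.of(
        "cA", Set.of("api1"),
        "cB", Set.of("api2"),
        "cLegacy", Set.<String>of()   // client registered without any resourceIds
    );

    // Same condition as the filter in the question: reject only when the
    // client's list is non-empty AND does not contain this server's resource id.
    static boolean accepts(String resourceId, Collection<String> resourceIds) {
        boolean reject = resourceIds != null
            && !resourceIds.isEmpty()
            && !resourceIds.contains(resourceId);
        return !reject;
    }

    // Stricter variant (an assumption for comparison, not Spring behaviour):
    // a missing or empty list grants nothing, so every client must be scoped.
    static boolean acceptsStrict(String resourceId, Collection<String> resourceIds) {
        return resourceIds != null && resourceIds.contains(resourceId);
    }

    public static void main(String[] args) {
        // Each resource server declares its own resource id (api1, api2).
        for (String server : List.of("api1", "api2")) {
            for (String client : new TreeSet<>(CLIENT_RESOURCE_IDS.keySet())) {
                Set<String> ids = CLIENT_RESOURCE_IDS.get(client);
                System.out.printf("server=%s client=%-7s filter=%-5b strict=%b%n",
                    server, client, accepts(server, ids), acceptsStrict(server, ids));
            }
        }
    }
}
```

When auditing client registrations, look for entries with an empty resourceIds list, since the condition in the question places no resource restriction on them.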
0

It looks like it checks whether a client is authorized to view a particular resource. Not sure how the token variable is involved; it looks like there is some more relevant code that you have not shown.

aj.esler