1

我有一个使用 OAuth 的应用程序。身份验证包含 2 个步骤:获取访问令牌,使用提供的访问令牌发出请求。

是否可以配置 Spring Security 以通过提供的客户端 ID 和客户端密码作为请求参数提供访问,例如https://localhost.com/api/endpoint?client_id=xxxx&client_secret=yyyy

4

1 回答 1

0

The answer is simple as always:

@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
    endpoints
            .tokenGranter(new CompositeTokenGranter(
                            Arrays.asList(resourceOwnerPasswordTokenGranter(), clientCredentialsTokenGranter())))
            .authenticationManager(providerManager())
            .clientDetailsService(clientDetailsService())
            .tokenServices(defaultTokenServices());
}

private TokenGranter resourceOwnerPasswordTokenGranter() {
    return new ResourceOwnerPasswordTokenGranter(
            new ProviderManager(Arrays.asList(authenticationProvider())),
            defaultTokenServices(),
            clientDetailsService(),
            defaultOAuth2RequestFactory());
}

private TokenGranter clientCredentialsTokenGranter() {
     return new ClientCredentialsTokenGranter(
             defaultTokenServices(),
             clientDetailsService(),
             defaultOAuth2RequestFactory());
}

I added new CompositeTokenGranter with list of 2 granters: ResourceOwnerPassswordTokenGranter (for authentication by clientId+clientPassword+username+password) and ClientCredentialsTokenGranter (for authentication by clientId+clientPassword).

EDIT

Looks like my question was incorrect. Sorry about this. I made that changes for authorization server. So it works for /oauth/token only. How to fix question problem I have no idea for now but I will update this question when found solution.

于 2014-11-11T21:17:14.703 回答