I have an application that uses OAuth. Authentication consists of 2 steps: obtain an access token, then make requests using the access token that was issued.
Is it possible to configure Spring Security to grant access by supplying the client ID and client secret as request parameters, e.g. https://localhost.com/api/endpoint?client_id=xxxx&client_secret=yyyy?
The answer is simple, as always:
```java
import java.util.Arrays;

import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.provider.CompositeTokenGranter;
import org.springframework.security.oauth2.provider.TokenGranter;
import org.springframework.security.oauth2.provider.client.ClientCredentialsTokenGranter;
import org.springframework.security.oauth2.provider.password.ResourceOwnerPasswordTokenGranter;

// Inside the AuthorizationServerConfigurerAdapter subclass. The helper methods
// providerManager(), clientDetailsService(), defaultTokenServices(),
// defaultOAuth2RequestFactory() and authenticationProvider() are the
// configuration's own bean factory methods and are not shown here.
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
    endpoints
        // Try each granter in turn; the first one that supports the grant_type wins.
        .tokenGranter(new CompositeTokenGranter(
            Arrays.asList(resourceOwnerPasswordTokenGranter(), clientCredentialsTokenGranter())))
        .authenticationManager(providerManager())
        .clientDetailsService(clientDetailsService())
        .tokenServices(defaultTokenServices());
}

// grant_type=password: client credentials plus the resource owner's username/password
private TokenGranter resourceOwnerPasswordTokenGranter() {
    return new ResourceOwnerPasswordTokenGranter(
        new ProviderManager(Arrays.asList(authenticationProvider())),
        defaultTokenServices(),
        clientDetailsService(),
        defaultOAuth2RequestFactory());
}

// grant_type=client_credentials: client id and client secret only
private TokenGranter clientCredentialsTokenGranter() {
    return new ClientCredentialsTokenGranter(
        defaultTokenServices(),
        clientDetailsService(),
        defaultOAuth2RequestFactory());
}
```
I added a new CompositeTokenGranter with a list of 2 granters: ResourceOwnerPasswordTokenGranter (for authentication by clientId+clientPassword+username+password) and ClientCredentialsTokenGranter (for authentication by clientId+clientPassword).
EDIT
Looks like my question was incorrect. Sorry about this. I made those changes for the authorization server, so it works for /oauth/token only. I have no idea yet how to fix the problem in the question, but I will update this question when I find a solution.
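An added example, not part of the original post, showing the client side of the two-step flow the question describes against the `/oauth/token` endpoint that the `ClientCredentialsTokenGranter` above serves: Spring's `OAuth2RestTemplate` obtains the token with the client id and secret, then calls the resource with that token, so the secret never has to appear on a resource URL. The token URI, resource URI and credentials are placeholders.

```java
import org.springframework.security.oauth2.client.OAuth2RestTemplate;
import org.springframework.security.oauth2.client.token.grant.client.ClientCredentialsResourceDetails;
import org.springframework.security.oauth2.common.AuthenticationScheme;
import org.springframework.security.oauth2.common.OAuth2AccessToken;

public class ClientCredentialsCaller {

    // Placeholder values; substitute the real authorization server and client registration.
    private static final String TOKEN_URI = "https://localhost/oauth/token";
    private static final String RESOURCE_URI = "https://localhost/api/endpoint";

    public static OAuth2RestTemplate restTemplate(String clientId, String clientSecret) {
        // ClientCredentialsResourceDetails sets grant_type=client_credentials itself.
        ClientCredentialsResourceDetails details = new ClientCredentialsResourceDetails();
        details.setAccessTokenUri(TOKEN_URI);
        details.setClientId(clientId);
        details.setClientSecret(clientSecret);
        // Step 1: client_id/client_secret go to /oauth/token only, in the HTTP Basic
        // Authorization header rather than the query string, so they are not written
        // to URL-based access logs, proxies or browser history.
        details.setClientAuthenticationScheme(AuthenticationScheme.header);
        // Step 2: the resulting access token is sent to the resource as a Bearer header
        // (AuthenticationScheme.query would put it in ?access_token=... instead).
        details.setAuthenticationScheme(AuthenticationScheme.header);
        return new OAuth2RestTemplate(details);
    }

    public static String callResource(OAuth2RestTemplate template) {
        // On first use getForObject fetches and caches the access token, then attaches
        // it to the resource request; later calls reuse the token until it expires.
        return template.getForObject(RESOURCE_URI, String.class);
    }

    public static void main(String[] args) {
        OAuth2RestTemplate template = restTemplate("xxxx", "yyyy");
        String body = callResource(template);
        OAuth2AccessToken token = template.getAccessToken(); // token obtained in step 1
        System.out.println("token type: " + token.getTokenType() + ", body: " + body);
    }
}
```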