Reputation: 33
To get a refresh token, I am calling the service like this
Now the service will return a refresh token and a temporary access token, but the problem is that 'passing the username and especially the password over the network in the URL is unsafe', so I want to call /oauth/token and I need to pass the grant_type, client_id, username, password... details either in the request body or in the request headers... And to support this, which filter do I need to configure in security-servlet.xml?
I also want to pass the access_token in the request header to call the REST service, not in the URL like employee/list?accessToken=657gjgf3563285. How can I achieve this? What should my security-servlet.xml look like to support this? And finally, what should my request to /oauth/token look like?
Upvotes: 0
Views: 1151
Reputation: 593
There is support for Bearer tokens within spring oauth (see BearerTokenExtractor).
Also, if passing the username/password in the URL is considered unsafe for you, most likely putting it in the request body or headers will not be any more secure. To be more secure you'd need to encrypt the contents with PKI or use a secure transport method like HTTPS (the OAuth 2 spec says it's basically a requirement to have TLS).
Upvotes: 1
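As an added example (not part of the answer above and not Spring's own code), this is the request shape being asked about: the password grant sent as a form body per RFC 6749 section 4.3.2, and the access token sent as an `Authorization: Bearer` header per RFC 6750, with HTTPS enforced before anything is built. The host name, client id, secret and user credentials are constructed placeholders, and the helper names are hypothetical.

```python
import base64
from urllib.parse import parse_qs, urlencode, urlsplit
from urllib.request import Request

# Parameter names that must never appear in a URL (URLs end up in access logs,
# proxies, browser history and Referer headers).
SENSITIVE = {"access_token", "accesstoken", "refresh_token", "password", "client_secret"}

def require_safe_url(url):
    """Reject non-TLS endpoints and URLs that carry secrets in the query string."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("refusing to send credentials without TLS")
    leaked = SENSITIVE & {k.lower() for k in parse_qs(parts.query)}
    if leaked:
        raise ValueError("secret in query string: " + ", ".join(sorted(leaked)))
    return url

def build_token_request(token_url, client_id, client_secret, username, password):
    """POST /oauth/token with the grant parameters in the form-encoded body."""
    body = urlencode({
        "grant_type": "password",
        "username": username,
        "password": password,
    }).encode("ascii")
    # Client credentials go in HTTP Basic, not in the URL.
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode("ascii")
    return Request(require_safe_url(token_url), data=body, method="POST", headers={
        "Authorization": "Basic " + basic,
        "Content-Type": "application/x-www-form-urlencoded",
    })

def build_resource_request(resource_url, access_token):
    """Call a protected REST resource with the token in the Authorization header."""
    return Request(require_safe_url(resource_url), method="GET",
                   headers={"Authorization": "Bearer " + access_token})

if __name__ == "__main__":
    # Constructed values; nothing is sent over the network here.
    req = build_token_request("https://auth.example.test/oauth/token",
                              "demo-client", "demo-secret", "alice", "p@ss word")
    print(req.get_method(), req.get_full_url())
    print(req.data.decode())
```

Moving the parameters into the body keeps them out of URL logs, but as the answer says, only TLS protects them in transit.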