Reputation: 1686
I have two questions regarding spring-cloud-security with OAuth2:
How do I protected resources by a grant_type? I want to secure my REST API with client_credentials and then want to protected user specific resources by the password grant type. Is this even possible?
Accoording to this tutorial, the password grant type does not need a client secret, though spring cloud oauth2 always seems to require the client secret. How do I handle this? By setting a nonsense client secret like "abc" and just not care about it?
If I have a client app with @EnableOAuth2Sso I only get a redirect to the authorization Uri although I dont provide grant type "authorization code". Wouldn't it make more sense if I was redirected to the token Uri if I only provide the password grant type?
Thanks
Upvotes: 0
Views: 2324
Reputation: 58094
How do I protected resources by a grant_type? I want to secure my REST API with client_credentials
Use an OAuth2 access rule and specify that you want client only. E.g. use the #oauth2
expression variable and #oauth2.isClient()
(source code here).
the password grant type does not need a client secret
Wrong. You need to authenticate the client. If it doesn't have a password it's not very secure, but you can do that (use an empty password) if you want to.
If I have a client app with @EnableOAuth2Sso I only get a redirect to the authorization Uri although I dont provide grant type "authorization code". Wouldn't it make more sense if I was redirected to the token Uri if I only provide the password grant type?
No, the token endpoint is a back channel and it doesn't work like that (even supposing you allowed tokens to be granted from a GET, what would the user do with the response?). There is no protocol for external web applications to use a password grant (it's primarily for native apps). In a web application you should use the auth code.
Upvotes: 3