Reputation: 187
I am developing an app to access its own resources via REST endpoints.
Users are required to acquire an access token via email/password. After completing the Authentication server configuration, I had this observation:
With:
curl client:secret@localhost:9999/uaa/oauth/token -d grant_type=password -d username=user -d password=password
I am getting the correct response:
{"access_token":"7541a4f6-e841-41a0-8a54-abf8e0666ed1","token_type":"bearer","refresh_token":"d3fdd7e3-53eb-4e7b-aa45-b524a9e7b316","expires_in":43199,"scope":"openid"}
However With:
curl http://localhost:9999/uaa/oauth/token -d grant_type=password -d username=user -d password=password -d client_id=client -d client_secret=secret
I am getting the following error:
DEBUG 4123 --- [nio-9999-exec-7] o.s.s.w.a.ExceptionTranslationFilter : Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:83)
It looks like the client_id & client_secret are not being recognized when sent as parameters. Is this a configuration issue, or to do with the version of OAuth2 I am using (spring-security-oauth2, 2.0.5.RELEASE)?
A lot of examples I come across on the Internet suggest that approach one should work with OAuth2.
Thanks :)
Upvotes: 7
Views: 12591
Reputation: 2155
Yes, lots of examples show the client credentials being passed as form parameters, but it turns out that approach is not recommended, while passing the credentials using "Basic" authentication via the HTTP Authorization header is standard.
Section 2.3.1 of RFC 6749 says
The authorization server MUST support the HTTP Basic authentication scheme for authenticating clients that were issued a client password.
And further says
Alternatively, the authorization server MAY support including the client credentials in the request-body using the following parameters:
- client_id ...
- client_secret ...
Including the client credentials in the request-body using the two parameters is NOT RECOMMENDED and SHOULD be limited to clients unable to directly utilize the HTTP Basic authentication scheme (or other password-based HTTP authentication schemes).
In my experience, however, there are some servers that, in violation of the RFC, will not accept HTTP Basic authentication and will only accept form parameters in the body.
Upvotes: 1
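The two client-authentication methods quoted from section 2.3.1 above, worked through on both sides of the token request, as an added example that is not code from the question, from this answer, or from Spring. It assumes a constructed client registry (the "client"/"secret" pair from the question plus a second id containing reserved characters, to show why the RFC form-urlencodes the values inside the Basic header) and a hypothetical allow_body_credentials flag that models a server implementing only the MUST (HTTP Basic) and not the MAY (request-body parameters). It also shows the two error codes from section 5.2 that such a server should return: invalid_client when no usable credentials are presented or the secret is wrong, and invalid_request when a client uses both methods in one request, which section 2.3 forbids.

```python
import base64
import hmac
from urllib.parse import quote, unquote

# Constructed sample registrations (not from the original post): client_id -> client_secret.
# The second entry contains ':' and '/' to show why section 2.3.1 requires form-urlencoding
# of both values before they are joined for the Basic header.
REGISTERED_CLIENTS = {"client": "secret", "my:app": "s3cret/x"}


def basic_auth_header(client_id, client_secret):
    """RFC 6749 section 2.3.1 / Appendix B: form-urlencode client_id and client_secret,
    join them with ':', base64 the result and prefix it with 'Basic '."""
    userpass = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(userpass.encode("ascii")).decode("ascii")


def build_token_request(client_id, client_secret, username, password, in_body=False):
    """Client side. Returns (headers, form) for a resource-owner-password grant.
    in_body=False: credentials go in the Authorization header (the MUST-support method).
    in_body=True:  credentials go in the form body (the NOT RECOMMENDED method)."""
    form = {"grant_type": "password", "username": username, "password": password}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if in_body:
        form["client_id"] = client_id
        form["client_secret"] = client_secret
    else:
        headers["Authorization"] = basic_auth_header(client_id, client_secret)
    return headers, form


class ClientAuthError(Exception):
    """Carries the RFC 6749 section 5.2 error code the token endpoint should return."""

    def __init__(self, error):
        super().__init__(error)
        self.error = error


def _parse_basic(authorization):
    """Decode a Basic header back into (client_id, client_secret), undoing the
    section 2.3.1 encoding; anything malformed is treated as a failed authentication."""
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic":
        raise ClientAuthError("invalid_client")
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        raise ClientAuthError("invalid_client")
    user, sep, password = decoded.partition(":")
    if not sep:
        raise ClientAuthError("invalid_client")
    return unquote(user), unquote(password)


def authenticate_client(headers, form, allow_body_credentials=True):
    """Token-endpoint side. Returns the authenticated client_id or raises ClientAuthError.
    allow_body_credentials=False (hypothetical flag) models a server that implements only
    HTTP Basic, like the one described in the question."""
    header_creds = _parse_basic(headers["Authorization"]) if "Authorization" in headers else None
    body_creds = None
    if "client_id" in form and "client_secret" in form:
        body_creds = (form["client_id"], form["client_secret"])

    # Section 2.3: a client MUST NOT use more than one authentication method per request;
    # section 5.2 maps that case to invalid_request rather than invalid_client.
    if header_creds and body_creds:
        raise ClientAuthError("invalid_request")

    creds = header_creds if header_creds else (body_creds if allow_body_credentials else None)
    if creds is None:
        raise ClientAuthError("invalid_client")  # no usable credentials were presented

    client_id, presented = creds
    expected = REGISTERED_CLIENTS.get(client_id)
    # Always run the constant-time compare so an unknown id costs the same as a wrong secret.
    ok = hmac.compare_digest((expected or "").encode(), presented.encode())
    if expected is None or not ok:
        raise ClientAuthError("invalid_client")
    return client_id


def auth_outcome(headers, form, allow_body_credentials=True):
    """Convenience wrapper: the client_id on success, otherwise the error code string."""
    try:
        return authenticate_client(headers, form, allow_body_credentials)
    except ClientAuthError as e:
        return e.error


if __name__ == "__main__":
    for in_body in (False, True):
        h, f = build_token_request("client", "secret", "user", "password", in_body=in_body)
        print("credentials in body=%s  basic-only server: %s  body-allowed server: %s"
              % (in_body, auth_outcome(h, f, False), auth_outcome(h, f, True)))
```

The first curl in the question (client:secret@localhost:9999, or equivalently -u client:secret) produces exactly the Authorization header built by basic_auth_header, which is why it succeeds against a Basic-only server; the second curl produces the in_body=True form, which such a server never reads, so the request arrives with no client credentials at all and is treated as anonymous. One note from outside this page: in the spring-security-oauth2 Java config the form-parameter method is opt-in through AuthorizationServerSecurityConfigurer.allowFormAuthenticationForClients(); whether the 2.0.5.RELEASE used in the question already offers it is not something the page confirms.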
Reputation: 54078
There's no method of authenticating the Client against the Authorization Server that is mandatory to implement by spec. Two methods that have been specified that MAY be supported are the HTTP Basic Authentication pattern and the HTTP POST parameter pattern that you've used in your examples. Apparently Spring supports only the first, which seems to be supported by the docs at: http://projects.spring.io/spring-security-oauth/docs/oauth2.html
Upvotes: 4