Reputation: 4029
Spring OAuth2 determine if principal is oauth2_client or basic user
I have an ResourceServer app (@EnableResourceServer) connected to an AuthorizationServer (@EnableAuthorizationServer).
I want to support two grant types:
- Authorization code
- Client credentials
Both are working correctly, but how can I differentiate if Principal is basic user (using authorization code flow) or client (using client credentials)?
If is not directly possible do you think I should create a specific role/authority or scope (which is better?) to determine when Principal is a client?
Upvotes: 2
Views: 805
Answers (1)
Reputation: 743
Once you've authenticated, you should have an instance of org.springframework.security.oauth2.provider.OAuth2Authentication set in the SecurityContext which contains details of both the authenticated user and the client they are using.
This has an isClientOnly() method which will return true if the client credentials grant is used. You can also check this in the @PreAuthorize tags if you've enables the OAuth2 expressions:
@PreAuthorize("#oauth2.isClient")
Upvotes: 1
Related Questions
- What is difference between CrudRepository and JpaRepository interfaces in Spring Data JPA?
- What's the difference between @Component, @Repository & @Service annotations in Spring?
- Spring boot Oauth security - User(custom info) info in the principal in Client Credentials grant type
- Spring Security 5 OAuth2 client password grant type
- Integrate Spring Security OAuth2 and Spring Social
- Oauth2 Client Credentials Flow + Spring Boot2 throwing There is no PasswordEncoder mapped > for the for the id "null" error
- Real Time examples for Oauth2 Grant Types and Good document, example for Oauth2 with Spring MVC
- Spring Security/OAuth: mapping between Principal's authority and role in @RolesAllowed
- Spring security oauth2 - getting custom data from OAuth2 principal