Dimitri Kopriwa

Reputation: 14385

/oauth/** secured or not?

Should the endpoints /oauth/token and /oauth/authorize be accessible to anyone?

Currently I need a user to proceed with the authentication. I guess this is the login for my application and it should not care about who's calling it, am I right?

Upvotes: 0

Views: 45

Answers (1)

Hans Z.

Reputation: 54038

These endpoints themselves actually authenticate users and clients. It depends a bit on your use case, but in general they should therefore be accessible to anyone from anywhere.

If you want to be able to authenticate users from anywhere and you allow Clients on the world-wide internet (instead of on e.g. your corporate network) then access to these endpoints should not be restricted.

If you want to restrict yourself to a corporate network only (i.e. users can only authenticate from within the corporate network, and Clients can only request tokens if they are connected to the corporate network) then you can firewall those endpoints accordingly.

Upvotes: 2
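The two deployment choices from the answer above, as an added example that is not part of the original post: a framework-neutral sketch of the decision a token endpoint makes, where reaching the endpoint is never sufficient because the client still has to authenticate. The client registry, the corporate range and the function names are constructed assumptions, and only the /oauth/token side (client authentication over HTTP Basic) is modelled.

```python
import base64
import hmac
import ipaddress

# Constructed sample values (assumptions, not from the original post).
CLIENTS = {"demo-client": "demo-secret"}
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_basic(header):
    """Return (client_id, secret) from an HTTP Basic header, or None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    client_id, sep, secret = decoded.partition(":")
    return (client_id, secret) if sep else None


def token_endpoint_status(source_ip, auth_header, corporate_only=False):
    """HTTP status a token endpoint would return for this request."""
    # Optional network restriction: the "firewall those endpoints" case.
    if corporate_only:
        addr = ipaddress.ip_address(source_ip)
        if not any(addr in net for net in CORPORATE_NETS):
            return 403
    # The endpoint authenticates the client itself, so being able to
    # reach it does not by itself yield a token.
    creds = parse_basic(auth_header)
    if creds is None:
        return 401
    client_id, secret = creds
    expected = CLIENTS.get(client_id, "")
    # Constant-time comparison; unknown clients fail the same way.
    ok = hmac.compare_digest(secret.encode(), expected.encode())
    if not ok or client_id not in CLIENTS:
        return 401
    return 200
```

With `corporate_only=False` the endpoint is reachable from anywhere and every request is decided by the client credentials alone; with `corporate_only=True` the network check runs first and the credential check still applies to requests from inside the range.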
