Reputation: 13
Fetching user name & password to Verify in Grant type "password" using Spring security OAUTH2
I want to extract the username and password from the request so that I can cross verify with a database.
What I am Trying to achieve Extract info username=Test&password=Test@123 from the HTTP request and test it from DB rather than from the hard coded value in application.properties.
Currently I am able to achieve that for --user testClient:123456. please suggest a way to achieve for name and password as well.
Http Call :
curl -X POST --user testClient:123456 http://localhost:8090/oauth/token -H "accept: application/json" -H "content-type: application/x-www-form-urlencoded" -d "grant_type=password&username=Test&password=Test@123&scope=read_profile"
application.properties :
**security.user.name=Test
security.user.password=Test@123**
spring.datasource.url=jdbc:mysql://localhost/oauth
spring.datasource.username=root
spring.datasource.password=password
spring.datasource.driver-class-name=com.mysql.jdbc.Driver
spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.MySQL5Dialect
spring.jpa.properties.hibernate.hbm2ddl.auto=validate
Auth Server Class
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.approval.ApprovalStore;
import org.springframework.security.oauth2.provider.approval.JdbcApprovalStore;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JdbcTokenStore;
import javax.sql.DataSource;
@Configuration
@EnableAuthorizationServer
public class OAuth2AuthorizationServer extends
AuthorizationServerConfigurerAdapter {
private static final Logger logger = LoggerFactory.getLogger(OAuth2AuthorizationServer.class);
@Autowired
AuthenticationManager authenticationManager;
@Autowired
private DataSource dataSource;
@Bean
public TokenStore tokenStore() {
return new JdbcTokenStore(dataSource);
}
@Bean
public ApprovalStore approvalStore() {
return new JdbcApprovalStore(dataSource);
}
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints)
throws Exception {
endpoints
.approvalStore(approvalStore())
.tokenStore(tokenStore())
// important to add if want to add support the password
.authenticationManager(authenticationManager);
}
@Override
public void configure(ClientDetailsServiceConfigurer clients)
throws Exception {
clients.jdbc(dataSource);
}
@Override
public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
security.passwordEncoder(passwordEncoder());
}
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder(4);
}
}
Upvotes: 0
Views: 1052
Answers (1)
Reputation: 2634
You are using Spring's implemented endpoint /oauth/token to get a token. This endpoint is present in TokenEndpoint class.
@RequestMapping(
value = {"/oauth/token"},
method = {RequestMethod.POST}
)
public ResponseEntity<OAuth2AccessToken> postAccessToken(Principal principal, @RequestParam Map<String, String> parameters) throws HttpRequestMethodNotSupportedException {
if (!(principal instanceof Authentication)) {
throw new InsufficientAuthenticationException("There is no client authentication. Try adding an appropriate authentication filter.");
} else {
This endpoint takes principal object and a map. Client credentials that you pass as Basic Auth, goes as Principal and other parameters like grant_type, username, password, scope etc. goes as map in request parameter.
OAuth2RequestFactory takes these parameters and authenticated client information to create a token request. And, then TokenGranter takes this token request to grant a token.
These things happen behind the scene, so you dont have do explicitly extract user information for the request.
Upvotes: 1
Related Questions
- Spring boot Oauth2 grant_type password always return invalid_grant Bad Credentials
- How to verify password with Spring
- Spring Boot OAuth2: How to retrieve user token info details
- oAuth2 client with password grant in Spring Security
- How to get Spring Boot and OAuth2 example to use password grant credentials other than the default
- Spring Boot Security how to check/verify access token
- How to get an Authenticated User's Details in Spring Security OAuth2
- Spring security oauth2 : grant_type=password Authentication
- Spring Cloud OAuth2: Password grant type & resource security
- How to get authenticated user in spring-security-oauth