How to bypass access confirmation step in Spring security OAuth2 if user has previously authorized access?

Question

I am currently trying to bypass the approval/denial step of the access authorization process in Spring Security OAuth2 since a previously authorized access (for a specific client_id and user_id) should be memoized and allow the OAuth-app to be redirected to the client-app without the user being asked each time for his approval.

    <version.spring-security>3.2.0.RELEASE</version.spring-security>
    <version.spring-security-oauth>1.0.5.RELEASE</version.spring-security-oauth>

So I have an AccessConfirmationController which has the mapping for the /oauth/confirm_access endpoint :

    @RequestMapping("/oauth/confirm_access")
    public ModelAndView getAccessConfirmation(@ModelAttribute final AuthorizationRequest clientAuth)
    {
        final ClientDetails client = this.clientDetailsService.loadClientByClientId(clientAuth.getClientId());
        final TreeMap<String, Object> model = Maps.newTreeMap();
        model.put("auth_request", clientAuth);
        model.put("client", client);
        return new ModelAndView("access_confirmation", model);
    }

very classic way of handling access confirmation.

Now I know that I have to check (somewhere in this method) whether the currently authenticated user (Principal) has previously approved the access and if so, we should just retrieve the user associated token and maybe just send him the token via the redirect_uri.

There is an internal endpoint in Spring Security which allows token retrieval :

    @FrameworkEndpoint
    @RequestMapping(value = "/oauth/token")
    public class TokenEndpoint extends AbstractEndpoint {

        @RequestMapping
        public ResponseEntity<OAuth2AccessToken> getAccessToken(Principal principal,
                @RequestParam(value = "grant_type", required = false) String grantType,
                @RequestParam Map<String, String> parameters) {
       // the logic here
        }
    }

How can I call this framework endpoint from within my controller ? and is it even the best way (~best practice?) to do it ?

thanks in advance,

Answer 1

You just need set autoAprove=true in your config

@Configuration
@EnableAuthorizationServer
public class OAuth2Config extends AuthorizationServerConfigurerAdapter {
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
                .withClient("my-client")
                        .secret("secret")
                        .authorizedGrantTypes("authorization_code")
                        .autoApprove(true)
                .scopes("scope");
    }
}

Answer 2

maybe just send him the token via the redirect_uri.

You can't do that with the standard grant types, but I'm not sure you need to. All you need is to check if the user already approved the grant and send the client what it asked for (i.e. an authorization code). Then the normal grant proceeds but without the approval step.

In version 2.0 of Spring OAuth there is an ApprovalStore that you can explicitly use for this kind of behaviour, and a couple of implementations that should make it easy to get it working out of the box. In older versions (which you seem to be using even though it is very old now) you would have to add some customizations via a UserApprovalHandler and possibly also an AuthorizationRequestManager.