Menu
I am developing an app to access its own resources via Rest endpoints.
Users are required to acquire access token via email/password. After completed Authentication server configuration, I had this observation:
With:
curl client:secret@localhost:9999/uaa/oauth/token -d grant_type=password -d username=user -d password=password
I am getting the correct response:
{"access_token":"7541a4f6-e841-41a0-8a54-abf8e0666ed1","token_type":"bearer","refresh_token":"d3fdd7e3-53eb-4e7b-aa45-b524a9e7b316","expires_in":43199,"scope":"openid"}
However With:
curl http://localhost:9999/uaa/oauth/token -d grant_type=password -d username=user -d password=password -d client_id=client -d client_secret=secret
I am getting the following error:
DEBUG 4123 --- [nio-9999-exec-7] o.s.s.w.a.ExceptionTranslationFilter : Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:83)
It looks like the client_id & client_secret are not being recognized when send as parameters. Is this a configuration issue or to do with the version of OAuth2 I am using (spring-security-oauth2, 2.0.5.RELEASE)
A lot of example I come across on the Internet suggest approach one should work with OAuth2.
Thanks :)
544
OAuth 2.0 Password Grant. The Password grant type is used by first-party clients to exchange a user's credentials for an access token. Since this involves the client asking the user for their password, it should not be used by third party clients. In this flow, the user's username and password are exchanged directly for an access token.
You can use the OAuth 2.0 client credentials grant specified in RFC 6749, sometimes called two-legged OAuth, to access web-hosted resources by using the identity of an application. This type of grant is commonly used for server-to-server interactions that must run in the background, without immediate interaction with a user.
This flow provides no mechanism for things like multifactor authentication or delegated accounts, so is quite limiting in practice. The latest OAuth 2.0 Security Best Current Practice disallows the password grant entirely. What is the OAuth 2.0 Password Grant Type? (developer.okta.com)
This is exactly the thing OAuth was created to prevent in the first place, so you should never allow third-party apps to use this grant. A common use for this grant type is to enable password logins for your service’s own apps.
There's no method of authenticating the Client against the Authorization Server that is mandatory to implement by spec. Two methods that have been specified that MAY be supported are the HTTP Basic Authentication pattern and the HTTP POST parameter pattern that you've used in your examples. Apparently Spring supports only the first, which seems to be supported by the docs at: http://projects.spring.io/spring-security-oauth/docs/oauth2.html
118
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
