Spring security Oauth2 Resource Owner Password Credentials Grant

Question

Have just installed spring security oauth2 in my eclipse IDE. The service am trying to implement will be consumed by second party users through their installed applications hence i chose to use password grant type. As per my understanding of Oauth2 the following request should work for the demo sparklr2 service without the need of me encording the username and password parameters. i.e

POST http://localhost:8080/sparklr2/oauth/token?grant_type=password&client_id=my-trusted-client&scope=trust&username=marissa&password=koala

but i keep getting

<oauth>
<error_description>
Full authentication is required to access this resource
</error_description>
<error>unauthorized</error>
</oauth>

am i missing something in this request or do i need to enable something in the repo

Answer 1

It seems like Spring OAuth2 doesn't support the password grant type for a secret-less OAuth2 client. This might be as per the OAuth2 spec: https://www.rfc-editor.org/rfc/rfc6749#section-4.3.2, although the spec seems to indicate that the client authentication is not always required (that's not very clear to me).

That means that when calling the token endpoint using the password grant type, you need to pass in the client ID and secret (using basic auth), which also mean that you can't use the password grant if the client does not have a secret (you might still be able to use the implicit flow).

In sparklr2, my-trusted-client does not have a secret defined which is why your call fails.

If you want to see the password grant type in action you can try my-trusted-client-with-secret:

curl -u my-trusted-client-with-secret:somesecret "http://localhost:8080/sparklr2/oauth/token?grant_type=password&username=marissa&password=koala"

Answer 2

Although the question is a bit old, I would like to contribute with my findings around this.

It is true that for Spring OAuth you need to specify a client ID in order to access to the token endpoint, but it is not necessary to specify client Secret for password grant type.

Next lines are an example of an Authorization Server client for password grant type without any client Secret. Yout just need to add them in your class that extends AuthorizationServerConfigurerAdapter:

@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {    
        clients.inMemory()
            .withClient("clientId")
            .authorizedGrantTypes("password")
            .authorities("ROLE_CLIENT")
            .scopes("read");
    }
 }

Furthermore, it is indeed possible to avoid the HTTP Basic Authentication in the token endpoint and add our client_id as another request parameter in our POST call.

To achieve this, you just need to add these lines in the same class as before:

@Override
public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
    oauthServer.allowFormAuthenticationForClients();
}

Now we can call the token endpoint by this way, which seems more correct following the examples found in Stormpath webpage

POST http://localhost:8080/sparklr2/oauth/token?grant_type=password&client_id=clientId&scope=read&username=marissa&password=koala