Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Understanding OAuth2 Client credentials flow

I'm trying to understand and implement a client credentials flow between our new REST server and our existing client app. I've setup spring-security OAuth2 like this. From my understanding so far, my server should now support the following request:

$ curl -X -v -d 'client_id=the_client&client_secret=secret&grant_type=client_credentials' -X POST "http://localhost:9090/oauth/token"

but I get

InsufficientAuthenticationException: There is no client authentication

caused by the Principal being null here (spring-security code) :

@FrameworkEndpoint
@RequestMapping(value = "/oauth/token")
public class TokenEndpoint extends AbstractEndpoint {

    @RequestMapping
    public ResponseEntity<OAuth2AccessToken> getAccessToken(Principal principal,
            @RequestParam("grant_type") String grantType, @RequestParam Map<String, String> parameters) {

        if (!(principal instanceof Authentication)) {
            throw new InsufficientAuthenticationException(

So it seems, I need to authenticate against the server first. But that's not what I want to do. I want two of my servers to talk to each other using a shared secret. The OAuth provider server should provide an access token to the (trusted) client server on request so that the client server can then use that token to access all REST resources on the server. This should protect the REST resources from external access.

Later I want to provide selected resources to a third party and eventually implement some finer grained security for the server-to-server communication as well. But for now I need to protect the REST server from external access.

Looks like I might have some misunderstandings about the whole client credentials flow or the application of spring-security right there so any clarification would be greatly appreciated.

like image 602
Pete Avatar asked Jan 03 '13 13:01

Pete


People also ask

What is OAuth2 client credentials flow?

The OAuth 2.0 client credentials grant flow permits a web service (confidential client) to use its own credentials, instead of impersonating a user, to authenticate when calling another web service.

How do you send client credentials in the body?

Is there a way to send client credentials in request body for the token call in Next-Auth? You should send the server's clientId and clientSecret to the token endpoint. Not the credentials of the user who sent you the token. By client credentials what it means is client_id and client_secret .

How does client ID and client secret work?

At registration the client application is assigned a client ID and a client secret (password) by the authorization server. The client ID and secret is unique to the client application on that authorization server.


1 Answers

You are not authenticating your client to the Authorization server.

You need to do something like this:

curl --user the_client:secret --data "grant_type=client_credentials" http://localhost:9090/oauth/token

This is authenticating the client to the authorization server and then specifying grant_type and other parameters. This will return an access token of type 'bearer' with scope determined by the oauth client details. Once you have the token, you can access your protected resources by setting the Authorization header:

curl -H "Authorization: Bearer <accessToken>" <resourceUrl>
like image 118
kldavis4 Avatar answered Sep 17 '22 21:09

kldavis4