
We're developing a JavaScript web client that connects to our own REST server. We want users to log in to the web app using accounts on the REST server so that they can then be authorized to perform HTTP actions on resources according to their rights and roles.

The question is: when the user accesses a REST resource using the access token he received through the password grant, will Spring Security implicitly behave as if the user is logged in with his account for the duration of the request? That is, can I then protect my resources using @PreAuthorize annotations to apply authorization rules for the current principal?


1 Answer


So, the answer is yes. In the username-password flow / grant, the token given to the user logging in will be used to authenticate him against the REST layer. This can then be used to authorize him further inside the application, in addition to the security provided by OAuth protecting the resources.

Though it appears that, using the password grant, the logged-in user will only have the user roles and none of the client roles. Both the client and the user need to have the role required by OAuth for a resource.
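As an added example (not code from the question or the answer above), the following resource-server configuration shows the two layers the answer describes working together: the HTTP rules check the OAuth token (scope, and the client's own authorities via `#oauth2.clientHasRole`), while `@PreAuthorize` / `@PostAuthorize` on the controller evaluate against the principal behind the bearer token, which for the password grant is the resource owner. It assumes the legacy Spring Security OAuth2 stack (spring-security-oauth2 2.x, e.g. Spring Boot 2 with spring-security-oauth2-autoconfigure) and an authorization server that already issues tokens through the password grant; the class, path, scope and role names (`Document`, `/api/documents`, `read`/`write`, `ROLE_USER`, `ROLE_ADMIN`, `ROLE_TRUSTED_CLIENT`) are assumptions chosen for illustration.

```java
// Added example, not code from the original post. Assumes legacy Spring Security OAuth2
// (spring-security-oauth2 2.x, e.g. Spring Boot 2 + spring-security-oauth2-autoconfigure)
// and an authorization server that already issues bearer tokens via the password grant.
// Class, path, scope and role names below are assumptions for illustration.
package com.example.api;

import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.web.bind.annotation.DeleteMapping;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.PutMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableResourceServer
@EnableGlobalMethodSecurity(prePostEnabled = true) // enables @PreAuthorize / @PostAuthorize
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            // OAuth layer, evaluated on the token: scopes were granted to the client when the
            // token was issued; clientHasRole checks the client's authorities, which are not
            // part of the user's principal under the password grant.
            .antMatchers(HttpMethod.GET, "/api/**").access("#oauth2.hasScope('read')")
            .antMatchers(HttpMethod.PUT, "/api/**").access("#oauth2.hasScope('write')")
            .antMatchers(HttpMethod.DELETE, "/api/**")
                .access("#oauth2.hasScope('write') and #oauth2.clientHasRole('ROLE_TRUSTED_CLIENT')")
            .anyRequest().authenticated();
    }
}

// A resource with an owner, so that ownership can be checked per request (assumed type).
class Document {
    private final String id;
    private final String owner;
    private final String body;

    Document(String id, String owner, String body) {
        this.id = id;
        this.owner = owner;
        this.body = body;
    }

    public String getId() { return id; }
    public String getOwner() { return owner; }
    public String getBody() { return body; }
}

@RestController
@RequestMapping("/api/documents")
class DocumentController {
    private final Map<String, Document> store = new ConcurrentHashMap<>();

    // Application layer: with the password grant the Authentication behind the bearer
    // token is the resource owner, so hasRole() sees the user's roles and
    // authentication.name is the user's name, exactly as for a session-based login.
    @GetMapping("/{id}")
    @PreAuthorize("hasRole('USER')")
    @PostAuthorize("returnObject == null or returnObject.owner == authentication.name or hasRole('ADMIN')")
    public Document read(@PathVariable String id) {
        return store.get(id);
    }

    @PutMapping("/{id}")
    @PreAuthorize("hasRole('USER')")
    public Document write(@PathVariable String id, @RequestBody String body, Authentication auth) {
        Document existing = store.get(id);
        boolean admin = auth.getAuthorities().stream()
                .anyMatch(a -> "ROLE_ADMIN".equals(a.getAuthority()));
        // Deny overwriting another user's document unless the caller is an admin.
        if (existing != null && !existing.getOwner().equals(auth.getName()) && !admin) {
            throw new AccessDeniedException("not the owner of " + id);
        }
        String owner = existing == null ? auth.getName() : existing.getOwner();
        Document doc = new Document(id, owner, body);
        store.put(id, doc);
        return doc;
    }

    @DeleteMapping("/{id}")
    @PreAuthorize("hasRole('ADMIN')")
    public void delete(@PathVariable String id) {
        store.remove(id);
    }
}
```

With a token obtained through `grant_type=password`, a `GET /api/documents/42` carrying `Authorization: Bearer <token>` first has to pass the `read` scope rule, then `hasRole('USER')` and the ownership check are evaluated against the user who logged in, not against the client. A role the client must hold (here `ROLE_TRUSTED_CLIENT` for DELETE) is expressed in the HTTP rule with `#oauth2.clientHasRole`, since, as the answer notes, the client's roles are not among the authorities of the user principal that `@PreAuthorize` sees.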