1
votes

I am working on a Spring REST project and using OAuth 2.0 to protect these APIs from unauthorised access.

Frontend: Angular.js. Backend: Spring REST + Spring Security + OAuth2.

Everything was working fine:

1) I got a token from the backend using OAuth with the following URI:

..../oauth/token?grant_type=password&client_id=angularapp&client_secret=angularapp&[email protected]&password=user5@123

2) I got a token from the backend and used that token to access the APIs.

Now my problem is that, once I hit the backend with /oauth/token?grant_type=password&client_id=angularapp&client_secret=angularapp&[email protected]&password=user5@123

this URI is all there in the page's Angular.js files; anyone can see it with "view page source".

Please suggest a way to hide these credentials at the JS level, some encryption or any other implementation at the backend if necessary.

Am I implementing it wrong? Please suggest the right path.

Thanks

1 Answer

0
votes

The answer lies in JWT tokens. Don't use URL encoding. In this situation, your Auth0 server and API server both share a secret encryption key. There are plenty of JWT frameworks you can use to avoid boilerplate coding, for instance: https://github.com/auth0/java-jwt
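The shared-secret JWT scheme the answer refers to, as an added example that is not code from the question's project or from the java-jwt library: the token-issuing server signs an HS256 JWT with a key that only it and the API server hold, and the API server verifies that signature, the pinned algorithm and the expiry on every request. The secret, subject name "user5" and time values are hypothetical. Two points worth seeing in code: the key is a signing (HMAC) key, not an encryption key, so the claims inside the token are readable by anyone who holds it, and a forged or edited token fails verification without the secret. This protects the API server's trust in the token; it does not hide a client_secret shipped to the browser, because an in-browser client is a public client and cannot keep a secret in the first place.

```python
import base64
import hashlib
import hmac
import json
import time

# Hypothetical shared secret: in the scheme described in the answer, the
# token-issuing server and the API (resource) server both hold this value.
# It must never be shipped to the browser.
SHARED_SECRET = b"replace-with-a-long-random-secret-kept-on-the-servers-only"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, secret: bytes, ttl_seconds: int = 300, now=None) -> str:
    """Issue a compact HS256 JWT (header.claims.signature).

    Header and claims are only base64url-encoded, not encrypted: anyone holding
    the token can read them. What they cannot do is change them and re-sign."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": subject, "iat": now, "exp": now + ttl_seconds}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token: str, secret: bytes, now=None) -> dict:
    """Verify algorithm, signature and expiry; return the claims or raise ValueError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm on the verifier side; never let the token choose it
    # (blocks alg=none and key-confusion tricks).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{claims_b64}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison so signature checks do not leak timing.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def authorize_request(headers: dict, secret: bytes, now=None) -> tuple:
    """What the API server does per request: 401 unless a valid Bearer token is present.
    Returns (status_code, detail) where detail is the subject on success."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, "missing bearer token"
    try:
        claims = verify_token(auth[len("Bearer "):], secret, now=now)
    except ValueError as exc:
        return 401, str(exc)
    return 200, claims["sub"]


def tamper_subject(token: str, new_subject: str) -> str:
    """An attacker can read and edit the claims, but cannot re-sign without the secret."""
    header_b64, claims_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(claims_b64))
    claims["sub"] = new_subject
    forged_claims = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return header_b64 + "." + forged_claims + "." + sig_b64


if __name__ == "__main__":
    token = issue_token("user5", SHARED_SECRET)  # hypothetical subject
    print("issued:", token)
    print("valid request:", authorize_request({"Authorization": "Bearer " + token}, SHARED_SECRET))
    forged = tamper_subject(token, "admin")
    print("forged request:", authorize_request({"Authorization": "Bearer " + forged}, SHARED_SECRET))
```

The verifier rejects four things in turn: a token signed under a different secret, a token whose claims were edited after signing, a token whose header names another algorithm, and a token past its `exp`. Keep the TTL short, since a bearer token that leaks is usable by whoever holds it until it expires.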