Spring Cloud OAuth2: Password grant type & resource security

0
votes

I have two questions regarding spring-cloud-security with OAuth2:

  1. How do I protected resources by a grant_type? I want to secure my REST API with client_credentials and then want to protected user specific resources by the password grant type. Is this even possible?

  2. Accoording to this tutorial, the password grant type does not need a client secret, though spring cloud oauth2 always seems to require the client secret. How do I handle this? By setting a nonsense client secret like "abc" and just not care about it?

  3. If I have a client app with @EnableOAuth2Sso I only get a redirect to the authorization Uri although I dont provide grant type "authorization code". Wouldn't it make more sense if I was redirected to the token Uri if I only provide the password grant type?

Thanks

1
oauth-2.0single-sign-onspring-security-oauth2spring-cloud

1 Answers

3
votes

How do I protected resources by a grant_type? I want to secure my REST API with client_credentials

Use an OAuth2 access rule and specify that you want client only. E.g. use the #oauth2 expression variable and #oauth2.isClient() (source code here).

the password grant type does not need a client secret

Wrong. You need to authenticate the client. If it doesn't have a password it's not very secure, but you can do that (use an empty password) if you want to.

If I have a client app with @EnableOAuth2Sso I only get a redirect to the authorization Uri although I dont provide grant type "authorization code". Wouldn't it make more sense if I was redirected to the token Uri if I only provide the password grant type?

No, the token endpoint is a back channel and it doesn't work like that (even supposing you allowed tokens to be granted from a GET, what would the user do with the response?). There is no protocol for external web applications to use a password grant (it's primarily for native apps). In a web application you should use the auth code.