2
votes

I am currently trying to implement a web service (API) with OAuth2 authentication using Spring Security OAuth. As far as I understood, given a user, a client app and a server, the authentication process is as follows:

  1. User requests resource from server via client
  2. Client retrieves request token from server
  3. Server responds with a temporary request token and a redirect URL
  4. Client loads web page (redirect URL) and lets user enter credentials in order to authenticate the request token. The form inputs are sent to the server, input is unknown to client.
  5. Server replies with an authorization code, which is handed to the client
  6. Client uses authorization code to retrieve an access token (and, optionally, a refresh token if one was requested)
  7. User hands access token to client
  8. Client uses access token to retrieve requested resource

In Spring OAuth, there are three grant types to request an access token:

Authorization Code, which is the method I described above, refresh token, and user credentials. I don't know how retrieval by user credentials works, is it similar to retrieval via refresh token?


1 Answer

2
votes

A couple of statements you are making above are incorrect. Probably it's a good idea if you have another look into the OAuth2 spec: https://tools.ietf.org/html/rfc6749

To concentrate on your question, I will just refer to the last paragraph of it hereafter.

OAuth2 supports 4 grant types, namely 'Authorization Code', 'Implicit', 'Resource Owner Password Credentials' and 'Client Credentials'. The one you are referring to as 'user credentials' would be 'Resource Owner Password Credentials'. In this grant type you lose OAuth's benefit of not having to hand over resource owner (aka user) credentials to the client. However, it still has the benefit of not having to store the password on the client and send it with each resource request, since a token is used instead. The process flow is as follows:

  1. resource owner sends credentials to client
  2. client sends credentials to authorization server
  3. server returns access token (and optionally a refresh token)
  4. client uses access token in subsequent requests to resource server

So yes, you could say that the flow of the Resource Owner Password Credentials grant is similar to the flow when a client already has a valid refresh token (from whichever grant).
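The two exchanges the answer compares, side by side, as an added example (this is illustration code, not from the original post and not Spring Security OAuth's own implementation). It models the messages of RFC 6749 section 4.3 (password grant) and section 6 (refresh token) against a small in-memory token endpoint; the client id and secret, the user account, the scope and the `/oauth/token` and `/api/me` paths are all constructed for the example. Both grants hit the same endpoint with the same client authentication; only `grant_type` and the credential presented differ, and the resource server ever sees only the Bearer token, never the password.

```python
import base64
import secrets
from urllib.parse import parse_qs, urlencode

# Constructed authorization-server state (hypothetical ids and passwords).
CLIENTS = {"my-client": "my-secret"}          # client_id -> client_secret
USERS = {"alice": "correct horse battery"}    # resource owner -> password
_tokens = {}    # access_token -> (username, scope)
_refresh = {}   # refresh_token -> (client_id, username, scope)


def _eq(a, b):
    """Constant-time string comparison for secrets."""
    return secrets.compare_digest(a.encode(), b.encode())


def _issue(client_id, username, scope):
    """Mint a fresh access/refresh token pair (RFC 6749 section 5.1 response)."""
    access, refresh = secrets.token_urlsafe(24), secrets.token_urlsafe(24)
    _tokens[access] = (username, scope)
    _refresh[refresh] = (client_id, username, scope)
    return {"access_token": access, "token_type": "Bearer",
            "expires_in": 3600, "refresh_token": refresh, "scope": scope}


def _client_from_basic(headers):
    """Client authentication per RFC 6749 section 2.3.1 (HTTP Basic)."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        cid, _, secret = base64.b64decode(auth[6:]).decode().partition(":")
    except Exception:
        return None
    return cid if cid in CLIENTS and _eq(CLIENTS[cid], secret) else None


def token_endpoint(headers, body):
    """POST /oauth/token: returns (status, response dict)."""
    client_id = _client_from_basic(headers)
    if client_id is None:
        return 401, {"error": "invalid_client"}
    form = {k: v[0] for k, v in parse_qs(body).items()}
    grant = form.get("grant_type")
    if grant == "password":
        user, pw = form.get("username"), form.get("password", "")
        if user not in USERS or not _eq(USERS[user], pw):
            return 400, {"error": "invalid_grant"}
        return 200, _issue(client_id, user, form.get("scope", "read"))
    if grant == "refresh_token":
        # Rotate on use: a refresh token is accepted once, and only by the
        # client it was issued to.
        rec = _refresh.pop(form.get("refresh_token"), None)
        if rec is None or rec[0] != client_id:
            return 400, {"error": "invalid_grant"}
        return 200, _issue(client_id, rec[1], rec[2])
    return 400, {"error": "unsupported_grant_type"}


def resource_server(headers):
    """GET /api/me: accepts only a Bearer token (RFC 6750), never a password."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer ") or auth[7:] not in _tokens:
        return 401, {"error": "invalid_token"}
    username, scope = _tokens[auth[7:]]
    return 200, {"user": username, "scope": scope}


# Client side: what the answer's steps 1-4 look like on the wire.
def _client_headers(client_id, secret):
    cred = base64.b64encode(f"{client_id}:{secret}".encode()).decode()
    return {"Authorization": "Basic " + cred,
            "Content-Type": "application/x-www-form-urlencoded"}


def password_grant(client_id, secret, username, password, scope="read"):
    """Steps 1-3: the client forwards the resource owner's credentials once."""
    body = urlencode({"grant_type": "password", "username": username,
                      "password": password, "scope": scope})
    return token_endpoint(_client_headers(client_id, secret), body)


def refresh_grant(client_id, secret, refresh_token):
    """Same endpoint and client auth; only grant_type and the credential differ."""
    body = urlencode({"grant_type": "refresh_token", "refresh_token": refresh_token})
    return token_endpoint(_client_headers(client_id, secret), body)


def fetch_resource(access_token):
    """Step 4: subsequent requests carry the token, not the password."""
    return resource_server({"Authorization": "Bearer " + access_token})


if __name__ == "__main__":
    status, tok = password_grant("my-client", "my-secret", "alice", "correct horse battery")
    print(status, tok)
    print(fetch_resource(tok["access_token"]))
    print(refresh_grant("my-client", "my-secret", tok["refresh_token"]))
```

Running the block issues a token pair for `alice`, retrieves the resource with the access token, then trades the refresh token for a new pair; a second use of the same refresh token is rejected because the example rotates refresh tokens on use, which is a design choice of this example and not something RFC 6749 mandates.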