0
votes

I am working on an OAuth 2.0 Resource Server app, using spring-security-oauth2-2.0.10.RELEASE. I am able to secure a resource to a specific scope, but noticed when spring-security-oauth2 runs through the OAuth2AuthenticationProcessingFilter, it eventually executes OAuth2AuthenticationManager.checkClientDetails(). That method calls clientDetailsService.loadClientByClientId().

My question is, should I register a ClientDetailsService in a Resource Server? Based on the Spring OAuth developer guide, I thought the ClientDetailsService was only required for Authorization Server implementations.

Thanks!

1

1 Answer

3
votes

In OAuth2AuthenticationManager.checkClientDetails(), if the clientDetailsService is null, it just returns without doing anything. So it is OK to leave clientDetailsService null, as it is by default.

If it is not null, the authentication manager will check that the requested scopes are allowed by the client details returned from clientDetailsService.loadClientByClientId().

Spring provides InMemoryClientDetailsService and JdbcClientDetailsService. In my opinion, the first one can only be used when combining the auth server and resource server in the same site. The second needs a JDBC connection from the resource server to the database that the auth server uses to store the client details.

The best solution may be implementing a RemoteClientDetailsService to get client details from a customized auth server endpoint (like /oauth/check_client), as RemoteTokenServices does.
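The RemoteClientDetailsService sketched in the answer above, written out as an added example; this is not code from the answer or from spring-security-oauth2 itself. It assumes a hypothetical auth-server endpoint at `/oauth/check_client?client_id={clientId}` that returns a JSON object with `client_id`, `scope`, `resource_ids` and `authorized_grant_types` fields (the endpoint and its field names are assumptions, since the library ships no such endpoint). The service implements the library's real `ClientDetailsService` interface, so it can be plugged into `OAuth2AuthenticationManager.setClientDetailsService()`, after which `checkClientDetails()` will reject tokens whose scopes are not in the client's allowed scope set; the second class shows that wiring in a `ResourceServerConfigurerAdapter`.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Map;

import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.security.oauth2.provider.ClientDetailsService;
import org.springframework.security.oauth2.provider.ClientRegistrationException;
import org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationManager;
import org.springframework.security.oauth2.provider.client.BaseClientDetails;
import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.web.client.RestClientException;
import org.springframework.web.client.RestOperations;
import org.springframework.web.client.RestTemplate;

/**
 * Loads client details from a remote auth-server endpoint, in the same spirit
 * as RemoteTokenServices loads token details. The endpoint URL template is an
 * assumption: e.g. "https://auth.example.com/oauth/check_client?client_id={clientId}".
 */
public class RemoteClientDetailsService implements ClientDetailsService {

    private final RestOperations rest;
    private final String checkClientUrlTemplate;

    public RemoteClientDetailsService(String checkClientUrlTemplate) {
        this(new RestTemplate(), checkClientUrlTemplate);
    }

    public RemoteClientDetailsService(RestOperations rest, String checkClientUrlTemplate) {
        this.rest = rest;
        this.checkClientUrlTemplate = checkClientUrlTemplate;
    }

    @Override
    public ClientDetails loadClientByClientId(String clientId) throws ClientRegistrationException {
        Map<?, ?> body;
        try {
            // {clientId} in the template is expanded (and URL-encoded) by RestTemplate.
            body = rest.getForObject(checkClientUrlTemplate, Map.class, clientId);
        } catch (RestClientException e) {
            // Any transport or HTTP error becomes a ClientRegistrationException, which
            // OAuth2AuthenticationManager.checkClientDetails() turns into an access-denied error.
            throw new ClientRegistrationException("Could not load client " + clientId, e);
        }
        // Refuse to trust a response that does not echo the client id we asked for.
        if (body == null || !clientId.equals(body.get("client_id"))) {
            throw new ClientRegistrationException("Unknown client " + clientId);
        }
        BaseClientDetails details = new BaseClientDetails();
        details.setClientId(clientId);
        details.setScope(toCollection(body.get("scope")));
        details.setResourceIds(toCollection(body.get("resource_ids")));
        details.setAuthorizedGrantTypes(toCollection(body.get("authorized_grant_types")));
        return details;
    }

    /** Accepts either a JSON array or a space-separated string (both are common in OAuth JSON). */
    private static Collection<String> toCollection(Object value) {
        if (value == null) {
            return Collections.emptySet();
        }
        if (value instanceof Collection) {
            Collection<String> out = new ArrayList<String>();
            for (Object o : (Collection<?>) value) {
                out.add(String.valueOf(o));
            }
            return out;
        }
        String s = String.valueOf(value).trim();
        return s.isEmpty() ? Collections.<String>emptySet() : Arrays.asList(s.split("\\s+"));
    }
}

/** Wiring in the resource server: the manager now checks token scopes against the remote client. */
class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    private final ResourceServerTokenServices tokenServices; // e.g. a RemoteTokenServices bean

    ResourceServerConfig(ResourceServerTokenServices tokenServices) {
        this.tokenServices = tokenServices;
    }

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        OAuth2AuthenticationManager manager = new OAuth2AuthenticationManager();
        manager.setTokenServices(tokenServices);
        manager.setResourceId("my-resource"); // assumed resource id
        manager.setClientDetailsService(new RemoteClientDetailsService(
                "https://auth.example.com/oauth/check_client?client_id={clientId}")); // assumed URL
        resources.resourceId("my-resource").authenticationManager(manager);
    }
}
```

Because this adds one extra HTTP round trip to the auth server per request, a practitioner would normally wrap the service in a short-lived cache and make sure the check_client endpoint itself requires the resource server to authenticate (for instance with the same client credentials RemoteTokenServices uses), so that client metadata cannot be read anonymously.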