使用OAuth2在Spring Security中进行用户授权

Question

I'm currently investigating OAuth2 with spring-security and spring boot. Although the concept of this protocol is quite clear to me the implementation details are not (spring does not provide many examples and tutorials to work with). Because of that I would be very grateful for answering my questions below:

1. What is purpose of "password" grant type? OAuth2 specs doesn't mention about it. Is it just Spring implementation of some kind "authorization shortcut"?
2. How does resource server handle access tokens (check if it is still valid, scope etc.)? Does I need to implement something or it is provided by Spring Security and ResourceServerConfig?
3. How RS will know which user (not client) has requested resources? Specific user resources are bound with ids, unique usernames and so on, does token have this kind of information? How to I retrieve it in order to use in resources controllers?

4. Authorization server (correct me if I'm wrong) is able to check if Client application has permission to requested resources or not. As I understand it shouldn't be aware of Users (Resources Owners). In situation where I authenticate via Google, Facebook or some other service user authentication is their case. What about application where OAuth2 and Resources Server are one application (I'm currently developing such one for test purposes), where I should put UserDetailsService? And how combine it in order to authorize client (js generated from app in this case) at first, then user (Resource owner) and generate token? Currenly I have implemented ClientDetailService and injected to configuration. Where should I inject UserDetailService?

    @Configuration @EnableAuthorizationServer public class OAuth2Config extends AuthorizationServerConfigurerAdapter { @Autowired private AuthenticationManager authenticationManager; @Autowired private MongoClientDetailsService cds; @Override public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception { endpoints.authenticationManager(authenticationManager); } @Override public void configure(ClientDetailsServiceConfigurer clients) throws Exception { clients.withClientDetails(cds); } } 

5. Are there some JS libraries that helps with authorization flow for custom applications like hello.js which supports (as far I as know) well known services?

Any help would be appreciated:)

Answer 1

That's a lot of questions; let me start by answering 3:

1. the grant_type with the value password is the official reserved value for the Resource Owner Password Credentials grant type as shown in the spec here: https://tools.ietf.org/html/rfc6749#section-4.3.2 so it is not Spring specific or custom

2. the RS can validate the token itself if it is self-contained and structured (eg a JWT) or else it will need to make a callback to the Authorization Server to validate it

3. the validation result from step 2. may include information about the user (or: Resource Owner) who granted access to the client