春季安全oauth2 client_credentials仅流

Question

I'm trying to use spring boot to create an oauth2 authorization that only supports the client credentials flow. As I understand that flow, the client accesses the /oauth/token endpoint directly. Is there a way to disable the /oauth/authorize endpoint in spring boot and allow direct access to /oauth/token without having to be fully authorized first?

@Configuration
@EnableAuthorizationServer
public class OAuth2Configuration extends AuthorizationServerConfigurerAdapter {

    @Autowired
    private AuthenticationManager authenticationManager;

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        // TODO: Is there something I can do here to disable /oauth/authorize?
        endpoints.authenticationManager(authenticationManager);
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        // client details configuration
    }

}

Answer 1

I can't speak to disabling the authorize endpoint but you're right that you can go directly to the token endpoint with the client credentials flow. I'm probably restating something you already know but the credentials for a "client" (client_id/client_secret) are different from the credentials of a "user" (username/password). A "user" goes to the authorize endpoint so that the client can then get tokens from the token endpoint. A "client" (in the client credentials flow) provides the client credentials to the token endpoint directly. Do you need to disable the authorize endpoint?

So, for client_credentials flow, you don't need to go to authorize first (you don't need to disable it). Here's how you'd curl your token if your spring-boot authorization server was on localhost:8080:

curl -H "Authorization: Basic d2VhcHA6" -X POST http://localhost:8080/oauth/token?grant_type=client_credentials

where d2VhcHA6 is the base64 encoding of your "client_id:client_secret"