RESTful服务上的自定义手动Oauth2身份验证

Question

I am developing some RESTful services for our mobile app using Spring Boot. I succesfully implemented Oauth2 authentication with our registration using username and password. Users can authenticate by using username and password. Also our client want to be authenticated with their custom token. They have a web service that you send token and response is true or false.

My first thought was, I can write a service like /custom-login and that service accepts custom token. In my service I can check this token with external service and if it is valid I call oauth2 authentication and return oauth2 authentication response.

How can I implement custom authentication oauth2 ?

Answer 1

OAuth2.0 spec allows for custom grant types,

So your auth server can create an custom grant type,

for eg: let's assume your wanted to authenticate with Google using Google access token, so you will create new grant_type called google_token

So now when your users wanted to authenticate using Google access token , they will pass like

grant_type=google_token&client_id=clientId&client_secret=secret&google_token=google-access-token

Then your auth server can verify the access token with Google and optionally verify client is issued to, etc and once verified , it can return your own access token

This applies for third party auth severs, so you can create number of custom grant types