Spring Oauth2客户端和用户凭证组合

Question

I am developing an app secured with Spring Oauth2, password flow.

But I'm still confused about difference between UserDetailService and ClientDetailsService flows in Spring.

As I understand from OAuth2 specification, client and user are different entities. Client has clientId , clientSecret and some grants , and User has username , password and also some grants .

Multiple users use the same client (mobile app or web browser in my case).

So I need to authenticate some user and provide it with an access token.

I have implemented both UserDetailsService and ClientDetailsService (with all needed infrastructure: AuthorizationServerConfigurerAdapter and ResourceServerConfigurerAdapter) and during authentication I see, that username from request is passed as clientId into clientDetailsService and as username into userDetailsService.

But I thought it should be more complex process like for authentication request client should provide both client credentials and user credentials so then I can verify client (is it registered in my system) and its grants then verify user and its grants and then return an access token.

My questions:

1. Do I understand the process correctly?
2. Are client grants and user grants of the same meaning?
3. What classes should I customize to separate verification of client and user credentials?

Answer 1

Solution is stupid simple.

The client and the user are really different entities To obtain access token you need to complete basic authentication with Base64 encoded client credentials in header and username/password of the user in params .

Header pseudocode:

Basic Base64("client_id:client_secret")

Params:

username=username, password=password, grant_type=password

This will return you access_token, refresh_token and some extra info.