Spring security oauth2 : grant_type=password Authentication
Question
I am using Spring Oauth 2 to secure a web application and to implement a three Legged security system and when it comes to using a
grant_type=password
I've noticed that the URL used to get a token for a user is:
Method : POST + Basic-Authentication header for the client
http://host:port/api/oauth/token?grant_type=password&username=xxxxx&password=xxxx
And my question:
Is this approach secure enough since it shares user's credentials on the URL ,if it is not what are the alternatives or improvements?
Is adding an SSL certification to the host would be a solution to that ?
Thanks
1 answers
solution1
1 2015-11-25 11:22:39
Plaintext authentication over an encrypted medium is not uncommon - so unencrypted passwords over an encrypted connection.
However , I would not send credentials in the URL. It looks bad and the same user might bookmark that URL.
You can put the credentials in the HTTP Header instead, and as long as you're sending them over an encrypted connection its ok.
The other option you have is:
- Have the server create public and private keys for itself
- Send the public key with the authentication/login pag
- JavaScript encrypts the username and password with the public ke
- Send over HTTP or HTTPS (still I would put this in the Headers rather than URL)
- Server uses private key to decrypt and authenticate credentials
tl;dr
The easiest solution is, HTTPS and plaintext credentials in the HTTP Headers
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.