
Spring Security OAuth2: disable client authentication on TokenEndpoint with grant_type "password"

My application uses a Spring Security OAuth2 configuration to manage authentication.

Currently, my request needs this information: grant_type, username, password, client_id and client_secret.

But I don't need the client authentication (client_id + client_secret) for my application. So how do I remove this authentication?

Here is my current configuration:

AuthorizationServerConfigurerAdapter:

@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {

    @Autowired
    private TokenStore tokenStore;

    @Autowired
    private UserApprovalHandler userApprovalHandler;

    @Autowired
    @Qualifier("authenticationManagerBean")
    private AuthenticationManager authenticationManager;

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        // Single in-memory client; note that no secret is configured for it.
        clients.inMemory()
            .withClient("khk")
            .autoApprove(true)
            .authorizedGrantTypes("refresh_token", "password")
            .authorities("ROLE_CLIENT", "ROLE_TRUSTED_CLIENT")
            .scopes("openid")
            //.secret("changeme")
            .accessTokenValiditySeconds(30000)
            .refreshTokenValiditySeconds(60000);
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        // The token endpoint is exposed at /connect instead of /oauth/token.
        endpoints.tokenStore(tokenStore)
            .userApprovalHandler(userApprovalHandler)
            .authenticationManager(authenticationManager)
            .pathMapping("/oauth/token", "/connect")
            .accessTokenConverter(accessTokenConverter());
    }

    public AccessTokenConverter accessTokenConverter() {
        return new DefaultAccessTokenConverter();
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
        // Nothing configured here: defaults apply to the token endpoint security.
    }
}

WebSecurityConfigurerAdapter:

@Configuration
@EnableWebSecurity
public class OAuth2SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Autowired
    private ClientDetailsService clientDetailsService;

    @Autowired
    private DataSource dataSource;

    @Autowired
    public void globalUserDetails(AuthenticationManagerBuilder auth) throws Exception {
        // Resource owners (users) are authenticated against the t_user table.
        auth.jdbcAuthentication().dataSource(dataSource)
            .usersByUsernameQuery("select us_pseudo, us_passwd, us_enabled from t_user where us_pseudo=?")
            .authoritiesByUsernameQuery("select us.us_pseudo, gr.name from t_user us, t_group gr, r_groupuser gu where us.us_id = gu.groupuser_user_id and gr.gp_id = gu.groupuser_group_id and us.us_pseudo = ?");
            //.groupAuthoritiesByUsername("TO DO FOR RIGHTS");
    }

    @Override
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Bean
    public TokenStore tokenStore() {
        return new InMemoryTokenStore();
    }

    @Bean
    @Autowired
    public TokenStoreUserApprovalHandler userApprovalHandler(TokenStore tokenStore) {
        TokenStoreUserApprovalHandler handler = new TokenStoreUserApprovalHandler();
        handler.setTokenStore(tokenStore);
        handler.setRequestFactory(new DefaultOAuth2RequestFactory(clientDetailsService));
        handler.setClientDetailsService(clientDetailsService);
        return handler;
    }

    @Bean
    @Autowired
    public ApprovalStore approvalStore(TokenStore tokenStore) throws Exception {
        TokenApprovalStore store = new TokenApprovalStore();
        store.setTokenStore(tokenStore);
        return store;
    }
}

ResourceServerConfigurerAdapter:

@Configuration
@EnableResourceServer
public class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {

    private static final String RESOURCE_ID = "SPRING_REST_API";

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        resources.resourceId(RESOURCE_ID).stateless(false);
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers(HttpMethod.POST, "/connect").permitAll()
                .anyRequest().permitAll()
                .and()
            .exceptionHandling().accessDeniedHandler(new OAuth2AccessDeniedHandler());
    }
}

The short answer is: you need that information to use OAuth2. It's not optional information that you can just remove and get everything working.

Remember that the purpose of the client_id and the client_secret is to authorize your client app itself. Depending on the grant type you are using, your client app will need just the client_id or both.

If you want just the client_id you could choose between the Authorization Code or the Implicit grant type. But first I would recommend reading this article to understand the different grant types and determine which one best suits your case.
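To make the answer's point concrete, here is an added example (not code from the question or from Spring Security OAuth2) that models what a token endpoint does with client_id and client_secret for the password grant. The client registration mirrors the fields the question configures through `clients.inMemory().withClient("khk")`; the client secret `changeme`, the second client `webapp`, and the user `alice` are constructed for the example. The model shows that client authentication is a separate step from user authentication: the server first identifies and authenticates the application, then uses the registration it found to decide which grant types, scopes and token lifetimes that application is allowed, and only then checks the user's password. Dropping client_id would leave the server with nothing to look up.

```python
from __future__ import annotations

import base64
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs


@dataclass(frozen=True)
class ClientDetails:
    """One registered client, with the fields the question sets via withClient(...)."""
    client_id: str
    secret: Optional[str]   # None models the question's commented-out .secret("changeme")
    grant_types: frozenset
    scopes: frozenset
    access_token_validity: int


# Constructed registrations: the question's "khk" client (here given a secret) and a
# secret-less "webapp" client that is only allowed the authorization_code grant.
CLIENTS = {
    "khk": ClientDetails("khk", "changeme", frozenset({"password", "refresh_token"}),
                         frozenset({"openid"}), 30000),
    "webapp": ClientDetails("webapp", None, frozenset({"authorization_code"}),
                            frozenset({"openid"}), 3600),
}
# Constructed resource-owner credentials (stands in for the jdbcAuthentication lookup).
USERS = {"alice": "alice-pw"}


class TokenError(Exception):
    """An RFC 6749 error response: .error is the error code, .status the HTTP status."""
    def __init__(self, error: str, status: int = 400) -> None:
        super().__init__(error)
        self.error, self.status = error, status


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """What the client sends: HTTP Basic with client_id:client_secret (RFC 6749 2.3.1)."""
    return "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()


def authenticate_client(headers: dict, form: dict) -> ClientDetails:
    """Step 1: identify and authenticate the client application. This is what
    client_id/client_secret are for, and it runs before grant_type or the user
    credentials are even looked at."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            client_id, _, secret = base64.b64decode(auth[6:]).decode().partition(":")
        except ValueError:
            raise TokenError("invalid_client", 401)
    elif "client_id" in form:
        # Credentials in the form body (Spring: allowFormAuthenticationForClients()).
        client_id = form["client_id"][0]
        secret = form.get("client_secret", [""])[0]
    else:
        raise TokenError("invalid_client", 401)

    client = CLIENTS.get(client_id)
    if client is None:
        raise TokenError("invalid_client", 401)
    # Constant-time compare; a client registered without a secret presents an empty one.
    expected = client.secret or ""
    if not hmac.compare_digest(expected.encode(), secret.encode()):
        raise TokenError("invalid_client", 401)
    return client


def token_endpoint(headers: dict, body: str) -> dict:
    """Minimal model of POST /oauth/token for grant_type=password."""
    form = parse_qs(body)
    client = authenticate_client(headers, form)         # which app is asking?

    grant_type = form.get("grant_type", [""])[0]
    if grant_type not in client.grant_types:            # authorizedGrantTypes(...)
        raise TokenError("unauthorized_client")
    if grant_type != "password":
        raise TokenError("unsupported_grant_type")

    username = form.get("username", [""])[0]            # which user is being granted?
    password = form.get("password", [""])[0]
    stored = USERS.get(username)
    if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
        raise TokenError("invalid_grant")

    requested = form.get("scope", [" ".join(sorted(client.scopes))])[0].split()
    if not set(requested) <= client.scopes:             # scopes(...)
        raise TokenError("invalid_scope")

    return {
        "access_token": secrets.token_urlsafe(32),
        "token_type": "bearer",
        "expires_in": client.access_token_validity,     # accessTokenValiditySeconds(...)
        "scope": " ".join(requested),
    }


def try_token_request(headers: dict, body: str) -> dict:
    """Run one request and return either the token response or the error response."""
    try:
        return token_endpoint(headers, body)
    except TokenError as e:
        return {"error": e.error, "status": e.status}


if __name__ == "__main__":
    hdrs = {"Authorization": basic_auth_header("khk", "changeme")}
    print(try_token_request(hdrs, "grant_type=password&username=alice&password=alice-pw"))
    print(try_token_request({}, "grant_type=password&username=alice&password=alice-pw"))
```

The `webapp` registration shows the answer's second point: a client can be registered without a secret, but it still has to send its client_id, because that is the key under which its permitted grant types and scopes are stored, and a password-grant request from it is rejected as `unauthorized_client` rather than accepted.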

© 2020-2024 STACKOOM.COM