发表新帖
发表新帖

Is it possible to get an access_token from Spring OAuth2 server without client secret?

后端 未结
关注
4 1074
不思量自难忘°
不思量自难忘° 2020-12-16 06:57

I am using Spring Security\'s OAuth2 server implementation. I am trying to get the access_token from the servers\' /oauth/token endpoint using the OAuth2 \"Pass

相关标签:
4条回答
  • 不思量自难忘°
    2020-12-16 07:05

    According to the specification (RFC 6749), if the client type of your application is public, a client secret is not required. On the contrary, if the client type is confidential, a client secret is required.

    If Spring offers an API to set the client type, try to set the client type to public.

    0 讨论(0)
  • 余生分开走
    2020-12-16 07:05

    In the implementation of AuthorizationServerConfigurerAdapter override configure and set password encoder to raw text encoder (do not use it as a default password encoder!).

    @Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

    @Override
    public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
        oauthServer.tokenKeyAccess("permitAll()")
                .checkTokenAccess("isAuthenticated()")
                .passwordEncoder(plainTextPasswordEncoder())
                .allowFormAuthenticationForClients();
    }

    private PasswordEncoder plainTextPasswordEncoder() {
        return new PasswordEncoder() {
            @Override
            public boolean matches(CharSequence rawPassword, String encodedPassword) {
                return !StringUtils.hasText(encodedPassword) || passwordEncoder.matches(rawPassword, encodedPassword);
            }

            @Override
            public String encode(CharSequence rawPassword) {
                return passwordEncoder.encode(rawPassword);
            }
        };
    }

}

    Now, for OAuth client details (in memory or in a database), set the client secret to null. In this case, the client will be treated as public and will not require client_secret parameter. If you set client secret for OAuth client details (e.g. BCrypt hash), then the client will be treated as confidential. It will rely on default password encoder (e.g. BCrypt) and require client_secret parameter to be sent in order to obtain an access token.

    0 讨论(0)
  • 渐次进展
    2020-12-16 07:19

    Spring Boot's implementation requires that a client-secret be passed in to authenticate. You can however override this by creating a bean of type AuthorizationServerConfigurer and configuring it yourself. This is the link to the documenation...

    0 讨论(0)
  • 青春惊慌失措
    2020-12-16 07:19

    Use basic auth but leave the password empty.

    0 讨论(0)
 看不清?
提交回复
热议问题