Spring Security 5 OAuth2 client password grant type

Submitted by 有些话、适合烂在心里 on 2020-01-24 21:30:05

Question


I have 2 applications:

  1. Spring Application 1 is client and resource server.
  2. Spring Application 2 is authorization server.

User will be able to login in Application 1 and access its resources. And I want to implement the following flow:

User enters his credentials in the login form -> Application 1 gets a token from Application 2 using the user credentials and its clientId with the password grant type -> Access resources of Application 1 with the token.

The question is whether Spring Security 5 supports the password grant type for the client. I found all the other grant types, but not password, in the Spring Security 5 implementation.


Answer 1:


Spring Security 5.1.x doesn't support it, see Spring Security Reference:

6.6 OAuth 2.0 Client

The OAuth 2.0 Client features provide support for the Client role as defined in the OAuth 2.0 Authorization Framework.

The following main features are available:

  • Authorization Code Grant
  • Client Credentials Grant
  • WebClient extension for Servlet Environments (for making protected resource requests)

HttpSecurity.oauth2Client() provides a number of configuration options for customizing OAuth 2.0 Client.

However, you could use Spring Security OAuth2, see OAuth 2 Developers Guide:

Accessing Protected Resources

As a general rule, a web application should not use password grants, so avoid using ResourceOwnerPasswordResourceDetails if you can in favour of AuthorizationCodeResourceDetails. If you desperately need password grants to work from a Java client, then use the same mechanism to configure your OAuth2RestTemplate and add the credentials to the AccessTokenRequest (which is a Map and is ephemeral) not the ResourceOwnerPasswordResourceDetails (which is shared between all access tokens).

Or you could update to Spring Security 5.2.x, see Spring Security Reference:

11.2 OAuth 2.0 Client

The OAuth 2.0 Client features provide support for the Client role as defined in the OAuth 2.0 Authorization Framework.

At a high-level, the core features available are:

Authorization Grant support

  • Authorization Code
  • Refresh Token
  • Client Credentials
  • Resource Owner Password Credentials
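
A minimal Spring Security 5.2 client configuration for the flow described in the question, added here as an illustration (it is not code from the answer or from the Spring project). It registers Application 2 with AuthorizationGrantType.PASSWORD and builds a DefaultOAuth2AuthorizedClientManager whose context-attributes mapper reads the user's credentials from the current login request only, so they stay ephemeral rather than being stored in the shared registration, in line with the quoted guide. The client id, client secret, token URI and request parameter names are placeholders.

```java
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.client.*;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepository;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;

@Configuration
public class PasswordGrantClientConfig {

    // Application 2 (the authorization server) as seen from Application 1.
    // Placeholder values: replace with the real client registration.
    @Bean
    public ClientRegistrationRepository clientRegistrationRepository() {
        ClientRegistration app2 = ClientRegistration.withRegistrationId("app2")
                .clientId("app1-client")
                .clientSecret("app1-secret")
                .clientAuthenticationMethod(ClientAuthenticationMethod.BASIC)
                .authorizationGrantType(AuthorizationGrantType.PASSWORD)
                .tokenUri("https://auth.example.test/oauth/token")
                .build();
        return new InMemoryClientRegistrationRepository(app2);
    }

    @Bean
    public OAuth2AuthorizedClientManager authorizedClientManager(
            ClientRegistrationRepository registrations,
            OAuth2AuthorizedClientRepository authorizedClients) {
        // Password grant for the first token, refresh_token grant afterwards,
        // so the user's password is sent to Application 2 only once.
        OAuth2AuthorizedClientProvider provider = OAuth2AuthorizedClientProviderBuilder.builder()
                .password()
                .refreshToken()
                .build();
        DefaultOAuth2AuthorizedClientManager manager =
                new DefaultOAuth2AuthorizedClientManager(registrations, authorizedClients);
        manager.setAuthorizedClientProvider(provider);
        // Credentials are taken from the login request that triggers authorization
        // and are never kept in the ClientRegistration shared by all users.
        manager.setContextAttributesMapper(authorizeRequest -> {
            Map<String, Object> attrs = new HashMap<>();
            HttpServletRequest req = authorizeRequest.getAttribute(HttpServletRequest.class.getName());
            String username = req.getParameter("username");   // placeholder parameter names
            String password = req.getParameter("password");
            if (username != null && password != null) {
                attrs.put(OAuth2AuthorizationContext.USERNAME_ATTRIBUTE_NAME, username);
                attrs.put(OAuth2AuthorizationContext.PASSWORD_ATTRIBUTE_NAME, password);
            }
            return attrs;
        });
        return manager;
    }
}
```

The returned OAuth2AuthorizedClientManager can then be handed to the WebClient exchange filter (ServletOAuth2AuthorizedClientExchangeFilterFunction) so requests to Application 1's protected resources carry the obtained access token.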


Source: https://stackoverflow.com/questions/53098955/spring-security-5-oauth2-client-password-grant-type
