
  • Oauth 2 co-exist with Oauth 1.0a in the same app?

    Hello, there,

    We mean to put OAuth 2 token acquisition code in the same web application as the OAuth 1.0a.
    Currently our OAuth 1.0a is implemented using SS OAuth 3.17 and SS 2.0.5. Guess they will have to be upgraded to a higher version. Has anybody tried that before? Is there something I need to watch out for?

    Thank you for any hints/advice

  • #2
    I've never actually done it, but it should be possible. It was designed to be so.

    One thing you may need to watch out for is the URL paths of the filters... they may conflict.

    If you run into any problems, be sure to log a JIRA issue.


    • #3

      Thank you for the reply. I figured out that I'm gonna put the token acquisition code for the OAuth 2 token in another war, leaving the OAuth 1.0a token acquisition path untouched. So I don't need to worry about using different versions of SS and the OAuth library there.

      But I would still need to have my REST API application able to process access tokens retrieved either way. We used OAuth 3.17's ProtectedResourceProcessingFilter and I'm just wondering if it is capable of digesting OAuth 2 access tokens. Upgrading the ProtectedResourceProcessingFilter would be a lot of work as we have other stuff using SS in the same REST application.

      Thank you for sharing any hints/advice


      • #4
        Unfortunately, the ProtectedResourceProcessingFilter isn't wired up with how to process OAuth 2 tokens.


        • #5
          Hi, Stoic,

          Thank you for the nice reply. I am thinking that as we need to be able to take access tokens from OAuth 1 and 2 in the same app, and after reviewing the protected resource filter in OAuth 2's pack, maybe we can just insert a filter by ourselves, and what it does is transfer the OAuth 2 access token to an old-fashioned SS 2.0 Authentication object and put it in the security context holder.

          So this filter may know nothing about OAuth 2's ClientAuthentication object in the library (which I don't see often used). Is there gonna be any problem/risk doing that? What do you think?

          Hope I make it clear. Thanks a lot for your very kind help
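
The bridging filter proposed in post #5, as an added example (not code from the thread or from the Spring Security OAuth project). It assumes Spring Security 2.0.x package names and a `Bearer` Authorization scheme; `BearerTokenBridgeFilter`, `TokenLookup` and `TokenInfo` are hypothetical names, the latter two standing in for whatever store the OAuth 2 war writes its tokens to.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.Authentication;
import org.springframework.security.GrantedAuthority;
import org.springframework.security.context.SecurityContextHolder;
import org.springframework.security.providers.UsernamePasswordAuthenticationToken;

public class BearerTokenBridgeFilter implements Filter {
    // Hypothetical lookup: must return null for unknown, expired or revoked tokens.
    public interface TokenLookup { TokenInfo load(String tokenValue); }
    // Hypothetical record of what the token was issued for.
    public interface TokenInfo { String getUserName(); GrantedAuthority[] getAuthorities(); }

    private final TokenLookup tokens;
    public BearerTokenBridgeFilter(TokenLookup tokens) { this.tokens = tokens; }
    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        String header = request.getHeader("Authorization");
        boolean bearer = header != null && header.regionMatches(true, 0, "Bearer ", 0, 7);
        // OAuth 1.0a requests and already-authenticated requests pass through untouched.
        if (!bearer || SecurityContextHolder.getContext().getAuthentication() != null) {
            chain.doFilter(req, res);
            return;
        }
        TokenInfo info = tokens.load(header.substring(7).trim());
        if (info == null) {
            // Fail closed: a presented but invalid token never falls back to anonymous access.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Authorities come from the token's granted scope, not from the user's full role set.
        Authentication auth = new UsernamePasswordAuthenticationToken(
                info.getUserName(), null, info.getAuthorities());
        SecurityContextHolder.getContext().setAuthentication(auth);
        try {
            chain.doFilter(req, res);
        } finally {
            // Keep the token identity out of the HTTP session and off the pooled thread.
            SecurityContextHolder.clearContext();
        }
    }
}
```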