  • Spring OAuth 2.0 uses session

    I'm using spring-OAuth 1.0.0.M3. I found that after the first client request with a token, Spring creates a session for that client, and that way the client can send requests without any token thereafter. I think it can result in some problems.
    In addition, I prefer that the resource owner could not call services that are provided only for OAuth services. How can I prevent it?
    Thank you.

  • #2
    I don't think the client implementation in SECOAUTH sets cookie headers, so there is no way for it to access the session. I can see that maybe the framework should clean up such sessions if they are created, but I'm not sure that they are. If you think there is a problem with the framework, then a test case would be really useful.

    A session is needed for the resource owner's browser access for the authorization flow, but the client doesn't need a session because it only accesses stateless endpoints (at least in the OAuth flow).

    I didn't understand your second question. What is it that you need? How would a resource owner call a service?


    • #3
      Thanks Dave for your attention.
      Let's describe the problem with a sample:
      I use a browser for testing my OAuth server instead of the Spring OAuth client.
      I take a token (for example "xxx"), then I call the service /myservice?oauth_token=xxx
      The server returns the result. After the first request I can call: /myservice
      and it uses the previous token! But it doesn't happen on other OAuth servers like Google.
      Another problem is that when the resource owner logs in to my server, he/she can call: /myservice
      but I want only clients to use my OAuth service.


      • #4
        I see. If you use a browser to access your service then indeed a session will be created by default. Normal API clients would not store the cookie though, so it doesn't seem all that relevant. If you care about it raise a JIRA ticket because that endpoint is due for a big refactor soon, and we could potentially enforce the statelessness by default. I think Spring Security does allow you to switch off Session persistence of the current authentication - you could check the core Spring Security manual, or post in the main forum.

        As far as protecting the access from non-API clients, Spring Security allows you to secure individual URLs, e.g. <intercept-url pattern="/myservice" access="SCOPE_READ_ONLY"/> would protect your service from clients that don't present an access token with scope="read_only".

        N.B. the "oauth_token" request parameter is obsolete (now it is "access_token"). You should upgrade to 1.0.0.M4 at least as soon as possible.
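        Putting the two suggestions from #4 together (a filter chain for the API that never touches the HttpSession, plus scope-based intercept-url rules) as an added configuration example; this is not code from this thread or from the SECOAUTH samples. It assumes Spring Security 3.1 (for the per-chain pattern attribute and create-session="stateless"; on 3.0 the closest setting is create-session="never", which still reuses an existing session) and the class and namespace names of spring-security-oauth2 1.0.x (OAuth2AuthenticationEntryPoint, OAuth2AccessDeniedHandler, ScopeVoter, the oauth:resource-server element), which may differ from the 1.0.0.M3/M4 milestones discussed above. The bean ids, the /myservice path, the read_only scope and the in-memory user are constructed for the example, and the tokenServices bean is assumed to be defined elsewhere.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: stateless, scope-protected resource-server chain.
     Assumes Spring Security 3.1 and spring-security-oauth2 1.0.x. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:sec="http://www.springframework.org/schema/security"
       xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
           http://www.springframework.org/schema/security
           http://www.springframework.org/schema/security/spring-security-3.1.xsd
           http://www.springframework.org/schema/security/oauth2
           http://www.springframework.org/schema/security/spring-security-oauth2-1.0.xsd">

  <!-- Chain for the API only. create-session="stateless" means this chain never
       reads or writes the HttpSession, so (1) a browser that presented a token once
       cannot have it replayed from a cookie on the next request, and (2) a resource
       owner logged in through the browser chain below is simply unauthenticated here. -->
  <sec:http pattern="/myservice/**" create-session="stateless"
            entry-point-ref="oauthAuthenticationEntryPoint"
            access-decision-manager-ref="accessDecisionManager">
    <sec:anonymous enabled="false"/>
    <!-- Only a request carrying an access token with scope "read_only" passes. -->
    <sec:intercept-url pattern="/myservice/**" access="SCOPE_READ_ONLY"/>
    <!-- Extracts and validates the token before the rest of the chain runs. -->
    <sec:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER"/>
    <sec:access-denied-handler ref="oauthAccessDeniedHandler"/>
  </sec:http>

  <!-- Separate, session-backed chain for the resource owner (login and /oauth/authorize).
       Nothing authenticated here is visible to the stateless API chain above. -->
  <sec:http>
    <sec:intercept-url pattern="/oauth/authorize" access="ROLE_USER"/>
    <sec:intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <sec:form-login/>
  </sec:http>

  <!-- Constructed in-memory user for the example only. -->
  <sec:authentication-manager>
    <sec:authentication-provider>
      <sec:user-service>
        <sec:user name="alice" password="example-only" authorities="ROLE_USER"/>
      </sec:user-service>
    </sec:authentication-provider>
  </sec:authentication-manager>

  <!-- Bearer-token filter; tokenServices is assumed to be defined elsewhere. -->
  <oauth:resource-server id="resourceServerFilter" resource-id="myservice"
                         token-services-ref="tokenServices"/>

  <bean id="oauthAuthenticationEntryPoint"
        class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
    <property name="realmName" value="myservice"/>
  </bean>

  <bean id="oauthAccessDeniedHandler"
        class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler"/>

  <!-- ScopeVoter is what gives SCOPE_* attributes their meaning. Without it no voter
       supports SCOPE_READ_ONLY, every voter abstains, and UnanimousBased denies by
       default, so a missing voter fails closed rather than open. -->
  <bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased">
    <constructor-arg>
      <list>
        <bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter"/>
        <bean class="org.springframework.security.access.vote.RoleVoter"/>
        <bean class="org.springframework.security.access.vote.AuthenticatedVoter"/>
      </list>
    </constructor-arg>
  </bean>
</beans>
```

        Two things to check after wiring this in: a second request to /myservice without the access_token parameter (or Authorization header) must get the entry point's 401 challenge rather than the previous result, and a browser session that is logged in as the resource owner must get the same 401, because the stateless chain never consults the session that the login chain created.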