  • authorize specific variable value

    I'm making this credit system. I've got my provider where users can make an account and top up their credits. Client websites should be able to access these credits as some kind of payment, like using PayPal.

    The problem I noticed is that OAuth usually gives permission to access certain URLs, while I need clients to authorize not only a URL but also a specific amount of credits. So, for example, not only authorize the use of images but also an amount.

    I used as an example for my provider and client. But I can't seem to figure out how to add a variable to the authorization, so that, for example, only that specific value can be used in the 'payment' API of my credits. So if I authorize, for example, a client website to use my credits, I only want them to get 5 credits and no more.

    I'm quite new to Spring and OAuth, so maybe the solution to my question is very straightforward. I hope that someone wants to help this noob anyway.

    PS: If my explanation isn't clear enough, please let me know and I'll try to clarify further what I need.

  • #2
    Note that the article you quote, while perfectly good and very nicely written, refers to an old version of Spring Security OAuth, and things have moved on quite a lot since then. The article uses OAuth2, so I'll assume that's what you are doing as well.

    I don't think OAuth is really designed to be able to authorize a client to access a resource with arbitrary dynamic parameters. You can protect resources, and you can narrow the access of clients by referring to scopes. Scopes are just arbitrary strings as far as OAuth is concerned - it's up to the resource server to interpret them, so I suppose there might be some crazy way to parse the scope and extract a credit limit from it, but I don't think that's really in the spirit of the spec, and there's no support for it in Spring (scopes are hard-coded lists, so the best you could do would be to have a preset list of limits).

    I hope that helps. If you figure out what to do let us know.


    • #3
      Thank you for your feedback.

      I'm currently looking into . I suspect that that could help a lot.


      • #4
        We are developing an OAuth Provider and have a very similar requirement. The best example is where we have a client application calling our payment service and want to allow the resource owner to authorise a one-time token that equates to a specific amount charged.

        I.e. the user will get an authorisation page saying something along the lines of "Application X wishes to charge you 4.99 for {some description}. Do you allow? Yes/No".

        I can currently see two ways to support this (ignoring for now Spring OAuth on the client side):

        1) Embed the parameters in the scope as described above and parse the scope when the token is used to check the parameters.

        2) By convention, with these types of scopes, only allow one scope to be authorized at a time and pass the values as additional parameters in the HTTP authorize request. We already have this restriction imposed for 'one time' tokens (as they are revoked when used). Additionally, we could pass in the display description for the approval page this way as well.

        We would also implement a scope registry and validate the requests either way to ensure the correct parameters are supplied.

        The problem with (1) is that the ClientCredentialsChecker is hard-wired in (no interface), and this checks the scopes against those registered for the client, so dynamic scope names don't work. Would it be possible to make this more flexible?

        I thought (2) might be easier to implement with Spring Security OAuth, as the client AuthorizationRequest holds the initial request parameters in a map, so the idea was, when the token was used, to pull these out and check them against the request. However, the extra parameters are lost in AuthorizationCodeTokenGranter when a new instance of AuthorizationRequest is created for the token. Is there any reason why this is done, or could this be changed to pass any additional parameters into the new object?
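Editor's added example (not code from this thread and not Spring Security OAuth code): a plain-Python model of the two options discussed in #2 and #4. Option (1) carries the limit inside the scope string ("credits:5") and parses it back out when the token is presented; option (2) keeps a plain scope name ("charge") and takes the amount from an extra parameter of the authorize request, which the authorization server binds to the token it issues. Both paths check the scope name against a registry so a client cannot mint arbitrary scopes, the resource server enforces the limit bound to the token rather than whatever the client asks for, and tokens registered as one-time are revoked on first use. `SCOPE_REGISTRY`, `parse_scope`, `Token`, `AuthorizationServer`, `ResourceServer` and `denied` are all hypothetical names chosen for this illustration.

```python
"""Amount-bounded OAuth tokens: parameterized scopes, a scope registry, and enforcement.

Added illustration, not Spring code. Option (1): the limit rides inside the scope
string ("credits:5"). Option (2): the scope is a plain name ("charge") and the amount
is an extra authorize-request parameter bound to the issued token.
"""
import re
import secrets
from dataclasses import dataclass

# Hypothetical scope registry: name -> (value pattern, hard upper bound, one-time?)
SCOPE_REGISTRY = {
    "credits": (re.compile(r"^[0-9]+$"), 50, False),            # reusable, at most 50 credits
    "charge": (re.compile(r"^[0-9]+\.[0-9]{2}$"), 100.0, True),  # one charge of at most 100.00
}

class ScopeError(ValueError):
    """Unknown scope name, or a malformed / out-of-range amount."""

def parse_scope(scope, params=None):
    """Return (name, limit) for "credits:5" (option 1) or "charge" + params["amount"] (option 2)."""
    name, sep, inline_value = scope.partition(":")
    if name not in SCOPE_REGISTRY:
        raise ScopeError("unregistered scope %r" % name)
    pattern, upper, _ = SCOPE_REGISTRY[name]
    value = inline_value if sep else (params or {}).get("amount")
    if value is None or not pattern.match(value):
        raise ScopeError("scope %r requires a well-formed amount" % name)
    limit = float(value) if "." in value else int(value)
    if not 0 < limit <= upper:
        raise ScopeError("%s is outside the allowed range for %r" % (limit, name))
    return name, limit

@dataclass
class Token:
    value: str
    client_id: str
    scope: str
    limit: float
    one_time: bool
    remaining: float = 0
    revoked: bool = False

    def __post_init__(self):
        self.remaining = self.limit  # what the client may still spend on this token

class AuthorizationServer:
    """Issues tokens with the approved amount bound server-side at issue time."""

    def __init__(self):
        self.tokens = {}

    def approval_prompt(self, client_name, scope, params=None):
        """Text the resource owner sees before approving (the 'Do you allow?' page)."""
        name, limit = parse_scope(scope, params)
        purpose = (params or {}).get("description", name)
        return "%s wishes to use up to %s %s for %s. Do you allow? Yes/No" % (client_name, limit, name, purpose)

    def issue_token(self, client_id, scope, params=None, approved=True):
        if not approved:
            raise PermissionError("resource owner denied the request")
        name, limit = parse_scope(scope, params)
        token = Token(secrets.token_urlsafe(16), client_id, name, limit, SCOPE_REGISTRY[name][2])
        self.tokens[token.value] = token
        return token.value

class ResourceServer:
    """The 'payment' API: enforces the limit bound to the token, not the amount the client asks for."""

    def __init__(self, auth_server):
        self.auth = auth_server

    def charge(self, token_value, amount):
        token = self.auth.tokens.get(token_value)
        if token is None or token.revoked:
            raise PermissionError("invalid or revoked token")
        if token.one_time and amount != token.limit:
            raise PermissionError("one-time token is bound to exactly %s" % token.limit)
        if not 0 < amount <= token.remaining:
            raise PermissionError("%s exceeds remaining authorization %s" % (amount, token.remaining))
        token.remaining -= amount
        if token.one_time or token.remaining == 0:
            token.revoked = True  # one-time tokens die on first use; credit tokens when exhausted
        return {"client": token.client_id, "scope": token.scope, "charged": amount, "remaining": token.remaining}

def denied(fn, *args, **kwargs):
    """True if the call is refused; used to demonstrate the negative cases."""
    try:
        fn(*args, **kwargs)
    except (ScopeError, PermissionError):
        return True
    return False
```

Usage: `auth.issue_token("shop.example", "credits:5")` yields a token on which `ResourceServer.charge` will honour 5 credits in total and then refuse; `auth.issue_token("shop.example", "charge", {"amount": "4.99", "description": "..."})` yields a token that accepts exactly one charge of 4.99. The point both posts were circling is that the approved amount must be fixed at issue time and looked up from the token on use; a scope name alone, or an amount resent by the client in the payment call, gives the resource server nothing to enforce against.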