
  • Userless access

    Looking for some guidance. I am building a REST API where some of our endpoints don't pertain to specific user information. An auth token is not required for these endpoints, but I would still like for a consumer key's Client ID to be passed to the endpoint. Is there a grant type in OAuth that I should be using? Or is this something to be done outside of OAuth, manually in the controller?

  • #2
    OAuth2 has a client_credentials grant type, but if you don't mind sending the client id with every request I would suggest that HTTP Basic is more straightforward. The advantage of using OAuth2 would be the token management (expiry, revocation), but if you don't need that, there's not much point.
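
    The trade-off described in reply #2, sketched as an added example that is not part of the original thread or of Spring Security OAuth: the same client credentials are either checked on every request (HTTP Basic) or exchanged once for a bearer token that can expire and be revoked (client_credentials). The registry `CLIENTS`, the helper names and the `TokenStore` class are hypothetical, and the credentials are constructed sample values.

```python
import base64, hmac, secrets, time

# Constructed sample registry: client_id -> client_secret (hypothetical values).
CLIENTS = {"reporting-app": "s3cr3t-constructed"}

def basic_header(client_id, secret):
    """Build the value of an 'Authorization: Basic ...' header."""
    return "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode()

def client_from_basic(header):
    """Option 1 (HTTP Basic): authenticate the client on every request."""
    scheme, _, blob = (header or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except ValueError:          # malformed base64 or non-UTF-8 bytes
        return None
    client_id, sep, secret = decoded.partition(":")
    expected = CLIENTS.get(client_id, "")
    # Constant-time comparison; unknown clients are compared against "".
    ok = hmac.compare_digest(secret.encode(), expected.encode())
    return client_id if sep and ok and client_id in CLIENTS else None

class TokenStore:
    """Option 2 (client_credentials): authenticate once, then use a token."""
    def __init__(self, ttl=3600, clock=time.time):
        self.ttl, self.clock, self._tokens = ttl, clock, {}

    def issue(self, header):
        client_id = client_from_basic(header)
        if client_id is None:
            return None
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (client_id, self.clock() + self.ttl)
        return {"access_token": token, "token_type": "bearer",
                "expires_in": self.ttl}

    def client_for(self, token):
        """Resolve a bearer token to its client_id; expired tokens fail."""
        client_id, expires_at = self._tokens.get(token, (None, 0))
        if client_id is None or self.clock() >= expires_at:
            self._tokens.pop(token, None)
            return None
        return client_id

    def revoke(self, token):
        """Revocation: something a bare Basic credential cannot offer per session."""
        self._tokens.pop(token, None)
```

    With Basic, withdrawing access means changing the client secret itself; with tokens, a single token can be revoked or left to expire while the secret stays the same.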


    • #3
      I'd like to try client_credentials but don't know how to specify one. In my applicationContext-security.xml the only supported grant types are: "Grant types that are authorized for the client to use (comma-separated). Currently defined grant types include "authorization_code", "password", "assertion", and "refresh_token". Default value is "authorization_code,refresh_token"."

      I am using spring-oauth-version: 1.0.0.M3


      • #4
        M5 was released quite a while ago, and there have been many changes (also to the spec, so the names are different). I would upgrade. Note that the OAuth2 support is in a separate jar file since M4.