  • oauth2 - Combination client_credentials and password grant types

    I'm trying to create an API that reveals certain functionality based on the app that is accessing it (using the client-credentials grant type), and then once the user logs in it exposes more functionality. The permissions granted to the user, whether they've logged in or not, are secured by ROLE_CLIENT1. Here is my client configuration:
    Code:
    <oauth:client client-id="client1" resource-ids="api"
        authorized-grant-types="client_credentials,password,refresh_token"
        authorities="ROLE_CLIENT1" scope="read,write"
        secret="secret" />
    I also have a custom userDetailsService that pulls my user's details and roles from the database and populates them into a custom UserDetails object. The configuration for that is here:
    Code:
    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider
            user-service-ref="userDetailsService">
            <security:password-encoder ref="passwordEncoder">
                <security:salt-source user-property="username" />
            </security:password-encoder>
        </security:authentication-provider>
    </security:authentication-manager>
    My problem is that the user doesn't have the ROLE_CLIENT1 role when I create my userDetails object. How do I append authorities granted by the client to the list of authorities in my database that the user has been granted?

    Using M6 release.

  • #2
    If I understand correctly, I don't think you should need to be appending authorities anywhere. It looks to me like just a question of the access decision, and you can implement that in a number of ways, but possibly the most convenient is to use a SpEL expression, e.g.

    Code:
    access="oauthClientHasRole('ROLE_CLIENT1') or hasRole('ROLE_USER')"
    (I'm sketching because the requirement is not yet precise enough to give you a complete expression.) You can find out how to enable expression parsing in the Spring Security user guide, or take a look at some samples, e.g. https://github.com/cloudfoundry/uaa/...lients.xml#L15.
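    The access decision sketched above, as an added illustration that is not part of the original thread and not Spring Security OAuth code: a plain-Java model in which the client's authorities and the user's authorities stay separate, and the expression `oauthClientHasRole('ROLE_CLIENT1') or hasRole('ROLE_USER')` is evaluated against both a client_credentials token (no user present) and password-grant tokens. The class, the `OAuth2Auth` holder and the sample role sets are hypothetical.

```java
import java.util.Set;

// Added illustration only: a minimal model of the access decision from the
// reply above, with no Spring dependency. The client's roles and the user's
// roles are never merged; the expression combines them at decision time.
public class AccessDecisionDemo {

    // Constructed stand-in for an OAuth2 authentication: the client's roles are
    // always present; the user part is null for a client_credentials token.
    static final class OAuth2Auth {
        final Set<String> clientAuthorities;
        final Set<String> userAuthorities; // null when no user has logged in

        OAuth2Auth(Set<String> clientAuthorities, Set<String> userAuthorities) {
            this.clientAuthorities = clientAuthorities;
            this.userAuthorities = userAuthorities;
        }
    }

    // Model of oauthClientHasRole('...'): looks only at the client's roles,
    // which come from the <oauth:client authorities="..."> definition.
    static boolean oauthClientHasRole(OAuth2Auth auth, String role) {
        return auth.clientAuthorities.contains(role);
    }

    // Model of hasRole('...'): looks only at the logged-in user's roles (the
    // ones the userDetailsService loads), so it is false for a
    // client_credentials token, which carries no user authentication.
    static boolean hasRole(OAuth2Auth auth, String role) {
        return auth.userAuthorities != null && auth.userAuthorities.contains(role);
    }

    // access="oauthClientHasRole('ROLE_CLIENT1') or hasRole('ROLE_USER')"
    static boolean allowed(OAuth2Auth auth) {
        return oauthClientHasRole(auth, "ROLE_CLIENT1") || hasRole(auth, "ROLE_USER");
    }

    public static void main(String[] args) {
        // client_credentials grant for client1: the client role alone grants access
        OAuth2Auth appOnly = new OAuth2Auth(Set.of("ROLE_CLIENT1"), null);
        // password grant through client1: the user's database roles are also present
        OAuth2Auth client1User = new OAuth2Auth(Set.of("ROLE_CLIENT1"), Set.of("ROLE_USER"));
        // password grant through another client, user without ROLE_USER: denied
        OAuth2Auth otherClient = new OAuth2Auth(Set.of("ROLE_CLIENT2"), Set.of("ROLE_GUEST"));

        System.out.println("client_credentials, client1: " + allowed(appOnly));
        System.out.println("password, client1 + ROLE_USER: " + allowed(client1User));
        System.out.println("password, client2 + ROLE_GUEST: " + allowed(otherClient));
    }
}
```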


    • #3
      Hey Dave,

      I just typed out a page long reply before reading over your reply again and realizing I think you gave me exactly what I needed. We're already using SpEL to secure our methods. Will the oauthClientHasRole expression check the roles of the client even when a password grant type is used? If so, that's exactly what I need. I just missed it in the documentation.

      Thanks for your help and all the great work you've done on this project.

      Originally posted by Dave Syer
      If I understand correctly, I don't think you should need to be appending authorities anywhere. It looks to me like just a question of the access decision, and you can implement that in a number of ways, but possibly the most convenient is to use a SpEL expression, e.g.

      Code:
      access="oauthClientHasRole('ROLE_CLIENT1') or hasRole('ROLE_USER')"
      (I'm sketching because the requirement is not yet precise enough to give you a complete expression.) You can find out how to enable expression parsing in the Spring Security user guide, or take a look at some samples, e.g. https://github.com/cloudfoundry/uaa/...lients.xml#L15.
