
  • autoApproveClients doesn't seem to work

    I'm trying to auto-approve my clients after a successful login. But I always get redirected to localhost:8080/myapp/oauth/confirm_access instead of the configured and committed redirect URL.

    The request is:
    http://localhost:8080/myapp/oauth/au...in%2Fapponizer (It comes from my spring social provider integration on client side, redirect url is configured on oauth server for this client)

    Code:
    <bean id="userApprovalHandler" class="ch.myapp.be.security.MyAppUserApprovalHandler">
        <property name="autoApproveClients">
            <set>
                <value>my-trusted-client-with-secret</value>
            </set>
        </property>
        <property name="tokenServices" ref="tokenServices" />
    </bean>
    The implementation of MyAppUserApprovalHandler is a copy from SparklrUserApprovalHandler.

    In fact the following code in MyAppUserApprovalHandler resolves to false:
    Code:
    authorizationRequest.getResponseTypes().contains("token")
    How can I get this "token"? Is this a client or server configuration thing? Because I don't understand the bigger meaning: is this a security hole if I add auto-approve? My understanding was that the user doesn't have to approve again for certain resources to access them, but still has to authorize himself.

    Problem occurs under: spring-security-oauth2-1.0.0.M6c
    Last edited by adrian.hoehn; May 25th, 2012, 04:48 AM.

  • #2
    According to http://forum.springsource.org/showth...ghlight=social I've changed my spring-social implementation to OAuth2Version.BEARER; but with no effect.

    The authorizationRequest.getResponseTypes() is still "code". Should the MyAppUserApprovalHandler be changed to this?
    Does an example of spring-security-oauth & spring-social exist somewhere?



    • #3
      The response_type parameter is part of the OAuth2 protocol, and if your client is a webapp then "code" is the right value. You should just be able to write your own UserApprovalHandler that ignores it. Why don't you do that?

      Craig Walls has some sample apps that use Social and Spring Security OAuth2 - maybe you can ask him directly or on the Social forum. It seems like your use case wouldn't be a typical one though (auto-approval is not very common, that's why it's a special strategy in sparklr2).

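      One way to write the handler Dave suggests, as an added example and not code from the thread or from the Spring Security OAuth project: auto-approval is keyed to the client id alone and ignores response_type, so a web-app client sending "code" is treated the same as one sending "token". It assumes the 1.0.0.M6-era isApproved(AuthorizationRequest, Authentication) signature and the TokenServicesUserApprovalHandler base class that the tokenServices property in the bean definition above points to; the auto-approve set is injected by the same bean definition.

```java
package ch.myapp.be.security;

import java.util.Collection;
import java.util.HashSet;

import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.provider.AuthorizationRequest;
import org.springframework.security.oauth2.provider.approval.TokenServicesUserApprovalHandler;

/**
 * Skips the confirm_access page for a fixed set of trusted first-party clients,
 * whatever response_type they send ("code" for a web-app client). All other
 * clients still see the consent page. Assumption: isApproved(...) is the hook
 * used by SparklrUserApprovalHandler in the 1.0.0.M6 line.
 */
public class MyAppUserApprovalHandler extends TokenServicesUserApprovalHandler {

    private Collection<String> autoApproveClients = new HashSet<String>();

    public void setAutoApproveClients(Collection<String> autoApproveClients) {
        this.autoApproveClients = autoApproveClients;
    }

    @Override
    public boolean isApproved(AuthorizationRequest authorizationRequest,
            Authentication userAuthentication) {
        // An approval the token services already recorded for this user and
        // client short-circuits the decision.
        if (super.isApproved(authorizationRequest, userAuthentication)) {
            return true;
        }
        // Auto-approval only removes the consent step, never authentication:
        // an unauthenticated user is never approved.
        if (userAuthentication == null || !userAuthentication.isAuthenticated()) {
            return false;
        }
        // Decide on the client id only; the response type is deliberately ignored.
        // Because the user no longer sees the consent page, keep this set to
        // confidential clients (ones with a secret) whose redirect URI is
        // registered on the server, so the code can only go back to your own app.
        return autoApproveClients.contains(authorizationRequest.getClientId());
    }
}
```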


      • #4
        Thanks Dave

        I just wasn't sure if I can ignore it. Thanks for the hint with "Craig Walls", I'll ask him.
