
  • Sparklr2 Demo Questions

    So I'm a bit confused with the cURL responses I'm getting back, and it could be entirely myself and learning Spring Security OAUTH2 and cURL at the same time.
    1. Running this actually returns a bearer token. I expected this would not be possible because the endpoints are secured with basic authentication:

      curl --data  "grant_type=implicit&client_id=my-less-trusted-autoapprove-client" http://localhost:8080/sparklr2/oauth/token
    2. Currently the only way I am able to return one of the photos is by using the JSESSIONID as shown below. How can I use an issued bearer token to return a resource with the example app? I assumed I shouldn't be able to get any sort of response other than access denied without a bearer token. Or is it because the tokenStore is the in-memory store so JSESSIONID = bearer token in a sense?

      curl -s -D -X -v -b JSESSIONID=<JSESSIONID> http://localhost:8080/sparklr2/photos/1
      I had expected something like this would have returned my resource instead:

      curl -H "Authorization: Bearer <BEARER_TOKEN>" http://localhost:8080/sparklr2/photos/1

    I guess the example has confused me a bit with the JSESSIONID and still being able to get a bearer token without being authenticated. I may be completely missing something, but it doesn't feel like I am seeing OAUTH2 or at least what I would expect as OAUTH2.

    Thanks in advance.

  • #2
    On point #1: that's a surprise and I have to say it must be a bug. It only works because the client you picked doesn't have a secret, and hence can be authenticated purely on the client id, but an implicit grant doesn't make any sense from the /token endpoint, so clearly that needs to be fixed.

    On point #2: the /photos endpoints are not exclusively OAuth2 endpoints, so I would expect an authenticated session to be able to access them as well. The bearer token should work as well, but only (obviously) if it represents a user with the right authorities. The token that you cheated out of the /token endpoint in #1 has no user data (I would have thought), so I doubt if it would work. You can tell from the logs what the access decision was.


    • #3
      Thanks Dave. That confirms I'm not losing my mind.

      For #1 am I correct in assuming without that bug present I should have to pass the JSESSIONID I get back from the login page as part of the curl request for the /oauth/token endpoint with any of the grant types to receive my token? So the request should look something like this:

      curl -D -v -b JSESSIONID=<JSESSIONID> --data "grant_type=implicit&client_id=my-less-trusted-autoapprove-client" http://localhost:8080/sparklr2/oauth/token
      For #2 is there a curl command you could provide for the demo that would return a token that would allow me to request the photo resources?

      Just trying to have a thorough understanding of what is going on with Spring and Oauth2 before I implement my own server and endpoints.

      Thanks Again.


      • #4
        No, you can't get a token from the /token endpoint with a session cookie because it's a back channel for the clients (not a user-facing endpoint). You can get a token from the /authorize endpoint in the way you are trying, except you need response_type=token (not grant_type=implicit). You have to use the autoapprove client though, otherwise there is an explicit confirmation required from the user (so it's not a single curl). Autoapproval is a sparklr2 feature, not a Spring OAuth feature (it is there to demonstrate the use of UserApprovalHandler).

        You can get a token from the /token endpoint using the password grant, e.g. curl -d grant_type=password -d username=marissa -d password=koala my-trusted-client-with-secret:[email protected]:8080/sparklr2/oauth/token. For an authcode grant you need the authcode, so it's not a single command.


        • #5
          Thank you very much Dave. I added a scope to that client ID in the curl and now I'm getting back what I expected with the token. I may have some more questions as I make my way through the Spring oauth2 module. It's much appreciated to have someone like yourself responding to these types of questions.
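
The endpoint split described in replies #2 and #4, as an added example that is not part of the thread and is not sparklr2 or Spring Security OAuth code: a minimal Python model in which the back-channel token endpoint authenticates the client and refuses `grant_type=implicit`, while the front-channel authorization endpoint requires a logged-in user and `response_type`. The client secret, the per-client grant lists and the `user_login_required` label are assumptions.

```python
import base64
import hmac

# Constructed registry: the client ids come from the thread; the secret and the
# grant lists are assumptions for illustration, not sparklr2's configuration.
CLIENTS = {
    "my-less-trusted-autoapprove-client": {"secret": None, "grants": {"implicit"}},
    "my-trusted-client-with-secret": {"secret": "PLACEHOLDER-SECRET", "grants": {"password"}},
}
# Grants the back-channel token endpoint may serve; "implicit" is deliberately absent.
TOKEN_ENDPOINT_GRANTS = {"authorization_code", "password", "client_credentials", "refresh_token"}

def basic_credentials(header):
    """Parse an HTTP Basic header into (client_id, secret); None if absent or malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        user, sep, secret = base64.b64decode(header[6:], validate=True).decode().partition(":")
    except ValueError:  # covers bad base64 and bad UTF-8
        return None
    return (user, secret) if sep else None

def check_token_request(form, authorization=None):
    """Back channel: authenticate the client, then allow only token-endpoint grants."""
    creds = basic_credentials(authorization)
    client = CLIENTS.get(creds[0] if creds else form.get("client_id"))
    if client is None:
        return 401, "invalid_client"
    if client["secret"] is not None and (
            creds is None or not hmac.compare_digest(creds[1].encode(), client["secret"].encode())):
        return 401, "invalid_client"
    if "grant_type" not in form:
        return 400, "invalid_request"
    if form["grant_type"] not in TOKEN_ENDPOINT_GRANTS:
        return 400, "unsupported_grant_type"  # grant_type=implicit stops here
    if form["grant_type"] not in client["grants"]:
        return 400, "unauthorized_client"
    return 200, None

def check_authorize_request(query, session_user=None):
    """Front channel: needs a logged-in user and response_type, never grant_type."""
    if session_user is None:
        return 401, "user_login_required"  # constructed label, not an RFC 6749 code
    client = CLIENTS.get(query.get("client_id"))
    if client is None or "response_type" not in query:
        return 400, "invalid_request"
    grant = {"token": "implicit", "code": "authorization_code"}.get(query["response_type"])
    if grant is None:
        return 400, "unsupported_response_type"
    return (200, None) if grant in client["grants"] else (400, "unauthorized_client")
```

With this check in place, the request from point #1 is answered with `unsupported_grant_type` even though the secretless client id is valid.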