use of password grant type even though we are passing user credentials over network
  • use of password grant type even though we are passing user credentials over network

    I deployed the sparklr2 application in Tomcat and tried to access photos using the URLs below from a REST client tool, passing access tokens, without deploying the tonr2 application (the consumer or client).

    Please check below: generating access tokens with different grant types [password, authorization_code].

    1) My requirement is to protect Spring RESTful web services using OAuth2. Which grant type do I need to use?

    2) I heard that OAuth is popular and useful because we can access other resource information without exchanging user/password over the network,
    but my main doubt is: if we go for the password grant type, in this case we are sending the username/password [marissa/koala, paul/emu] over the network to generate the access token, right? Then what is the use of it? Please let me know if I am wrong.

    3) Generating tokens using the password grant type:
    http://localhost:8080/sparklr2/oauth...nt-with-secret

    If I don't set scope=read in the above URL then I get the exception below
    {"error":"insufficient_scope","error_description": "Insufficient scope for this resource","scope":"READ"}
    when I try to access the photos in sparklr2 by appending the access token generated with the above URL. [http://localhost:8080/sparklr2/photo...0f&format=xml]

    sparklr2 spring-servlet.xml
    *************************
    Code:
    <?xml version="1.0" encoding="UTF-8" ?>
    <beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    	xmlns:oauth="http://www.springframework.org/schema/security/oauth2" xmlns:sec="http://www.springframework.org/schema/security"
    	xmlns:mvc="http://www.springframework.org/schema/mvc"
    	xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-1.0.xsd
    		http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd
    		http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd">
    
    	<http pattern="/oauth/token" create-session="stateless" authentication-manager-ref="clientAuthenticationManager"
    		xmlns="http://www.springframework.org/schema/security">
    		<intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY" />
    		<anonymous enabled="false" />
    		<http-basic entry-point-ref="clientAuthenticationEntryPoint" />
    		
    		<custom-filter ref="clientCredentialsTokenEndpointFilter" after="BASIC_AUTH_FILTER" />
    		<access-denied-handler ref="oauthAccessDeniedHandler" />
    	</http>
    
    	
    	
    	<http pattern="/photos/**" create-session="never" entry-point-ref="oauthAuthenticationEntryPoint"
    		access-decision-manager-ref="accessDecisionManager" xmlns="http://www.springframework.org/schema/security">
    		<anonymous enabled="false" />
    		<intercept-url pattern="/photos" access="ROLE_USER,SCOPE_READ" />
    		<intercept-url pattern="/photos/**" access="ROLE_USER,SCOPE_READ" />
    		<custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
    		<access-denied-handler ref="oauthAccessDeniedHandler" />
    	</http>
    
    
    	<http access-denied-page="/login.jsp?authorization_error=true" disable-url-rewriting="true"
    		xmlns="http://www.springframework.org/schema/security">
    		<intercept-url pattern="/oauth/**" access="ROLE_USER" />
    		<intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    
    		<form-login authentication-failure-url="/login.jsp?authentication_error=true" default-target-url="/index.jsp"
    			login-page="/login.jsp" login-processing-url="/login.do" />
    		<logout logout-success-url="/index.jsp" logout-url="/logout.do" />
    		<anonymous />
    	</http>
    
    	<bean id="oauthAuthenticationEntryPoint" class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
    		<property name="realmName" value="sparklr2" />
    	</bean>
    
    	<bean id="clientAuthenticationEntryPoint" class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
    		<property name="realmName" value="sparklr2/client" />
    		<property name="typeName" value="Basic" />
    	</bean>
    
    	<bean id="oauthAccessDeniedHandler" class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" />
    
    	<bean id="clientCredentialsTokenEndpointFilter" class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
    		<property name="authenticationManager" ref="clientAuthenticationManager" />
    	</bean>
    
    	<bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased" xmlns="http://www.springframework.org/schema/beans">
    		<constructor-arg>
    			<list>
    				<bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter" />
    				<bean class="org.springframework.security.access.vote.RoleVoter" />
    				<bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
    			</list>
    		</constructor-arg>
    	</bean>
    
    	<authentication-manager id="clientAuthenticationManager" xmlns="http://www.springframework.org/schema/security">
    		<authentication-provider user-service-ref="clientDetailsUserService" />
    	</authentication-manager>
    
    	<authentication-manager alias="authenticationManager" xmlns="http://www.springframework.org/schema/security">
    		<authentication-provider>
    			<user-service id="userDetailsService">
    				<user name="marissa" password="koala" authorities="ROLE_USER" />
    				<user name="paul" password="emu" authorities="ROLE_USER" />
    			</user-service>
    		</authentication-provider>
    	</authentication-manager>
    
    	<bean id="clientDetailsUserService" class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
    		<constructor-arg ref="clientDetails" />
    	</bean>
    
    	<bean id="tokenStore" class="org.springframework.security.oauth2.provider.token.InMemoryTokenStore" />
    
    	<bean id="tokenServices" class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
    		<property name="tokenStore" ref="tokenStore" />
    		<property name="supportRefreshToken" value="true" />
    		<property name="clientDetailsService" ref="clientDetails" />
    	</bean>
    
    	<bean id="userApprovalHandler" class="org.springframework.security.oauth.examples.sparklr.oauth.SparklrUserApprovalHandler">
    		<property name="autoApproveClients">
    			<set>
    				<value>my-less-trusted-autoapprove-client</value>
    			</set>
    		</property>
    		<property name="tokenServices" ref="tokenServices" />
    	</bean>
    
    	<oauth:authorization-server client-details-service-ref="clientDetails" token-services-ref="tokenServices"
    		user-approval-handler-ref="userApprovalHandler">
    		<oauth:authorization-code />
    		<oauth:implicit />
    		<oauth:refresh-token />
    		<oauth:client-credentials />
    		<oauth:password />
    	</oauth:authorization-server>
    
    	<oauth:resource-server id="resourceServerFilter" resource-id="sparklr" token-services-ref="tokenServices" />
    
    	<oauth:client-details-service id="clientDetails">
    		<oauth:client client-id="my-trusted-client" authorized-grant-types="password,authorization_code,refresh_token,implicit"
    			authorities="ROLE_CLIENT, ROLE_TRUSTED_CLIENT" scope="read,write,trust" access-token-validity="60" />
    		<oauth:client client-id="my-trusted-client-with-secret" authorized-grant-types="password,authorization_code,refresh_token,implicit"
    			secret="somesecret" authorities="ROLE_CLIENT, ROLE_TRUSTED_CLIENT" />
    		<oauth:client client-id="my-client-with-secret" authorized-grant-types="client_credentials" authorities="ROLE_CLIENT"
    			scope="read" secret="secret" />
    		<oauth:client client-id="my-less-trusted-client" authorized-grant-types="authorization_code,implicit"
    			authorities="ROLE_CLIENT" />
    		
    		
    	</oauth:client-details-service>
    
    	<mvc:annotation-driven />
    
    	<mvc:default-servlet-handler />
    
    	<sec:global-method-security pre-post-annotations="enabled" proxy-target-class="true">
    		
    		<sec:expression-handler ref="oauthExpressionHandler" />
    	</sec:global-method-security>
    
    	<oauth:expression-handler id="oauthExpressionHandler" />
    
    	<oauth:web-expression-handler id="oauthWebExpressionHandler" />
    
    	
    
    	<bean id="photoController" class="org.springframework.security.oauth.examples.sparklr.mvc.PhotoController">
    		<property name="photoService" ref="photoServices" />
    	</bean>
    
    	<bean id="photoServiceUserController" class="org.springframework.security.oauth.examples.sparklr.mvc.PhotoServiceUserController">
    		<property name="userDetailsService" ref="userDetailsService" />
    	</bean>
    
    	<bean id="adminController" class="org.springframework.security.oauth.examples.sparklr.mvc.AdminController">
    		<property name="tokenServices" ref="tokenServices" />
    		<property name="userApprovalHandler" ref="userApprovalHandler" />
    	</bean>
    
    	<!-- Override the default mappings for approval and error pages -->
    	<bean id="accessConfirmationController" class="org.springframework.security.oauth.examples.sparklr.mvc.AccessConfirmationController">
    		<property name="clientDetailsService" ref="clientDetails" />
    	</bean>
    
    	<bean id="photoServices" class="org.springframework.security.oauth.examples.sparklr.impl.PhotoServiceImpl">
    		<property name="photos">
    			<list>
    				
    				
    			</list>
    		</property>
    	</bean>
    
    </beans>
    ****************************
    Generate the access token using grant_type=authorization_code
    Code:
    Getting the authorization code from the URL below
    
    http://localhost:8080/sparklr2/oauth/authorize?grant_type=authorization_code&response_type=code&client_id=tonr&redirect_uri=http://localhost:8080/sparklr2/index.jsp
    
    
    http://localhost:8080/sparklr2/photos?access_token=6fa79700-7488-4336-9db1-3cfddcf60a4b&format=xml
    http://localhost:8080/sparklr2/photos/3?access_token=3e73b50f-74c1-4798-9216-b86d4894e4bb

  • #2
    1) it's up to you to pick a grant type appropriate for your client.

    2) The password grant type does require the client to collect user credentials, and you are correct that this defeats the purpose if your reason for using OAuth is to avoid collecting them. In that case you should probably use the auth code grant type.

    3) I'm not sure what the question was.



    • #3
      We have decided to implement the authorization_code grant type. How do I store client_id and client_secret in a DB instead of in the configuration file?

      How do I write a standalone Java client for the authorization_code grant type if ?



      • #4
        Originally posted by chaituu: "how to store client_id,client_secret in DB instead of storing in configuration file."
        Try JdbcClientDetailsStore.

        Originally posted by chaituu: "how to write standalone java client for authorization_code grant type if ?"
        Auth code grant is not well suited to standalone clients since it was designed to work through a series of HTTP redirects (which a browser will handle easily). That doesn't mean you can't do it, but you might need to (for instance) provide a web app that your users can log into and obtain a one-time code for authentication. Otherwise how can you stop your client from having to collect user credentials?



        • #5
          But for the auth code grant we don't require user credentials (username/password), right? We require only the client id, secret and redirect URI to get a one-time code for authentication. How do I set up a web app that users can log into and obtain a one-time code for authentication?

          I am following the steps below for grant_type=authorization_code through a REST client tool
          Code:
          Getting the authorization code from the URL below
          
          http://localhost:8080/sparklr2/oauth/authorize?grant_type=authorization_code&response_type=code&client_id=tonr&redirect_uri=http://localhost:8080/sparklr2/index.jsp
          
          Getting the access token from the URL below by putting in the authorization code obtained from the URL above
          
          http://localhost:8080/sparklr2/oauth/token?grant_type=authorization_code&client_id=tonr&client_secret=secret&code=837NKx&redirect_uri=http://localhost:8080/sparklr2/index.jsp
          {"access_token":"577bf50a-cfc4-4450-b9ed-7b0325191b86","token_type":"bearer","refresh_token":"de1d1634-db74-4be4-8f45-304b11c12a4e","expires_in":43199}
          http://localhost:8080/sparklr2/photos?access_token=6fa79700-7488-4336-9db1-3cfddcf60a4b&format=xml
          http://localhost:8080/sparklr2/photos/3?access_token=3e73b50f-74c1-4798-9216-b86d4894e4bb



          • #6
            If your example works then the client must be able to authenticate the user (e.g. it lives in a browser and stores cookies). What is your *real* client going to be like? If it isn't in a browser then you need to be able to handle the browser interaction, or else do the one-time code thing.

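The point made in #2 (the password grant hands the user's password to the client and sends it to the token endpoint) and in #4 and #6 (a standalone client can still use the authorization code grant, but it has to handle the browser redirect itself) can be shown side by side. The following is an added example written for this thread; it is not code from the sparklr2/tonr2 samples or from Spring Security OAuth. The endpoint URLs, the client id `tonr` and the code value `837NKx` are taken from the URLs posted in the thread; the `state` parameter, the loopback redirect listener on 127.0.0.1 and the `demo_loopback_capture` function (which plays the role of the browser being redirected back) are assumptions added for illustration.

```python
"""Authorization-code helpers for a standalone (non-browser) OAuth2 client.

Added example, not code from the forum thread or the sparklr2/tonr2 samples.
Endpoints and client id come from the thread; everything else is assumed.
"""
import secrets
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

AUTHORIZE_ENDPOINT = "http://localhost:8080/sparklr2/oauth/authorize"  # from the thread
TOKEN_ENDPOINT = "http://localhost:8080/sparklr2/oauth/token"          # from the thread


def new_state():
    """Unguessable per-request value that binds the redirect to this client run."""
    return secrets.token_urlsafe(16)


def build_authorize_url(client_id, redirect_uri, scope, state):
    """URL the user's browser is sent to. The client never sees the password."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": scope, "state": state}
    return AUTHORIZE_ENDPOINT + "?" + urllib.parse.urlencode(params)


def parse_redirect(redirect_url, expected_state):
    """Extract the one-time code from the redirect; refuse a mismatched state."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(redirect_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: redirect was not started by this client")
    if "error" in query:
        raise ValueError("authorization server returned: " + query["error"][0])
    return query["code"][0]


def token_request_fields(grant_type, client_id, **kw):
    """Form body sent to the token endpoint; shows what each grant transmits."""
    if grant_type == "authorization_code":
        # only the short-lived code and the redirect URI cross the wire
        return {"grant_type": grant_type, "client_id": client_id,
                "code": kw["code"], "redirect_uri": kw["redirect_uri"]}
    if grant_type == "password":
        # the user's own credentials are collected by the client and sent on
        return {"grant_type": grant_type, "client_id": client_id,
                "username": kw["username"], "password": kw["password"],
                "scope": kw.get("scope", "read")}
    raise ValueError("unsupported grant type: " + grant_type)


def user_credentials_exposed(fields):
    """True when the token request carries the end user's username/password."""
    return "username" in fields or "password" in fields


class _RedirectCatcher(BaseHTTPRequestHandler):
    """Receives the single browser redirect carrying ?code=...&state=..."""
    captured = None

    def do_GET(self):
        type(self).captured = "http://127.0.0.1" + self.path
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"You may close this window.")

    def log_message(self, *args):  # keep the demo quiet
        pass


def capture_code_on_loopback(expected_state, port=0):
    """Start a loopback listener; return (redirect_uri, wait_fn).

    wait_fn blocks for one request (the browser redirect) and returns the code.
    """
    server = HTTPServer(("127.0.0.1", port), _RedirectCatcher)
    _RedirectCatcher.captured = None
    redirect_uri = "http://127.0.0.1:%d/callback" % server.server_address[1]

    def wait():
        server.handle_request()
        server.server_close()
        return parse_redirect(_RedirectCatcher.captured, expected_state)

    return redirect_uri, wait


def demo_loopback_capture(code="837NKx"):
    """Constructed demo: stand in for the browser being redirected back."""
    state = new_state()
    redirect_uri, wait = capture_code_on_loopback(state)
    # A real run opens build_authorize_url(...) in the user's browser instead.
    fake_redirect = redirect_uri + "?" + urllib.parse.urlencode(
        {"code": code, "state": state})
    browser = threading.Thread(
        target=lambda: urllib.request.urlopen(fake_redirect).read())
    browser.start()
    got = wait()
    browser.join()
    return got


if __name__ == "__main__":
    st = new_state()
    print(build_authorize_url("tonr", "http://127.0.0.1:9/callback", "read", st))
    print("captured code:", demo_loopback_capture())
```

The two `token_request_fields` branches make the trade-off in #2 concrete: with the password grant the client sees and forwards `marissa/koala`, with the authorization code grant it forwards only a code that the user obtained by logging in at the authorization server. The loopback listener is the "handle the browser interaction" option from #6: the standalone client opens the authorize URL in the user's browser, the server redirects the browser to 127.0.0.1, and the client exchanges the captured code at the token endpoint together with its own client id and secret, as in the second URL of post #5.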