  • Oauth with Anonymous User

    The requirement is that the client application has:
    - No username/pass
    - Each user who comes to the app will end up with a new session and hence should be able to do the OAuth handshake based on their credentials with the provider app.

    The above doesn't work because once user A with session A is authorized to use the resources, user B with session B is also getting authorized automatically.

    Digging into the code, specifically InMemoryOAuth2ClientTokenServices on the client side, we find that the token keys are specific to the user. Since both user A and user B are anonymous users, they have the same principal name, which is "anonymousUser" because that's the default user Spring Security creates.

    I was thinking that I could implement my own OAuth2ClientTokenServices and have the keys be "anonymousUser" + sessionId.

    I will be getting the sessionId from ((WebAuthenticationDetails) authentication.getDetails()).getSessionId();

    Is this a good solution? Is there a better way to do this?

    Thank you

  • #2

    Your proposed solution seems reasonable. The TokenServices is the right place to handle the user-to-token mapping.

    Good luck!
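As an added example, not code from this thread or from Spring Security OAuth: a client token store built on the proposal above, keying tokens by principal name plus HTTP session id so that two "anonymousUser" sessions never share a token, and dropping the entries when the session is destroyed. The getToken/storeToken/removeToken names, the String resource-id parameter and the HttpSessionListener registration are assumptions; match them to the OAuth2ClientTokenServices signature of the version you run.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.web.authentication.WebAuthenticationDetails;

// Client-side token store keyed by principal name plus HTTP session id, so two
// anonymous users (both named "anonymousUser") never resolve to the same token.
// Assumption: getToken/storeToken/removeToken and the String resource id stand in
// for the OAuth2ClientTokenServices contract of your version; adapt the signatures.
public class SessionScopedClientTokenServices implements HttpSessionListener {
    private static final String SEP = "@session:";
    // (principal + session) -> (resource id -> token)
    private final Map<String, Map<String, OAuth2AccessToken>> tokens = new ConcurrentHashMap<>();

    // Without WebAuthenticationDetails (non-HTTP caller) or without a session,
    // fall back to the bare principal name, i.e. the library's original behaviour.
    static String keyFor(Authentication authentication) {
        Object details = authentication.getDetails();
        if (details instanceof WebAuthenticationDetails) {
            String sessionId = ((WebAuthenticationDetails) details).getSessionId();
            if (sessionId != null) {
                return authentication.getName() + SEP + sessionId;
            }
        }
        return authentication.getName();
    }

    public OAuth2AccessToken getToken(Authentication authentication, String resourceId) {
        Map<String, OAuth2AccessToken> perUser = tokens.get(keyFor(authentication));
        return perUser == null ? null : perUser.get(resourceId);
    }
    public void storeToken(Authentication authentication, String resourceId, OAuth2AccessToken token) {
        tokens.computeIfAbsent(keyFor(authentication), k -> new ConcurrentHashMap<>()).put(resourceId, token);
    }
    public void removeToken(Authentication authentication, String resourceId) {
        Map<String, OAuth2AccessToken> perUser = tokens.get(keyFor(authentication));
        if (perUser != null) perUser.remove(resourceId);
    }

    // Session-keyed entries must die with the session: otherwise the map grows
    // without bound and a token can outlive the browser session that obtained it.
    @Override
    public void sessionDestroyed(HttpSessionEvent event) {
        tokens.keySet().removeIf(key -> key.endsWith(SEP + event.getSession().getId()));
    }
    @Override
    public void sessionCreated(HttpSessionEvent event) { /* nothing to do */ }
}
```

The class has to be registered both as the client's token services bean and as a session listener (web.xml or a ServletContextListener), or the cleanup never runs. Because the key includes the session id, a rotated or expired session simply yields a cache miss and a fresh handshake rather than reuse of another session's token.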