java - How to generate token without client_secret in Spring Security OAuth2 -


this question has answer here:

i have spring security oauth 2.0 based application, configured jdbc , ldap. per oauth 2.0 specification, client secret must.

when generate token using following url generates token , works fine:

/oauth/token?grant_type=password&client_secret=test&client_id=test&username=test&password=test

and when try generate token without client_secret gives:

401: unauthorized

error_description: "bad user credentials"

but want generate token without client_secret like:

/oauth/token?grant_type=password&username=test&password=test

securityconfig.java: 

 @configuration  @enablewebsecurity  @enableglobalmethodsecurity( prepostenabled = true )  public class applicationsecurityconfig extends websecurityconfigureradapter                               {      private static final int embedded_ldap_server_port = 33388;      @autowired     private userauthenticationprovider userauthenticationprovider;          @autowired     private ldapauthenticationprovider ldapauthenticationprovider;      @autowired     private authtokenstore oauthtokenstore;           @autowired     private authdelegatingauthenticationentrypoint  delegatingauthenticationentrypoint;      @override     @qualifier("authenticationmanagerbean")     @bean     protected authenticationmanager authenticationmanager() throws exception {         return new providermanager(arrays.aslist((authenticationprovider) ldapauthenticationprovider,userauthenticationprovider));     }     @override     protected void configure(httpsecurity http) throws exception {                http              .csrf().disable()              .sessionmanagement()                   .sessioncreationpolicy(sessioncreationpolicy.stateless)                   .and()              .authorizerequests()                   .anyrequest().authenticated()                   .and()              .exceptionhandling().authenticationentrypoint(delegatingauthenticationentrypoint);     }      @bean     public resourceservertokenservices tokenservice() {          defaulttokenservices tokenservices = new defaulttokenservices();         tokenservices.settokenstore(oauthtokenstore);         tokenservices.setreuserefreshtoken(true);         return tokenservices;     }

unfortunately there no easy way around problem. spring security interprets standard strict:

this quote oauth2 spec, rfc 6749, section 4.3.2 (resource owner password credentials grant - access token request):

if client type confidential or client issued client
credentials (or assigned other authentication requirements), the
client must authenticate authorization server described
in section 3.2.1.

for spring security password grant falls category. section 3.2.1 requires client id , client password.

also spring security documentation goes way: 28.1.1 authorization server

unless want change authentication logic of spring security's oauth2 (not recommended) stuck.

from point of view there no problem. client id , password costs nothing , bring little bit more security application.


-

Comments

Post a Comment

Popular posts from this blog

amazon web services - S3 Pre-signed POST validate file type? -

i know it's possible put limit on file size content-length-range header. possible validate file type? https://docs.aws.amazon.com/amazons3/latest/dev/httppostforms.html#policyconditions i see there content-type header, if set say, audio/mp3 allow mp3 files , return error if file not mp3? i found previous question answers mention validating file size: s3 direct upload restricting file size , type you can specify content-type @ post request. you can specify @ signature, post must done content-type: { "expiration": "2007-12-01t12:00:00.000z", "conditions": [ {"acl": "public-read" }, {"bucket": "johnsmith" }, {"content-type: "audio/mp3"} ] } creating html form (using aws signature version 4) edit: @ previous question found, checking content-type.
Read more

c# - Check Keyboard Input Winforms -

i wondering if instead of doing this protected override void onkeydown(keyeventargs e) { if (e.keycode == keys.a) console.writeline("the key down."); } i set bool method , this: if(keydown(keys.a)) // whatever here i've been sitting here ages trying figure out how it. can't wrap head around it. in case wondering, plan call bool inside different method, check input. since want perform action after pressing key, using keydown event enough. but in cases suppose want check if specific key down in middle of process, can use getkeystate method way: [dllimport("user32.dll", charset = charset.auto, exactspelling = true)] public static extern short getkeystate(int keycode); public const int key_pressed = 0x8000; public static bool iskeydown(keys key) { return convert.toboolean(getkeystate((int)key) & key_pressed); } you should know, each time check key state using example iskeydown(keys.a) method returns true if ke...
Read more