Hi,

I've setup a basic provider using monstly in memory services. This is all based on the configuration I got from tonr for oauth2 - and I am using the M3 version of spring oauth.

I think I got issues mapping the token urls.. also there are a couple of client auth elements I cannot answer right now:

- consumer key -> this is oauth:client clientId, right? so in below config "my-trusted-client-with-secret" for example
- consumer secret -> somesecret in the example below

- Authorization Method: GET or POST? I chose POST - is there a way to see this from the config below what a client should use here? Is there a predefined callback url parameter that needs to be used? Or can this be configured?
- Authorization URL: I thought this would be authorization-url="/oauth/authorize", just as defined in the oauth:provider - but somehow this does not work. When the client redirects the user to the url , I get thsi response:

{
error: "invalid_request"
error_description: "A verification code must be supplied."
}


To my understanding, a verification code must be supplied to the access token request...

-Access Token Type: I can choose Header and Query Parameter here... what is used rigth now, based on below config? How can I see that?
-Access Token URL: I am lost at this point. All I found was a way to configure the authorization URL. Any defaults here?


Below is the config! Thanx for your replies!

Sven


<http auto-config='true' access-denied-page="/login.jsp">
<intercept-url pattern="/rest/**" access="ROLE_USER" />
<intercept-url pattern="/request_token_authorized.jsp"
access="ROLE_USER" />
<intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />

<form-login authentication-failure-url="/login.jsp"
default-target-url="/index.jsp" login-page="/login.jsp"
login-processing-url="/login.do" />
<logout logout-success-url="/index.jsp" logout-url="/logout.do" />
</http>

<authentication-manager>
<authentication-provider>
<user-service>
<user name="xxx" password="xx" authorities="ROLE_USER, ROLE_ADMIN" />
<user name="xx" password="xx" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>

<beans:bean id="tokenServices"
class="org.springframework.security.oauth2.provider.token .InMemoryOAuth2ProviderTokenServices">
<beans:property name="supportRefreshToken" value="true" />
</beans:bean>

<oauth:provider client-details-service-ref="clientDetails"
token-services-ref="tokenServices" authorization-url="/oauth/authorize"><!-- authorization url is default -->
<oauth:verification-code user-approval-page="/oauth/confirm_access" />
</oauth:provider>

<oauth:client-details-service id="clientDetails">
<oauth:client clientId="my-trusted-client"
authorizedGrantTypes="password,authorization_code,refresh_token" />
<oauth:client clientId="my-trusted-client-with-secret"
authorizedGrantTypes="password,authorization_code,refresh_token"
secret="somesecret" />
<oauth:client clientId="my-less-trusted-client"
authorizedGrantTypes="authorization_code" />
<oauth:client clientId="tonr" authorizedGrantTypes="authorization_code" />
</oauth:client-details-service>

- consumer key -> this is oauth:client clientId, right? so in below config "my-trusted-client-with-secret" for example
- consumer secret -> somesecret in the example below

Yes and yes.



- Authorization Method: GET or POST? I chose POST - is there a way to see this from the config below what a client should use here?


It doesn't matter whether you choose GET or POST... the provider will pick up the parameter either way.



Is there a predefined callback url parameter that needs to be used? Or can this be configured?


You can't configure the pre-defined callback url from the namespace configuration, but it is supported if you want to use your own custom ClientDetailsService and return instances of ClientDetails that specify their own pre-defined callback url.



- Authorization URL: I thought this would be authorization-url="/oauth/authorize".


Actually it's the value of user-authorization-url (not authorization-url, which is the URL that the client gets tokens, etc.)



-Access Token Type: I can choose Header and Query Parameter here... what is used rigth now, based on below config? How can I see that?


Again, doesn't matter. The provider looks for both.



-Access Token URL: I am lost at this point. All I found was a way to configure the authorization URL. Any defaults here?


No defaults, you have to supply the URL to the endpoint that supplied the access token. I think you're talking about the value of the authorization-url parameter.

Hi stoicflame,

first thanx for your reply - really appreciate it.

I checked my config and still cannot figure out mainly the auth token and access token URL:

- you mention user-authorization-url: where does this attribute belong? The eclipse ide does not let me use the attribute on oauth:provider, so where does it go? And what exactly is this then? Will I have to create a controller and mapping to make that URL work and provide a login form here?

- so what is the authorize-url? you mention the url for the client to get tokens. But there are auth and access tokens, so would I not need two token urls?

Can you maybe help me to define the first call to the authorization server to ultimately get the authorization code back (via the callback)?

This is taken from the spec and modified to fit my example:

GET /oauth/authorize?response_type=code&client_id=my-trusted-client-with-secret&
redirect_uri=<encoded redirect uri> HTTP/1.1

So I guess the main question right now is where is user-authorization-url defined?

Thanx!
Sven

Let's take your config for example:


<oauth:provider
client-details-service-ref="clientDetails"
token-services-ref="tokenServices"
user-authorization-url="/oauth/user/authorize"
authorization-url="/oauth/authorize">
<!-- authorization url is default -->
<oauth:verification-code user-approval-page="/oauth/confirm_access" />
</oauth:provider>

"user-authorization-url" is the url where the client will ask for an authorization code. (BTW, I think that attribute needs to be renamed.)

"user-approval-page" is the url where the client needs to redirect the user in order to authorize an authorization code.

"authorization-url" is the url where the client will ask for an access token to access the protected resources.

Let's take your config for example:


<oauth:provider
client-details-service-ref="clientDetails"
token-services-ref="tokenServices"
user-authorization-url="/oauth/user/authorize"
authorization-url="/oauth/authorize">
<!-- authorization url is default -->
<oauth:verification-code user-approval-page="/oauth/confirm_access" />
</oauth:provider>

"user-approval-page" is the url where the client needs to redirect the user in order to authorize an authorization code.

"user-authorization-url" is the url where the user's approval of the verification code will be processed and the redirect to the client will happen. This is the URL to which the user approval form (on the user-approval-page) needs to submit.

"authorization-url" is the url where the client will ask for an access token to access the protected resources.

Ok, but the user-authorization-url parameter is not valid with the schema that I use.
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd
http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2.xsd">

Eclipse complains immediately once I try to use user-authorization-url... Is there an updated schema that I should use?

You're right.

I was looking at the code, but it's not in the schema. I've opened up a JIRA issue:

https://jira.springsource.org/browse/SECOAUTH-55