Jan 20th, 2011, 01:26 PM
OAuth with Anonymous User
The requirement is that the client application has:
- No username/pass
- Each user who comes to the app will end up with a new session and hence should be able to do the oauth handshake based on their credentials with the provider app.
The above doesn't work because once user A with session A is authorized to use the resources, user B with session B is also getting authorized automatically.
Digging into the code, specifically InMemoryOAuth2ClientTokenServices on the client side, we find that the token keys are specific to the user. Since both user A and user B are anonymous users, they have the same principal name, which is "anonymousUser" because that's the default user Spring Security creates.
I was thinking that I could implement my own OAuth2ClientTokenServices and have the keys be "anonymousUser" + sessionId.
I will be getting the sessionId from ((WebAuthenticationDetails) authentication.getDetails()).getSessionId();
Is this a good solution? Is there a better way to do this?
Jan 20th, 2011, 07:42 PM
Your proposed solution seems reasonable. The TokenServices is the right place to handle the user-to-token mapping.
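A sketch of the session-scoped token store proposed above, added here as an example and not code from the thread or from Spring Security OAuth: the key is the principal name plus the session id taken from WebAuthenticationDetails, and every token bound to a session is evicted when that session is destroyed. The method names getToken/storeToken/removeToken and the resource id parameter are assumptions; the real OAuth2ClientTokenServices interface of the version in use may differ.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.web.authentication.WebAuthenticationDetails;

// Token store keyed by principal name plus HTTP session id, so two anonymous users
// in different sessions never see each other's token. The get/store/remove method
// names are an assumption; adapt them to the OAuth2ClientTokenServices interface in use.
public class SessionScopedTokenStore implements HttpSessionListener {
    // "principal:sessionId" -> (resource id -> access token)
    private final Map<String, Map<String, OAuth2AccessToken>> tokens = new ConcurrentHashMap<>();

    // Composite key; null when the authentication carries no web session id.
    static String keyFor(Authentication authentication) {
        Object details = authentication.getDetails();
        if (!(details instanceof WebAuthenticationDetails)) {
            return null; // no web session: refuse rather than fall back to the shared "anonymousUser" key
        }
        String sessionId = ((WebAuthenticationDetails) details).getSessionId();
        return sessionId == null ? null : authentication.getName() + ":" + sessionId;
    }

    public OAuth2AccessToken getToken(Authentication authentication, String resourceId) {
        String key = keyFor(authentication);
        Map<String, OAuth2AccessToken> perSession = key == null ? null : tokens.get(key);
        return perSession == null ? null : perSession.get(resourceId);
    }

    public void storeToken(Authentication authentication, String resourceId, OAuth2AccessToken token) {
        String key = keyFor(authentication);
        if (key == null) {
            throw new IllegalStateException("no HTTP session to bind the access token to");
        }
        tokens.computeIfAbsent(key, k -> new ConcurrentHashMap<>()).put(resourceId, token);
    }

    public void removeToken(Authentication authentication, String resourceId) {
        String key = keyFor(authentication);
        Map<String, OAuth2AccessToken> perSession = key == null ? null : tokens.get(key);
        if (perSession != null) perSession.remove(resourceId);
    }

    // Evict every token bound to a session when the container destroys it, so tokens
    // never outlive the session they were obtained for (register as a listener in web.xml).
    @Override public void sessionCreated(HttpSessionEvent se) { }

    @Override public void sessionDestroyed(HttpSessionEvent se) {
        String suffix = ":" + se.getSession().getId();
        tokens.keySet().removeIf(k -> k.endsWith(suffix));
    }
}
```

Note that WebAuthenticationDetails records the session id at the time the Authentication is built, so the session must already exist before the handshake starts or getSessionId() returns null and the store refuses to bind the token.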