User agent flow in Spring Security Oauth2 1.0.0.M3

[bouiaw]

Hi,

Does the Spring Security Oauth2 1.0.0.M3 is ready out of the box for user agent flow (my use case is a Javascript based RIA web application requesting REST webservices) described in "4.2 Implicit Grant" paragraph of Oauth2 specification ?

If it is, could you give me some hints about how configure it for this use case ?
If not, could you give me some hints about what are the missing parts to be compatible with this use case.

The context is that we implemented our own Oauth2 protocol in Java (https://bitbucket.org/ilabs/resthub/...esthub-oauth2/) at a time when Spring Security Oauth2 did not exist.

We would like to see if we can switch to Spring Security implementation and eventually contribute some improvements.

Thanks in advance for your feedback.

[stoicflame]

Hi.

User Agent flow is not supported yet, but we'd love some help if you'd like to contribute.

We just had a contributor add support for the client credentials flow. He submitted a JIRA issue:

https://jira.springsource.org/browse/SECOAUTH-40

with a patch, which resulted in the following commits:

http://git.springsource.org/spring-s...64fc788c4593d1
http://git.springsource.org/spring-s...2d124a113592f8

So take a look at those and that should give you a good idea of how to submit a new flow.

If you'd rather just submit a merge request, that would work well, too.

[Marcin22]

Thank you, that was helpful. No I know how to submit a new flow.
--------------------
konkursy z nagrodami

[bouiaw]

Hi,

I have begin to use Spring Security OAuth2 with a password grant type before working on user agent one.

I am not very far to make it works, my last issue is that, since I request oauth authorize end point with Ajax request, i would like to avoid using <form-login> element in <http> because it return a login form html code, not really what I want. For example, when login failed I would like OAuth to return directly a 403 HTTP error code.

When I don't define form-login, I have the follwing error : Configuration problem: No AuthenticationEntryPoint could be established. Please make sure you have a login mechanism configured through the namespace (such as form-login) or specify a custom AuthenticationEntryPoint with the 'entry-point-ref' attribute.

I have found a class which implements AuthenticationEntryPoint in Oauth1, but not in OAuth2 package.

Could you help me to find what I should set as entry-point-ref attribute for my Oauth2 configuration ?

Is access-denied-handler the right way to configure Spring Securty to return a 403 error code when login failed, or should I define some custom elements in oauth2rovider ?

My configuration is the following :

Code:

<security:http>
		<security:intercept-url pattern="/api/**" access="ROLE_AUTH" />
		<security:intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
		<security:access-denied-handler ref="oauth2AccessDeniedHandler" />
	</security:http> 
	
	<bean id="oauth2AccessDeniedHandler" class="org.springframework.security.web.access.AccessDeniedHandlerImpl"/>	
	<bean id="tokenServices" class="org.springframework.security.oauth2.provider.token.InMemoryOAuth2ProviderTokenServices" />

	<oauth2:provider client-details-service-ref="clientDetails" token-services-ref="tokenServices" >
		<oauth2:verification-code disabled="true"/>
	</oauth2:provider>
		
	<oauth2:client-details-service id="clientDetails" >
		<oauth2:client clientId="booking" authorizedGrantTypes="password" />
	</oauth2:client-details-service>
	
	<security:authentication-manager alias="authenticationManager">
		<security:authentication-provider user-service-ref="bookingUserDetailsService" />
	</security:authentication-manager>

Thanks in advance for your help.

[bouiaw]

I succeeded by creating a OAuth2ProcessingFilterEntryPoint (copy of OAuth2ProcessingFilterEntryPoint with OAuth2 header instead OAuth) and configuring it in http element.

[stoicflame]

I think the intent was that developers could just supply their own instance of AuthenticationEntryPoint and wire it up accordingly.

I'm open to creating a different one and adding it to the project, though. Do you think an alternate implementation is of general usefulness or should we just suggest that developers write their own according to their needs?