Sep 17th, 2011, 06:48 AM
Spring OAuth 2.0 uses session
I'm using spring-OAuth 1.0.0.M3. I found that after the first client request with a token, Spring creates a session for that client, and that way the client can send requests without any token thereafter. I think it can result in some problems.
In addition, I would prefer that the resource owner could not call services that are provided only for OAuth. How can I prevent it?
Sep 17th, 2011, 09:27 AM
I don't think the client implementation in SECOAUTH sets cookie headers, so there is no way for it to access the session. I can see that maybe the framework should clean up such sessions if they are created, but I'm not sure that they are. If you think there is a problem with the framework, then a test case would be really useful.
A session is needed for the resource owner's browser access for the authorization flow, but the client doesn't need a session because it only accesses stateless endpoints (at least in the OAuth flow).
I didn't understand your second question. What is it that you need? How would a resource owner call a service?
Sep 18th, 2011, 01:39 AM
Thanks, Dave, for your attention.
Let me describe the problem with a sample:
I use a browser for testing my OAuth server instead of the Spring OAuth client.
I get a token (for example "xxx"), then I call the service /myservice?oauth_token=xxx
The server returns the result. After the first request I can call: /myservice
and it uses the previous token! But this doesn't happen on other OAuth servers like Google.
Another problem is that when the resource owner logs in to my server, he/she can call: /myservice
but I want only clients to use my OAuth service.
Sep 19th, 2011, 08:21 AM
I see. If you use a browser to access your service then indeed a session will be created by default. Normal API clients would not store the cookie though, so it doesn't seem all that relevant. If you care about it raise a JIRA ticket because that endpoint is due for a big refactor soon, and we could potentially enforce the statelessness by default. I think Spring Security does allow you to switch off session persistence of the current authentication - you could check the core Spring Security manual, or post in the main forum.
As far as protecting the access from non-API clients, Spring Security allows you to secure individual URLs, e.g. <intercept-url pattern="/myservice" access="SCOPE_READ_ONLY"/> would protect your service from clients that don't present an access token with scope="read_only".
N.B. the "oauth_token" request parameter is obsolete (now it is "access_token"). You should upgrade to 1.0.0.M4 at least as soon as possible.
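The two fixes suggested in the reply above (switch off session persistence for the resource endpoints, and gate them on an OAuth scope) put together as one Spring Security XML configuration. This is an added example, not the poster's configuration and not code shipped by the SECOAUTH project; it is written against the Spring Security 3.1 `create-session="stateless"` attribute and the spring-security-oauth2 1.0.x `oauth:resource-server` namespace element, ScopeVoter and error-handler classes as they appear in later milestones and releases, so the exact element and class names must be checked against the M3/M4 version actually in use. The bean ids `tokenServices`, `oauthAuthenticationEntryPoint` and `oauthAccessDeniedHandler`, the resource id `myservice` and the scope `read_only` are assumed names taken from or modelled on the thread.

```xml
<!-- Added example: resource-server security chain for /myservice.
     Assumes Spring Security 3.1 and the spring-security-oauth2 1.0.x XML namespace;
     bean ids and the "read_only" scope are illustrative, not from the original post. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:sec="http://www.springframework.org/schema/security"
       xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd
                           http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2.xsd">

  <!-- Filter that reads the bearer token (access_token parameter or Authorization header)
       on every request and builds the OAuth2Authentication from it. "tokenServices" is an
       assumed bean id for the token store shared with the authorization server. -->
  <oauth:resource-server id="resourceServerFilter" resource-id="myservice"
                         token-services-ref="tokenServices" />

  <!-- BEFORE (the behaviour reported in the thread): default session handling. A browser's
       first request with ?access_token=xxx gets a JSESSIONID cookie, the authentication is
       saved in that HttpSession, and the next call to /myservice succeeds with no token. -->
  <!--
  <sec:http pattern="/myservice/**" entry-point-ref="oauthAuthenticationEntryPoint">
    <sec:intercept-url pattern="/myservice/**" access="ROLE_USER" />
    <sec:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
  </sec:http>
  -->

  <!-- AFTER: a stateless chain. create-session="stateless" makes Spring Security neither
       create nor read an HttpSession on this chain, so the token must be sent on every call
       and a resource owner's form-login session is simply not consulted here. Anonymous
       access is disabled so a request without a token is rejected by the entry point instead
       of running as an anonymous principal. -->
  <sec:http pattern="/myservice/**" create-session="stateless"
            entry-point-ref="oauthAuthenticationEntryPoint"
            access-decision-manager-ref="accessDecisionManager">
    <sec:anonymous enabled="false" />
    <!-- SCOPE_READ_ONLY: only an access token issued with scope "read_only" may call this. -->
    <sec:intercept-url pattern="/myservice/**" access="SCOPE_READ_ONLY" />
    <sec:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
    <sec:access-denied-handler ref="oauthAccessDeniedHandler" />
  </sec:http>

  <!-- ScopeVoter grants SCOPE_xxx attributes only for an OAuth2Authentication whose token
       carries scope xxx; for any other Authentication it abstains. With UnanimousBased and
       no voter granting, the request is denied, so a plain logged-in resource owner
       (no OAuth2 token, hence no scopes) cannot reach /myservice even on a chain that does
       read the session. -->
  <bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased">
    <constructor-arg>
      <list>
        <bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter" />
        <bean class="org.springframework.security.access.vote.RoleVoter" />
        <bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
      </list>
    </constructor-arg>
  </bean>

  <!-- Error handling that answers with the OAuth2 bearer-token challenge (401 with a
       WWW-Authenticate header) rather than redirecting the caller to a login page. -->
  <bean id="oauthAuthenticationEntryPoint"
        class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
    <property name="realmName" value="myservice" />
  </bean>
  <bean id="oauthAccessDeniedHandler"
        class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" />
</beans>
```

A quick check that the chain really is stateless, using the renamed parameter from the reply above: request /myservice?access_token=xxx with a client that shows response headers (for example curl -i) and confirm there is no Set-Cookie: JSESSIONID in the response; then repeat the request with no token and no cookie jar and expect a 401 carrying a WWW-Authenticate header. If the second request still returns data, the OAuth resource endpoints are not on a stateless chain, or another filter chain with default session handling is matching the same URL pattern first.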