Userless access

[igorsf]

Looking for some guidance. I am building Rest API where some of our endpoints don’t pertain to specific user information. Auth token is not required for these endpoints but I would still like for a consumer key's Client ID to be passed to the endpoint. Is there a grant type in OAuth that I should be using? or is this something to be done outside of OAuth manually in the controller.

[Dave Syer]

OAuth2 has a client_credentials grant type, but if you don't mind sending the client id with every request I would suggest that HTTP Basic is more straightforward. The advantage of using OAuth2 would be the token management (expiry, revocation), but if you don't need that, there's not much point.

[igorsf]

I'd like to try client_credentials but don't know how to specify one. In my applicationContext-security.xml the only supported grand types are "Grant types that are authorized for the client to use (comma-separated). Currently defined grant types include "authorization_code", "password", "assertion", and "refresh_token". Default value is "authorization_code,refresh_token".

I am using spring-oauth-version: 1.0.0.M3

[Dave Syer]

M5 was released quite a while ago, and there have been many changes (also to the spec, so the names are different). I would upgrade. Note that the OAuth2 support is in a separate jar file since M4.