Jan 15th, 2012, 02:55 AM
Looking for some guidance. I am building a REST API where some of our endpoints don't pertain to specific user information. An auth token is not required for these endpoints, but I would still like a consumer key's Client ID to be passed to the endpoint. Is there a grant type in OAuth that I should be using? Or is this something to be done outside of OAuth, manually in the controller?
Jan 15th, 2012, 05:21 AM
OAuth2 has a client_credentials grant type, but if you don't mind sending the client id with every request I would suggest that HTTP Basic is more straightforward. The advantage of using OAuth2 would be the token management (expiry, revocation), but if you don't need that, there's not much point.
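The HTTP Basic option suggested in the reply above, sketched as an added example that is not part of the original thread and is not Spring Security OAuth code. The class name `ClientBasicAuth`, the in-memory registry and the sample client id and secret are all constructed for illustration.

```java
import static java.nio.charset.StandardCharsets.UTF_8;

import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;

public class ClientBasicAuth {
    // Constructed sample registry (hypothetical values): client id -> client secret.
    private static final Map<String, String> CLIENTS = Map.of("sample-client", "sample-secret");

    /** Returns the authenticated client id, or empty if the header is missing, malformed or wrong. */
    static Optional<String> authenticate(String authorizationHeader) {
        if (authorizationHeader == null
                || !authorizationHeader.regionMatches(true, 0, "Basic ", 0, 6)) {
            return Optional.empty();
        }
        String decoded;
        try {
            byte[] raw = Base64.getDecoder().decode(authorizationHeader.substring(6).trim());
            decoded = new String(raw, UTF_8);
        } catch (IllegalArgumentException e) {
            return Optional.empty(); // payload is not valid Base64
        }
        int colon = decoded.indexOf(':'); // split on the first ':'; the secret may contain more
        if (colon < 1) {
            return Optional.empty(); // no separator, or empty client id
        }
        String clientId = decoded.substring(0, colon);
        byte[] presented = decoded.substring(colon + 1).getBytes(UTF_8);
        String expected = CLIENTS.get(clientId);
        // Compare even for unknown clients so both paths do a comparison.
        byte[] want = (expected == null ? "" : expected).getBytes(UTF_8);
        boolean ok = MessageDigest.isEqual(want, presented) && expected != null;
        return ok ? Optional.of(clientId) : Optional.empty();
    }

    public static void main(String[] args) {
        Base64.Encoder enc = Base64.getEncoder();
        String good = "Basic " + enc.encodeToString("sample-client:sample-secret".getBytes(UTF_8));
        String bad = "Basic " + enc.encodeToString("sample-client:wrong".getBytes(UTF_8));
        System.out.println(authenticate(good).isPresent()); // known client, right secret
        System.out.println(authenticate(bad).isPresent());  // known client, wrong secret
        System.out.println(authenticate("Bearer abc").isPresent()); // wrong scheme
    }
}
```

Because the client secret travels with every request in this scheme, it only makes sense over TLS.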
Jan 15th, 2012, 12:26 PM
I'd like to try client_credentials but don't know how to specify one. In my applicationContext-security.xml the only supported grant types are: "Grant types that are authorized for the client to use (comma-separated). Currently defined grant types include "authorization_code", "password", "assertion", and "refresh_token". Default value is "authorization_code,refresh_token"."
I am using spring-oauth-version: 1.0.0.M3
Jan 16th, 2012, 02:33 AM
M5 was released quite a while ago, and there have been many changes (also to the spec, so the names are different). I would upgrade. Note that the OAuth2 support is in a separate jar file since M4.