Thread: Spring Security OAuth 1.0.0.M6 released

  1. #1
    Join Date
    Jun 2005
    Posts
    4,241

    Spring Security OAuth 1.0.0.M6 released

    As some users have already noticed, 1.0.0.M6 was released yesterday. There's been quite a lot of progress since M5 and the core spec is pretty stable now. Since many people (myself included) are using milestones in real projects, it seems like a good idea to push out another. Feedback greatly welcome, and thank you to all the people who have contributed comments here, in JIRA or actual code in GitHub.

    In summary the framework has been significantly battle hardened, and we have quite a few interesting new features in this release:

    * support for alternate format responses (XML and JSON)
    * an implicit grant JavaScript client demo (tonr2/browse.html)
    * automatic approval for tokens that are already granted

    The generated release notes for M6 are here: https://jira.springsource.org/secure...&version=11868.

  2. #2
    Join Date
    Mar 2005
    Location
    Los Angeles
    Posts
    20

    I noticed that the TokenEndpoint has changed and /oauth/token requires that the client authenticate in order to call this endpoint.
    Now, I am wondering how the grant_type of password or client_credentials will work with this endpoint.
    For example, the html5expense's controller.js (https://github.com/SpringSource/html5expense/blob/master/client/shared/www/controller.js http://bit.ly/x6mBkL) used to post the client_id, client_secret and user's credentials to the Authentication Server's /oauth/token endpoint; now with this new release (M6) this approach will not work any more! What is the best way to get the access token for grant_type of password or client_credentials?
    Last edited by shahbazi; Feb 27th, 2012 at 07:30 PM. Reason: add more explanation

  3. #3
    Join Date
    Jun 2005
    Posts
    4,241

    The default in M6 is to require header authentication. If you need to use form-based client authentication you can add a ClientCredentialsTokenEndpointFilter to your Authorization Server. This is (or was) mentioned as an option in the spec but is not recommended, which is why it is not enabled by default. Note that the sparklr2 sample has this filter enabled if you want to see how it is done.
    Last edited by Dave Syer; Feb 28th, 2012 at 02:48 AM.
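
The two /oauth/token request shapes discussed in posts #2 and #3, as an added example that is not part of the original thread or of Spring Security OAuth. It only builds the requests so the difference is visible; `buildTokenRequest` is a hypothetical helper and the client id, secret and user credentials are constructed placeholders.

```javascript
// Added example: builds (does not send) a token request for /oauth/token.
// clientAuth = 'header' -> client credentials in an HTTP Basic header (M6 default)
// clientAuth = 'form'   -> client credentials in the POST body (only accepted when
//                          the server has form-based client authentication enabled)
function buildTokenRequest(client, grant, clientAuth) {
  const headers = { 'Content-Type': 'application/x-www-form-urlencoded' };
  const params = { ...grant };

  if (clientAuth === 'header') {
    // HTTP Basic splits user and password on the first ':', so an id
    // containing ':' cannot be carried this way.
    if (client.id.includes(':')) {
      throw new Error('client_id must not contain ":" when using HTTP Basic');
    }
    const pair = Buffer.from(`${client.id}:${client.secret}`, 'utf8');
    headers['Authorization'] = `Basic ${pair.toString('base64')}`;
  } else if (clientAuth === 'form') {
    // The secret now sits in the request body, next to the user's password.
    params.client_id = client.id;
    params.client_secret = client.secret;
  } else {
    throw new Error(`unknown clientAuth mode: ${clientAuth}`);
  }

  // URLSearchParams produces application/x-www-form-urlencoded output.
  return { method: 'POST', headers, body: new URLSearchParams(params).toString() };
}

// Constructed sample values, not taken from any real deployment.
const sampleClient = { id: 'demo-client', secret: 's3cr3t' };
const passwordGrant = { grant_type: 'password', username: 'alice', password: 'p@ss word' };
const clientCredentialsGrant = { grant_type: 'client_credentials' };

// Password grant: the client authenticates in the header, the user in the body.
const headerAuthRequest = buildTokenRequest(sampleClient, passwordGrant, 'header');
// Same grant using form-based client authentication.
const formAuthRequest = buildTokenRequest(sampleClient, passwordGrant, 'form');
// client_credentials grant: with header auth the body carries only grant_type.
const serviceRequest = buildTokenRequest(sampleClient, clientCredentialsGrant, 'header');

console.log(headerAuthRequest, formAuthRequest, serviceRequest);
```
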

  4. #4
    Join Date
    Mar 2005
    Location
    Los Angeles
    Posts
    20

    Thanks Dave,
    This helped to resolve the problem.
    I know the password (client_credentials) is not the recommended solution (even FB doesn't support the password grant type). But we are using the password for mobile authentication and client_credentials for SOA Security (between services) internally.
    One side note: I wish the sparklr2 and tonr2 were using an api, client, authorization model similar to https://gist.github.com/1316904
    Currently the sparklr2 is acting as api (resource server) and the authorization server and some this is confusing! IMHO

  5. #5
    Join Date
    May 2010
    Posts
    9

    Awesome!

    I found this thread via StackOverflow and I just want to say that I'm excited that SS OAuth now supports SS 3.1. I am looking forward to upgrading.

    Great work guys!

  6. #6
    Join Date
    Apr 2012
    Posts
    2

    Are there any reference implementation documents for using the latest Spring Security OAuth 1.0.0.M6?

  7. #7

    A reference implementation is available in their tutorial at https://github.com/SpringSource/spri.../wiki/tutorial which I believe is based off the latest codebase.
