Using the new OAuth2RestTemplate

[rherrick]

I'm basing my take on this on your comments here, Dave. If I understand you correctly, I should be able to just make that series of calls and be able to access OAuth2-protected resources directly through the OAuth2RestTemplate. Is that correct?

What I'm trying to do at the moment is create a command-line tool that accesses the sparklr2 auth/resource provider to download the pictures for a particular user. This comes very close to the functionality I need to be able to implement in my own project, where we need to be able to provide access to the server for a variety of spawned processes without passing usernames and passwords all over the place.

So I have this:

Code:

OAuth2ProtectedResourceDetails resource = new ClientCredentialsResourceDetails();
DefaultAccessTokenRequest accessTokenRequest = new DefaultAccessTokenRequest();
OAuth2ClientContext context = new DefaultOAuth2ClientContext(accessTokenRequest);
OAuth2RestTemplate template = new OAuth2RestTemplate(resource, context);
ResponseEntity<String> value = template.getForEntity("http://localhost:8080/sparklr2/photos?format=xml", String.class);
System.out.println(value.toString());

The problem is that I don't see where I'd set the credentials, i.e. the user name and password. And I'm also thinking... that looks too simple I mean, I'd love it if this is all I need to do, but am I missing anything?

[rherrick]

To elaborate a little bit, here's what I'm trying to accomplish.

Currently we spawn pipeline processes for back-end processing of the data contained in our server (we manage enormous quantities of medical imaging data for research projects, so there's a lot of post-processing and analysis of the data). Right now we're calling a bash shell script that launches a Java app that drives a pipeline engine. In order for this to call back to the server, we pass the user's name and password as script parameters. For obvious reasons, we want to do away with that requirement.

What I'd like to do instead is create an OAuth token on the server side and pass that to the shell script instead of the username an password. The script would just pass that onto the Java app, which would use the token data to create an AccessTokenRequest that would let it call back to the server. After that, all calls to the server would just use the OAuth2RestTemplate and magic happens.

Does this sound reasonable and/or do-able? For passing the token data on the script invokation, I'm guessing I need the code and state from the token, but maybe that's incorrect.

Any help I can get on getting this working would be greatly appreciated. I'd be happy to both document the process and contribute my sample application accessing sparklr2 back to the oauth codebase as well.

[Dave Syer]

I think you just need to create an OAuth2RestTemplate with an OAuth2ClientContext containing the access token. I suppose we could add a convenience constructor so you don't have to create the OAuth2ClientContext?

[rherrick]

I think you just need to create an OAuth2RestTemplate with an OAuth2ClientContext containing the access token. I suppose we could add a convenience constructor so you don't have to create the OAuth2ClientContext?

I've been trying to chip away at this on my own, but haven't really made a lot (well, any ) progress. Here are the things I've done in the meantime.

First I tried using the code in my initial post. I tried setting parameters for the username and password on the token request, but couldn't get that going. My best guess was that the ClientCredentialsResourceDetails class would let you hit the resource by validating using client credentials, i.e. username and password, but I'm not really sure. Anyway, I never got anywhere with this. Is there a way to set username and password on the token request and have the code in my initial example work?

Or (even better, long term) is there a way to generate the state and code for an access token request on the provider side and pass that to the client, then have the client pass that back to the provider to generate an access token? I'd like to use that so that the server can call the client, just passing the limited use state and code to the client, allowing the client to validate for the duration of that processing job...

So anyway, I couldn't get that to work and decided to go to a more Spring-y configuration model. The problem here is that the oauth namespace seems to be hard-wired to the servlet context. At least, I think that's what's happening. There are really only a couple of OAuth things in the servlet context for the tonr2 application (I'm ignoring non-Sparklr things, e.g. the Facebook integration and the trusted client REST template):

[ul][li]The sparklrRestTemplate, which is wired to the sparklr resource.[/li]
[li]The sparklr OAuth resource.[/li]
[li]The oauth2ClientFilter client.[/li][/ul]

It's that last one that seems to be causing the trouble for me in this context. The oauth2ClientFilter is mapped into the authentication filter chain up in the <http> configuration. I'm rolling a command-line app here, so I left off the <http> configuration. When I do that, I get Caused by: java.lang.NoClassDefFoundError: javax/servlet/Filter. No surprise, I'm not in a servlet container. So I leave out the oauth2ClientFilter configuration and get this:

Code:

Exception in thread "main" java.lang.IllegalStateException: No Scope registered for scope 'session'

I'm guessing that's relating to the servlet session, but I'm not sure.

So I guess I'm wondering, am I going in the right direction with either of these efforts? The documentation seems pretty clear that the namespace stuff is pretty tightly tied into the servlet model, so I think I may be wasting my time trying to get that working. But there really isn't any class-level documentation at this point, so it's hard to follow the full execution chain required to get everything strapped on programmatically.

Just for fun, I've attached my (very simple) code that I'm trying to use just to get the list of photos hosted in sparklr2. My goal there is to get an OAuth2RestTemplate initialized based on username and password and/or state and code to allow that thing to pull the request from the provider.

[Dave Syer]

You can't use <oauth:rest-template/> in a non-web application. I'm not sure what you mean by username and password. You have a client_credentials resource, so it is not authenticating as a user at all. I'm not sure the namespace is set up to create ResourceOwnerPasswordResourceDetails (that's what you said before) because it doesn't make a lot of sense to use it as a singleton. You can create your own though, if you really want to use password grant type.

If you create your own OAuth2RestTemplate from a ResourceOwnerPasswordResourceDetails initialized with the right client details and an empty OAuth2ClientContext it should work. I don't see a lot of mileage for password grants in an app created this way, but you might find it useful. The new test framework relies on it (see e.g. TestResourceOwnerPasswordProvider.testTokenObtaine dWithHeaderAuthentication from spaklr2).