I wonder whether it is possible to use the client side of Spring Security OAuth (2) as a Spring Security AuthenticationProvider. At the moment I'm working on a spring based web app which will serve as a client for a proprietary API that uses OAuth 2 Authentication. This web app is acting as a sort of trusted client that is allowed to do resource owner password authentication. I did a few test cases with Spring Security OAuth and basically the Resource Owner Password Authentication does work as expected. Now I wonder how to set up my web app to do form login against the ProtectedResourceDetails for the API.
I guess I need to write an authentication provider for this to work. This provider would basically use the OAuth2RestTemplate to call the API for user details. If this call would succeed then the provider would generate a simple spring security UsernamePasswordAuthenticationToken and the user would be "logged in". Is this workflow correct and/or doable?
What I'm failing to figure out is how do I set the resource owners credentials on the ProtectedResourceDetails? The Class ResourceOwnerPasswordResourceDetails does sport setters for username and password but is it correct to set them in the authentication provider code? What about threat safety? Is there a way to bind the OAuth2ProtectedResouceDetails bean to a single web request?