Results 1 to 4 of 4

Thread: autoApproveClients doesn't seam to work

  1. May 25th, 2012, 03:10 AM #1
    adrian.hoehn
    adrian.hoehn is offline Junior Member
    Join Date
    Mar 2011
    Posts
    28

    Default autoApproveClients doesn't seam to work

    I'm trying to auto approve my clients after a successful login. But I always get redirected to localhost:8080/myapp/oauth/confirm_access instead to the configured and committed redirect url.

    The request is:
    http://localhost:8080/myapp/oauth/au...%2Fapp onizer (It comes from my spring social provider integration on client side, redirect url is configured on oauth server for this client)

    Code:
    <bean id="userApprovalHandler" class="ch.myapp.be.security.MyAppUserApprovalHandler">
		<property name="autoApproveClients">
			<set>
				<value>my-trusted-client-with-secret</value>
			</set>
		</property>
		<property name="tokenServices" ref="tokenServices" />
	</bean>
    The implementation of MyAppUserApprovalHandler is a copy from SparklrUserApprovalHandler.

    In fact the following code in MyAppUserApprovalHandler resolves to false:
    Code:
    authorizationRequest.getResponseTypes().contains("token")
    How can I get this "token"? Is this a Client or Server configuration thing? Because I don't understand the bigger meaning: Is this a security hole if I add autoapprove? My understanding was I that the user don't have to approve again for certain resources to access them but still has to authorize himselfe.

    Problem occurs under: spring-security-oauth2-1.0.0.M6c
    Last edited by adrian.hoehn; May 25th, 2012 at 03:48 AM.
    Reply With Quote Reply With Quote
  2. May 25th, 2012, 04:45 AM #2
    adrian.hoehn
    adrian.hoehn is offline Junior Member
    Join Date
    Mar 2011
    Posts
    28

    Default

    According to http://forum.springsource.org/showth...ghlight=social I've changed my spring-social implementation to OAuth2Version.BEARER; but with no effect.

    The authorizationRequest.getResponseTypes() is still "code". Should the MyAppUserApprovalHandler chaged to this?
    Does there an example of spring-security-oauth & spring-social exist somewhere?
    Reply With Quote Reply With Quote
  3. May 25th, 2012, 06:13 AM #3
    Dave Syer
    Dave Syer is offline Senior Member
    Join Date
    Jun 2005
    Posts
    4,232

    Default

    The response_type parameter is part of the OAuth2 protocol, and if your client is a webapp then "code" is the right value. You should just be able to write your own UserApprovalHandler that ignores it. Why don't you do that?

    Craig Walls has some sample apps that use Social and Spring Security OAuth2 - maybe you can ask him directly or on the Social forum. It seems like your use case wouldn't be a typical one though (auto-approval is not very common, that's why it's a special strategy in sparklr2).
    Reply With Quote Reply With Quote
  4. May 25th, 2012, 06:33 AM #4
    adrian.hoehn
    adrian.hoehn is offline Junior Member
    Join Date
    Mar 2011
    Posts
    28

    Default

    Thanks Dave

    I just wasn't shure if I can ignore it. Thanks for the hint with "Craig Walls", I'll aks him.
    Reply With Quote Reply With Quote
« Previous Thread | Next Thread »

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules