
Thread: OAuth2 with password grant type

  1. #1 OAuth2 with password grant type

    We've got OAuth2 with the Spring Security OAuth2 module running with authorization_code and refresh_token. We'd now like to extend this to the password grant type. We've pretty much got the sample sparklr setup:

    <oauth:client client-id="mobile_android" resource-ids="sparklr" authorized-grant-types="authorization_code,refresh_token,password"
    authorities="ROLE_CLIENT" secret="secret" redirect-uri="http://localhost:8080/oauth2_callback"/>


    the token endpoint is defined like this:

    <http pattern="/oauth/token" create-session="stateless" authentication-manager-ref="clientAuthenticationManager"
    entry-point-ref="oauthAuthenticationEntryPoint" xmlns="http://www.springframework.org/schema/security">
    <intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY" />
    <anonymous enabled="false" />
    <http-basic entry-point-ref="oauthAuthenticationEntryPoint" />
    <!-- include this only if you need to authenticate clients via request parameters -->
    <custom-filter ref="clientCredentialsTokenEndpointFilter" before="BASIC_AUTH_FILTER" />
    <access-denied-handler ref="oauthAccessDeniedHandler" />
    </http>

    Our request, which we make with the user's username and password as parameters (as well as client_id and client_secret), is this (Groovy Google App Engine code, but I guess it should be clear):


    URL tokenURL = "http://localhost:9001/rest/oauth/token".toURL()

    HTTPResponse res = tokenURL.post(deadline: 30, payload: "client_id=${client_id}&client_secret=${client_secret}&grant_type=password&username=demo&password=1234".getBytes())

    Unfortunately the response is:
    {"error":"invalid_grant","error_description":"Bad credentials"}

    I've tried combining this with Basic Authentication; in this case I passed client_id:client_secret in the Authorization Basic header, but that also did not work.

    Does anyone spot the problem? It might also simply be an issue in the client request, but according to the Oauth2 docs that we have, this should work.

    Thx!
    Sven
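    Added example, not code from this thread or from Spring Security OAuth: a small Python client that builds the same grant_type=password token request the post describes, once with the client credentials in an HTTP Basic header (what the `<http-basic>` element in the posted server config accepts) and once with client_id/client_secret as form parameters (what the `clientCredentialsTokenEndpointFilter` is for), and parses the endpoint's JSON reply so that an invalid_grant document like the one quoted above is raised as an error instead of being mistaken for a token. The URL, client id/secret and demo user are taken from the post; the successful reply is constructed for illustration, and nothing is sent over the network.

```python
"""Password-grant token request, built and parsed offline.

Added example for this thread; it is not code from the original post or from
Spring Security OAuth.  The endpoint URL, client id/secret and demo user come
from the post; the success reply below is constructed.  Nothing is sent over
the network: the request object is built so its header and body can be
inspected, and the reply is parsed from a string.
"""
import base64
import json
import urllib.parse
import urllib.request

# Values from the original post (client registered in the <oauth:client> element).
TOKEN_URL = "http://localhost:9001/rest/oauth/token"
CLIENT_ID = "mobile_android"
CLIENT_SECRET = "secret"

# Constructed sample replies: the first is the error quoted in the post,
# the second is an assumed successful reply.
SAMPLE_ERROR_REPLY = '{"error":"invalid_grant","error_description":"Bad credentials"}'
SAMPLE_OK_REPLY = ('{"access_token":"a1b2c3","token_type":"bearer",'
                   '"expires_in":43199,"refresh_token":"r4r5r6"}')


class TokenError(Exception):
    """The token endpoint answered with an OAuth2 error document."""

    def __init__(self, error, description=""):
        super().__init__(f"{error}: {description}" if description else error)
        self.error = error
        self.description = description


def build_password_grant_request(username, password, client_id=CLIENT_ID,
                                 client_secret=CLIENT_SECRET, client_auth="basic",
                                 url=TOKEN_URL):
    """Return a urllib Request for grant_type=password.

    client_auth="basic": client_id:client_secret goes in an
        "Authorization: Basic ..." header, which the <http-basic> element in
        the server config accepts; only the grant parameters are in the body.
    client_auth="body": client_id and client_secret are sent as form
        parameters, which needs the clientCredentialsTokenEndpointFilter
        from the server config.
    """
    form = {"grant_type": "password", "username": username, "password": password}
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    if client_auth == "basic":
        creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        headers["Authorization"] = "Basic " + creds
    elif client_auth == "body":
        form["client_id"] = client_id
        form["client_secret"] = client_secret
    else:
        raise ValueError("client_auth must be 'basic' or 'body'")
    body = urllib.parse.urlencode(form).encode()
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


def decode_basic_client(request):
    """Recover (client_id, client_secret) from the request's Basic header.

    This is the split the server's HTTP Basic filter performs; returns None
    when the request carries no Basic header.
    """
    header = request.get_header("Authorization")
    if not header or not header.startswith("Basic "):
        return None
    raw = base64.b64decode(header[len("Basic "):]).decode()
    client_id, _, client_secret = raw.partition(":")
    return client_id, client_secret


def parse_token_response(raw):
    """Parse a token-endpoint JSON body; raise TokenError for an error document.

    A failed grant comes back as a JSON document with an "error" member, so a
    caller that only looks up access_token with a default would silently
    carry on without a token.
    """
    doc = json.loads(raw)
    if "error" in doc:
        raise TokenError(doc["error"], doc.get("error_description", ""))
    if "access_token" not in doc or "token_type" not in doc:
        raise TokenError("invalid_response", "reply has no access_token/token_type")
    return doc


if __name__ == "__main__":
    req = build_password_grant_request("demo", "1234")
    print(req.get_method(), req.full_url)
    print("Authorization:", req.get_header("Authorization"))
    print("body:", req.data.decode())
    print("client from header:", decode_basic_client(req))
    for reply in (SAMPLE_ERROR_REPLY, SAMPLE_OK_REPLY):
        try:
            print("token:", parse_token_response(reply)["access_token"])
        except TokenError as err:
            print("token request failed:", err)
```

    The posted server config has both `<http-basic>` and the `clientCredentialsTokenEndpointFilter`, so either form of client authentication should be accepted; the Basic header is the one to prefer, because it keeps the client secret out of a form body that already carries the resource owner's password and that tends to end up in request logs.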

  2. #2

    I can't immediately see the problem, but then I can't verify your credentials. The server should be logging its decision, so there ought to be more information there (you might have to increase the log level to DEBUG). Also, note that the older releases were often rather terse or imprecise about error reports, and it has improved a lot recently, so you might want to try a recent snapshot.

  3. #3

    Thx Dave,

    I've turned on logging now; it seems to be an issue in the ResourceOwnerPasswordTokenGranter. Could it be that this one is not using our own userDetailsService?

    We have this setup, which seems to pick the right UserDetailsService for the server-side flow:

    <authentication-manager alias="authenticationManager" xmlns="http://www.springframework.org/schema/security">
    <security:authentication-provider ref="coreAuthenticationProvider"/>
    <!-- <authentication-provider >
    <user-service>
    <user name="marissa" password="koala" authorities="ROLE_USER" />
    <user name="paul" password="emu" authorities="ROLE_USER" />
    </user-service>
    </authentication-provider>-->
    </authentication-manager>

    <bean id="coreAuthenticationProvider" class="de.hybris.platform.spring.security.CoreAuthenticationProvider">
    <property name="userDetailsService" ref="coreUserDetailsService" />
    </bean>

    <bean id="coreUserDetailsService" class="de.hybris.platform.spring.security.CoreUserDetailsService" />

    Any other guesses?

  4. #4

    ResourceOwnerPasswordTokenGranter cannot read username

    I started debugging this and the problem seems to arise in the ResourceOwnerPasswordTokenGranter.

    The source code here is this:
    Line 50
    @Override
    protected OAuth2Authentication getOAuth2Authentication(AuthorizationRequest clientToken) {

    Map<String, String> parameters = clientToken.getParameters();
    String username = parameters.get("username");
    String password = parameters.get("password");

    Authentication userAuth = new UsernamePasswordAuthenticationToken(username, password);
    try {
    userAuth = authenticationManager.authenticate(userAuth);
    }

    Username and Password cannot be read, I see that the variables are null. What could be the reason for that?

  5. #5

    OK, I am in the AbstractTokenGranter.

    Line 53
    AuthorizationRequest clientToken = authorizationRequestFactory.createAuthorizationRequest(parameters, clientId, grantType, scopes);

    The parameters that go into the createAuthorizationRequest method have username and password in them, but the clientToken that comes out only has scope, redirect_uri, state and client_id, no username and password.

    I guess that is the reason.

    Does that help? Is it a bug? I am using a fairly recent version of the oauth2 module, built from source just a few days ago (Tuesday, May 29)...

  6. #6

    In the DefaultAuthorizationRequestFactory, the createAuthorizationRequest method is used. It takes the parameters, at that point with the username and password, but never uses them. The resulting AuthorizationRequest cannot contain the username and password.

    I guess simply switching to the other constructor, the one that takes the parameters, would work. Could that be?

  7. #7

    There was a bug there but IIRC it was fixed last week (I see heavy revisions on Friday). Can you update your source and rebuild? Look at the DefaultAuthorizationRequestFactory that you are using and make sure it is passing on all the parameters. There are integration tests for this and they pass last time I looked.

  8. #8

    Seems fixed in code

    I see the issue seems fixed on github:
    https://github.com/SpringSource/spri...stFactory.java

    parameters now passed.

    I'll checkout again and build, will let you know if it works.

    Thx!
    Sven

  9. #9

    Works. I verified three flows now: server-side, client-side and resource owner password flow.

    thx!
    Sven
