supporting oauth2 client password

[arikg]

Hi,
I'm working on the app.net api integration and it supports "client password" login for client tokens as explained in the oauth 2 spec sectoin 2.3.1.

Is there currently some hook I'm missing to do this or do I need to add this in my implementation of the ServiceProvider or something like that?

Thanks,
Arik.

[habuma]

Neither client password nor resource owner credentials grant (ROCG) are directly supported by Spring Social (yet). But they are relatively easy to perform with a simple RestTemplate, since they only involve a REST call to the token endpoint with a half-dozen or so parameters.

The latest snapshot build have support for ROCG at the OAuth2Template level, but it is not yet supported at the connection framework level for purposes of creating a connection from the obtained access token. That is on my radar, but just is a few notches lower in priority than some other stuff, so I've not done it yet.

As for client credentials grant, it doesn't make as much sense to support it in the connection framework, as connections represent a 3-way relationship between a user, an API provider, and a client...but client credentials grant produces an access token that represents a 2-way relationship between an API provider and a client (no user involved). So, although it would make sense to support it at the OAuth2Template level, I don't see a need for it at the connection framework level. That is, unless you can make a compelling case for it.

[arikg]

I agree completely.
There is no need for ConnectionProvider support but it should exist on an OAuth2Template level accessible from the ServiceProvider for easy integration.

[arikg]

I do want it implemented so I will probably just do it and send a pull request.
It shouldn't be that hard, the plan is to add
OAuth2Operations:
AccessGrant authenticateClient(String scope);

Will support useParametersForClientAuthentication within it.

add the tests and stuff...

[habuma]

Yeah, that'd be awesome. It's not that hard to implement and wouldn't be dramatically different from what I already do for ROCG (just without the user credentials). I was going to do it, but I'd also welcome a pull request. If you've not already done so, I'm required to ask you to complete https://support.springsource.com/spr...mmitter_signup for contributions so that the legal folks are happy.

And yes...please include tests. :-)

[arikg]

yeah, I saw the ROCG implementation and followed it.
Now registered for contributions.
Expect the pull request soon enough...

[arikg]

pull request done - feedback appreciated.

[habuma]

Thanks! I'll have a look (probably tomorrow) and let you know.

[habuma]

FYI: Just merged your pull request. I had to do a bit of code formatting to get it to match our code style, but other than that it looked good.

[arikg]

That's great.
thanx.