Thread: bug in resource owner password credentials flow?

  1. #1

    bug in resource owner password credentials flow?

    Using a similar setup to my implicit flow forum post, I encounter the following error with "password" flow:

    Code:
    error="access_denied", error_description="Unable to obtain a new access token for resource 'rs'. The provider manager is not configured to support it."
    My resource config:
    Code:
    <oauth:resource id="rs" type="password" client-id="client3" client-secret="${secret}" access-token-uri="${accessTokenUri}" scope="read" />
    The error is thrown after iterating over the AccessTokenProvider chain and not finding one that supports the instance of OAuth2ProtectedResourceDetails passed to AccessTokenProviderChain.obtainNewAccessTokenInternal

    Code:
    protected OAuth2AccessToken obtainNewAccessTokenInternal(OAuth2ProtectedResourceDetails details,
            AccessTokenRequest request) throws UserRedirectRequiredException, AccessDeniedException {

        ...
        for (AccessTokenProvider tokenProvider : chain) {
            if (tokenProvider.supportsResource(details)) {
                return tokenProvider.obtainAccessToken(details, request);
            }
        }
        throw new OAuth2AccessDeniedException("Unable to obtain a new access token for resource '" + details.getId()
                + "'. The provider manager is not configured to support it.", details);
    }
    Code:
    public class ResourceOwnerPasswordAccessTokenProvider extends OAuth2AccessTokenSupport implements AccessTokenProvider {

        public boolean supportsResource(OAuth2ProtectedResourceDetails resource) {
            return resource instanceof ResourceOwnerPasswordResourceDetails && "password".equals(resource.getGrantType());
        }
        // remaining methods omitted
    }
    Looking into it further, "details" is an instance of BaseOAuth2ProtectedResourceDetails, NOT ResourceOwnerPasswordResourceDetails, so supportsResource() returns false. How can this be?

    Code:
    public class ResourceBeanDefinitionParser extends AbstractSingleBeanDefinitionParser {

        @Override
        protected Class<?> getBeanClass(Element element) {
            if ("authorization_code".equals(element.getAttribute("type"))) {
                return AuthorizationCodeResourceDetails.class;
            }
            if ("implicit".equals(element.getAttribute("type"))) {
                return ImplicitResourceDetails.class;
            }
            if ("client_credentials".equals(element.getAttribute("type"))) {
                return ClientCredentialsResourceDetails.class;
            }
            return BaseOAuth2ProtectedResourceDetails.class;
        }
        // remaining methods omitted
    }
    Adding another if-clause for ResourceOwnerPasswordResourceDetails should fix the problem. Am I missing something or shall I file a JIRA request?

  2. #2

    Makes sense, although I don't see much value in <oauth:resource/> for password grants. Can you raise a JIRA ticket, and send a pull request following the process in the README if you feel like it?

  3. #3

    Quote Originally Posted by Dave Syer:
    Makes sense, although I don't see much value in <oauth:resource/> for password grants.
    OK, so what's the preferred way for password grants?

  4. #4

    I guess you would create the ResourceOwnerPasswordResourceDetails as needed and feed them into an OAuth2RestTemplate. If you used the XML config you would have a single resource owner per application context, which isn't completely outrageous, but you would need to have the plain text password stored in the clear somewhere to make it work, so not very useful in most (enterprise) apps. I only use it for testing.
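
The following is an added example (not code from the thread or from Spring Security OAuth itself) that puts the diagnosis in post #1 and the programmatic setup suggested in post #4 side by side: a BaseOAuth2ProtectedResourceDetails with grant type "password", as the XML parser produced, is run through the same supportsResource check the provider chain performs, and then a ResourceOwnerPasswordResourceDetails is built by hand and handed to an OAuth2RestTemplate. The environment variable names used for the token URI, client secret and resource owner credentials are assumptions of this example.

```java
import java.util.Arrays;
import java.util.Collections;
import org.springframework.security.oauth2.client.DefaultOAuth2ClientContext;
import org.springframework.security.oauth2.client.OAuth2RestTemplate;
import org.springframework.security.oauth2.client.resource.BaseOAuth2ProtectedResourceDetails;
import org.springframework.security.oauth2.client.resource.OAuth2ProtectedResourceDetails;
import org.springframework.security.oauth2.client.token.AccessTokenProviderChain;
import org.springframework.security.oauth2.client.token.grant.password.ResourceOwnerPasswordAccessTokenProvider;
import org.springframework.security.oauth2.client.token.grant.password.ResourceOwnerPasswordResourceDetails;

public class PasswordGrantExample {
    // What the XML parser in post #1 produced for type="password": the base class
    // with only the grant type set. The instanceof check in the provider rejects it.
    static OAuth2ProtectedResourceDetails xmlStyleDetails() {
        BaseOAuth2ProtectedResourceDetails d = new BaseOAuth2ProtectedResourceDetails();
        d.setId("rs");
        d.setGrantType("password");
        return d;
    }

    // The programmatic setup from post #4. The environment variable names are an
    // assumption of this example; the thread does not specify where credentials come from.
    static ResourceOwnerPasswordResourceDetails programmaticDetails() {
        ResourceOwnerPasswordResourceDetails d = new ResourceOwnerPasswordResourceDetails(); // grant type is "password"
        d.setId("rs");
        d.setAccessTokenUri(System.getenv("ACCESS_TOKEN_URI"));
        d.setClientId("client3");
        d.setClientSecret(System.getenv("CLIENT_SECRET"));
        d.setScope(Collections.singletonList("read"));
        d.setUsername(System.getenv("RESOURCE_OWNER_USERNAME"));
        d.setPassword(System.getenv("RESOURCE_OWNER_PASSWORD"));
        return d;
    }

    // The same check AccessTokenProviderChain.obtainNewAccessTokenInternal makes before
    // throwing "The provider manager is not configured to support it."
    static boolean chainSupports(OAuth2ProtectedResourceDetails details) {
        AccessTokenProviderChain chain = new AccessTokenProviderChain(
                Arrays.asList(new ResourceOwnerPasswordAccessTokenProvider()));
        return chain.supportsResource(details);
    }

    public static void main(String[] args) {
        System.out.println("base details supported? " + chainSupports(xmlStyleDetails()));
        System.out.println("password details supported? " + chainSupports(programmaticDetails()));
        // The token is fetched lazily on the first request made through the template.
        OAuth2RestTemplate rest = new OAuth2RestTemplate(programmaticDetails(), new DefaultOAuth2ClientContext());
        System.out.println("template ready for resource " + rest.getResource().getId());
    }
}
```

Only the first two checks run offline; the template itself contacts the token endpoint on its first request, which is where the resource owner's password has to be available in the clear, the limitation Dave points out.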

  5. #5

    Ah ok, I see what you're suggesting. That would work as a POC, but, as you state, not in an enterprise context. Any recommendations on a good OAuth2 framework for iOS?

  6. #6

    I don't really know anything about iOS. You could try on the Spring Social or Spring Mobile forum.
