
Thread: OAuth - Anonymous Authentication


  1. #1 (Join Date: May 2012, Posts: 27)

    I have been able to successfully generate a request token, but I'm having trouble getting through authorization and on to generating an OAuth access token.

    When I make a request into authorize, I'm noticing that the token is considered "authorized". I'm a bit confused why it would be doing this:

    Code:
    org.springframework.security.authentication.AnonymousAuthenticationToken@6faeba70: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffbcba8: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: nwwhtqmrceg2eu08rvw7uust; Granted Authorities: ROLE_ANONYMOUS
    These are my settings

    Basic Auth for the api, which will change to OAuth once I get the access tokens
    Code:
    	<sec:http create-session="stateless" entry-point-ref="entryPoint">
    		<sec:intercept-url pattern="/api/**" access="IS_AUTHENTICATED_FULLY" requires-channel="https"/>
    		<sec:custom-filter ref="loginFilter" position="FORM_LOGIN_FILTER" />
    		<sec:http-basic/>
    		<sec:logout />
    	</sec:http>
    Provider Settings:
    Code:
      <oauth:provider consumer-details-service-ref="vhConsumerDetailsService"
                      token-services-ref="vhOAuthProviderTokenServices"
                      verifier-services-ref="vhOAuthVerifierServices" 
                      nonce-services-ref="vhOAuthNonceServices"
                      
                      request-token-url="/oauth/request_token"
                      
                      authenticate-token-url="/oauth/authorize"
                      access-granted-url="/accessGranted"
                                        
                      access-token-url="/oauth/access_token"
                      require10a="false"/>

  2. #2 (Join Date: May 2012, Posts: 27)

    I should clarify the steps I've taken from the client side. Here's my workflow so far

    1) send oauth headers with signature to /oauth/request_token and get a request token back
    2) send the request token to /oauth/authorize and get treated as authorized because of the AnonymousAuthenticationToken stored in the token

  3. #3 (Join Date: Jun 2005, Posts: 4,230)

    The OAuth1 provider support does some quite extreme things to the security filter chain, including silently adding filters (OAuth2 has been refactored to not do this so it is more predictable, in my opinion). The anonymous filter is enabled by default so my guess is that you could just disable it (<anonymous enabled="false"/>) and you would no longer get anonymous tokens. Or if you need anonymous access for other reasons, explicitly add the oauth endpoint URLs as secure patterns (like in the sparklr sample). I'm guessing here because I'm not using the OAuth 1 features much.

  4. #4 (Join Date: May 2012, Posts: 27)

    Yeah.. I'm slowly picking up on that stuff.

    I thought the OAuth 2 spec was never fully adopted? Isn't it a totally different protocol with regards to tokens/handshakes etc.?

    Anyway, with OAuth 1 I did turn off Anonymous Auth and now things work as I would expect them to. However, I'm curious how this would even work. When I make a request to /oauth/authorize and I'm not logged in, it should redirect to the "user-approval-url", and this page would require login and thus redirect to the login page. With all this redirecting, how does the requestToken not get lost? Isn't the end goal to send the user back through /oauth/authorize with the request token while authenticated, so that the request can be approved?

  5. #5 (Join Date: Jun 2005, Posts: 4,230)

    Yes, OAuth 2 is different. No, it is not in any way officially unadopted (that I know of), in fact it is pretty common these days and OAuth 1.0a is looking like a legacy spec (my opinion).

    The answer to your other question is that the requestToken is stored in between requests. Spring Security has a strategy interface for the things it stores natively (SecurityContextRepository), Spring MVC has a SessionAttributeStore, and Spring Security OAuth adds some more, for storing data with different validity periods than the session in general (although not always). The OAuth 1.0a provider uses OAuthProviderTokenServices, for instance.

  6. #6 (Join Date: May 2012, Posts: 27)

    I've seen the TokenServices, and that is kind of the crux of my confusion. In order to use the token service you need the token value to look up all the pertinent information.

    If you send a request to oauth/authorize and you aren't logged in, then you are going to get bounced to the login page and your "requestToken" parameter is going to get lost. This is especially compounded when you are bouncing from one load balancer to the next.
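Added example (not posted by anyone in the thread, and not the Spring Security OAuth project's own sample): a Spring Security 3.1 namespace fragment that applies the two fixes suggested in #3 and addresses the redirect question raised in #4 and #6. It reuses the bean names from #1 (entryPoint, loginFilter, the oauth:provider element) and assumes the sec: prefix is bound to the Spring Security schema. The root cause in #1 is that AnonymousAuthenticationToken reports isAuthenticated() == true; it only carries ROLE_ANONYMOUS, which is why IS_AUTHENTICATED_FULLY (which rejects anonymous and remember-me principals) is the right access rule for the approval step, independently of whether the anonymous filter is switched off.

```xml
<!-- Added example, not from the thread. Spring Security 3.1 namespace, prefix sec:.
     Goes in the same context as the oauth:provider element posted in #1. -->

<sec:http entry-point-ref="entryPoint">

    <!-- Fix 1 (from #3): no anonymous principal at all, so nothing with
         Authenticated=true and ROLE_ANONYMOUS ever reaches /oauth/authorize. -->
    <sec:anonymous enabled="false"/>

    <!-- Fix 2 (from #3, sparklr-style): make the OAuth approval URLs secure patterns.
         IS_AUTHENTICATED_FULLY rejects AnonymousAuthenticationToken and remember-me,
         so the resource owner has to be genuinely logged in to approve a request token. -->
    <sec:intercept-url pattern="/oauth/authorize" access="IS_AUTHENTICATED_FULLY" requires-channel="https"/>
    <sec:intercept-url pattern="/accessGranted"   access="IS_AUTHENTICATED_FULLY" requires-channel="https"/>

    <!-- The API from #1, unchanged: consumer-authenticated over HTTPS. -->
    <sec:intercept-url pattern="/api/**" access="IS_AUTHENTICATED_FULLY" requires-channel="https"/>
    <sec:http-basic/>

    <!-- Why the request token survives the login redirect (#4, #6): the unauthenticated
         GET /oauth/authorize?oauth_token=... is rejected by the access rule above,
         ExceptionTranslationFilter stores that request (query string included) in the
         session-backed request cache, the user logs in, and the saved request is replayed.
         That needs a session, which is why create-session="stateless" from #1 is dropped
         here; behind several load balancers the session must be sticky or shared. -->
    <sec:custom-filter ref="loginFilter" position="FORM_LOGIN_FILTER"/>
    <sec:logout/>
</sec:http>
```

The stateless setting from #1 is fine for a pure API chain that is authenticated per request, but the user-approval step is a browser round trip through a login form, and both the logged-in SecurityContext and the saved /oauth/authorize request live in the HTTP session, so that step cannot be served from a chain that refuses to create one.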
