Apr 17th, 2013, 07:00 AM
Validate token request
Does oauth2RestTemplate or access token providers support validate token request?
Is validation request part of the OAuth2 standard?
Here is the flow:
1. Mobile/Web-App authenticated from third party Authentication server and obtains Access-Token.
2. User tries to access a secured resource, and passes the Access-Token in the request, as expected by the protocol.
Is it possible to check this token against third-party server?
Last edited by akorotenko; Apr 18th, 2013 at 07:18 AM.
Apr 19th, 2013, 03:07 AM
Access tokens are supposed to be checked by the resource server, and the means for doing that are not discussed in any detail in the spec, so you are free to do it however you want (but the auth server is going to dictate how you do it so if that's a 3rd party you'd better read their documentation). I'm not sure why you would want to do it in the client, but maybe you have some special requirement? Depending on the auth server it may or may not allow you to check the token contents client side.
Apr 19th, 2013, 04:24 AM
Mobile/Web-App can get Access-Token directly from third party auth server, and then send it to our application server. But our application server can only check this token against local (distributed) cache or DB... and of course it will be a new iteration of Access-Token obtaining (third party login page -> auth code -> Access-Token). Would be great just to ask the third party - "Hey, is it yours?", "Still not expired?"
As I understand, it's quite a common problem and still not covered by the OAuth2 standard. Sadness, grief...
... or try to use Refresh-Token approach...
My goal: write an application server which will authenticate the users against the default (mine) and other third-party auth servers... different applications have their own application keys linked to a concrete auth server... would be great to use one OAuth2 algorithm for everything
Apr 19th, 2013, 05:45 AM
I don't quite understand your use case, but I still doubt that it's really the client's responsibility to check the tokens. Most oauth providers would give you a way to check some basic details about the authenticated user (e.g. facebook has a /me endpoint), but they won't usually provide token decoding services to Joe Public for security reasons. Since your use case seems (?) to be mainly about authentication, maybe the /me or /user_info style endpoints are all you need anyway? Maybe OAuth2ClientAuthenticationProcessingFilter (from Spring OAuth) would help you?
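The two replies above describe the same pattern: the resource server (not the client) checks an incoming access token, and with a third-party provider the practical way to do that is to call a user-info style endpoint such as a /me endpoint and treat a successful answer as "this token is valid and belongs to this user". The following is an added example written for this thread; it is not code from the forum posters or from Spring OAuth. It assumes the provider's endpoint is wrapped in a `lookup(token)` callable that returns a user id on success and `None` otherwise; the `fake_provider_lookup` and its token table are constructed stand-ins so the example runs offline. The validator hashes tokens before using them as cache keys (so raw tokens do not linger in memory) and bounds the cache with a TTL, which is also the longest window during which a revoked token would still be accepted.

```python
import hashlib
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class CachedPrincipal:
    user_id: str
    checked_at: float


class BearerTokenValidator:
    """Resource-server side check of a bearer access token via a
    third-party user-info style endpoint (e.g. a /me endpoint)."""

    def __init__(self, lookup: Callable[[str], Optional[str]],
                 cache_ttl: float = 60.0,
                 clock: Callable[[], float] = time.time):
        # lookup(token) -> user id if the provider accepts the token, else None.
        # Hypothetical wrapper around the provider's HTTP endpoint (assumption).
        self._lookup = lookup
        self._ttl = cache_ttl          # max seconds a positive answer is reused
        self._clock = clock            # injectable for deterministic tests
        self._cache: Dict[str, CachedPrincipal] = {}

    @staticmethod
    def extract_token(authorization_header: Optional[str]) -> Optional[str]:
        """Return the token from 'Authorization: Bearer <token>' or None.
        Anything that is not exactly one bearer token is rejected."""
        if not authorization_header:
            return None
        scheme, _, rest = authorization_header.strip().partition(" ")
        token = rest.strip()
        if scheme.lower() != "bearer" or not token or " " in token:
            return None
        return token

    @staticmethod
    def _cache_key(token: str) -> str:
        # Never keep the raw token as a dictionary key; a digest is enough
        # to recognise a repeat of the same token.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def authenticate(self, authorization_header: Optional[str]) -> Optional[str]:
        """Return the authenticated user id, or None if the request must be
        treated as unauthenticated (missing/malformed header, provider says no)."""
        token = self.extract_token(authorization_header)
        if token is None:
            return None
        key = self._cache_key(token)
        now = self._clock()
        hit = self._cache.get(key)
        if hit is not None and now - hit.checked_at < self._ttl:
            return hit.user_id          # still within TTL: no provider round trip
        user_id = self._lookup(token)   # ask the provider: "is this yours?"
        if user_id is None:
            self._cache.pop(key, None)  # drop any stale positive entry
            return None
        self._cache[key] = CachedPrincipal(user_id, now)
        return user_id


# Constructed stand-in for the third party's user-info endpoint (not a real provider).
FAKE_PROVIDER_TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}


def fake_provider_lookup(token: str) -> Optional[str]:
    return FAKE_PROVIDER_TOKENS.get(token)


if __name__ == "__main__":
    validator = BearerTokenValidator(fake_provider_lookup, cache_ttl=60.0)
    for header in ("Bearer tok-alice", "Bearer tok-unknown", "Basic dXNlcjpwdw==", None):
        print(repr(header), "->", validator.authenticate(header))
```

In a real deployment `lookup` would issue the HTTPS request to the provider with the token and map a 2xx response carrying a user identity to that id and everything else to `None`; the TTL should be chosen against how quickly you need revocations to take effect, since a cached positive answer is trusted until it expires.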