From all the examples I've seen, it looks like the typical scenario in password flow is to always issue a token to an authenticated user and let subsequent requests to protected resources dictate whether the logged-in user is authorized to access them.
I have a slightly different use case. How can I set it up in password flow so that only authenticated users in a certain role (i.e., LDAP group) would be granted a token? All other users (whether unauthenticated or unauthorized) would receive an error message.
I will be supporting other flows (auth, client) so whatever solution posed here cannot override other flows. For example, a simple solution to my use case would be to change:
<intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY" />
to
<intercept-url pattern="/oauth/token" access="(my specific role)" />
But then this would change the access pattern for non-password flows as well, which I don't want.
Is it possible to have separate <http> blocks pointing to the same URL for different flows?
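One way to restrict token issuance to a role for the password grant only, without touching the intercept-url that the other grant types share, is to hook the check into the granter for that grant type rather than into URL security. The class below is an added example, not code from the question or from Spring Security OAuth itself. It assumes the spring-security-oauth2 2.0.x API (ResourceOwnerPasswordTokenGranter with the four-argument constructor and the getOAuth2Authentication(ClientDetails, TokenRequest) hook), and it assumes the LDAP group of interest has already been mapped to an authority such as ROLE_TOKEN_USER by the LDAP authentication provider; the authority name is a placeholder.

```java
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.oauth2.common.exceptions.InvalidGrantException;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.security.oauth2.provider.ClientDetailsService;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.OAuth2RequestFactory;
import org.springframework.security.oauth2.provider.TokenRequest;
import org.springframework.security.oauth2.provider.password.ResourceOwnerPasswordTokenGranter;
import org.springframework.security.oauth2.provider.token.AuthorizationServerTokenServices;

/**
 * Added example (not from the question). A password-grant token granter that
 * refuses to mint a token unless the authenticated resource owner holds a
 * required authority. Because the check lives inside the "password" granter,
 * the authorization-code and client-credentials grants served by the same
 * /oauth/token endpoint are unaffected, and the intercept-url for that
 * endpoint can stay at IS_AUTHENTICATED_FULLY.
 */
public class RoleRestrictedPasswordTokenGranter extends ResourceOwnerPasswordTokenGranter {

    /** Assumption: the LDAP group is mapped to this authority by the LDAP provider. */
    private final String requiredAuthority;

    public RoleRestrictedPasswordTokenGranter(AuthenticationManager authenticationManager,
                                              AuthorizationServerTokenServices tokenServices,
                                              ClientDetailsService clientDetailsService,
                                              OAuth2RequestFactory requestFactory,
                                              String requiredAuthority) {
        super(authenticationManager, tokenServices, clientDetailsService, requestFactory);
        this.requiredAuthority = requiredAuthority;
    }

    @Override
    protected OAuth2Authentication getOAuth2Authentication(ClientDetails client, TokenRequest tokenRequest) {
        // The superclass authenticates username/password against the
        // AuthenticationManager (e.g. the LDAP provider) and throws
        // InvalidGrantException itself if the credentials are bad. So an
        // unauthenticated user never reaches the role check below.
        OAuth2Authentication auth = super.getOAuth2Authentication(client, tokenRequest);

        Authentication user = auth.getUserAuthentication();
        if (user == null || !hasAuthority(user, requiredAuthority)) {
            // Authenticated but not in the required group: no token is issued.
            // The token endpoint turns this into a 400 "invalid_grant" error
            // response, which is the "error message" the unauthorized caller sees.
            throw new InvalidGrantException(
                    "User is not permitted to obtain a token via the password grant");
        }
        return auth;
    }

    /** Plain loop rather than streams so the example also compiles on Java 7-era projects. */
    static boolean hasAuthority(Authentication user, String authority) {
        for (GrantedAuthority granted : user.getAuthorities()) {
            if (authority.equals(granted.getAuthority())) {
                return true;
            }
        }
        return false;
    }
}
```

The granter is registered in place of the default password granter, for example inside a CompositeTokenGranter that is handed to the authorization server via its token-granter-ref attribute (assumed to be available in the version in use); the other granters in that composite are left as the framework builds them. Keeping the decision in the granter also means the rule is enforced even if someone later loosens or adds an `<http>` block for /oauth/token, whereas a URL-level rule depends on every such block being kept consistent.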