Dec 5th, 2012, 12:06 AM
Optional client secret
The org.springframework.security.oauth2.provider.ClientDetails class has a method called isSecretRequired(). I was assuming that this could be used to avoid having to require client secrets from public clients. However, I do not see this method being used anywhere in the framework. Where is this method meant to be used in the flow?
Dec 5th, 2012, 04:58 AM
I think it's a historical artifact. Feel free to use it if you want, but the framework doesn't need to particularly as things stand because it expects a standard BasicAuthenticationFilter to be adequate for most purposes.
Dec 5th, 2012, 01:24 PM
Thanks. Does that mean that the general expectation is to have all clients send in a client id and client secret irrespective of whether they are confidential or public clients?
I am trying to understand if requiring these from public clients gives them a false sense of security about their credentials being actually secret or secure.
Dec 6th, 2012, 01:42 AM
I don't really see what bearing a method in a server-side interface has on the behaviour of clients. By "public" clients do you mean those without secrets? If so then they would normally only be allowed to use the implicit grant type (which requires no client authentication). If they are allowed to use the token endpoint, then I suppose they are going to have to send an Authorization header, unless you provide a custom auth filter.
Dec 7th, 2012, 06:41 PM
By public clients I mean mobile applications, native applications, etc. Unfortunately, it's never clear what to do with these clients with OAuth. I guess I have to use the implicit grant type for these.
Dec 8th, 2012, 03:15 AM
You can use (e.g.) password grants if you like. You just have to send an empty secret (by default).
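The two answers above describe a split: confidential clients present a secret, while public clients are registered without one and are either restricted to the implicit grant or sent through a custom authentication check. The example below is an added illustration and is not code from this thread or from the Spring Security OAuth project. It uses the framework's own `BaseClientDetails` (whose `isSecretRequired()` returns true only when a secret was set) and shows a server-side check that honours that flag. The client ids, the secret value and the `clientAuthenticated` helper are constructed for the example; a real deployment would store the secret encoded and compare it through a `PasswordEncoder` rather than as a raw string.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;

import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.security.oauth2.provider.client.BaseClientDetails;

// Added example, not code from the thread or from Spring Security OAuth.
// Demonstrates honouring ClientDetails.isSecretRequired(): a confidential
// client must present its secret; a public client (mobile/native, registered
// with no secret) is not asked for one but is limited to the implicit grant,
// which needs no client authentication.
public class PublicClientExample {

    // Constructed client registrations; the ids and secret are sample values.
    static Map<String, ClientDetails> clients() {
        Map<String, ClientDetails> store = new HashMap<String, ClientDetails>();

        // Confidential (server-side) client: has a secret, may use password grant.
        // BaseClientDetails(clientId, resourceIds, scopes, grantTypes, authorities)
        BaseClientDetails confidential = new BaseClientDetails(
                "web-backend", "api", "read,write", "password,refresh_token", "ROLE_CLIENT");
        confidential.setClientSecret("s3cr3t"); // makes isSecretRequired() true
        store.put(confidential.getClientId(), confidential);

        // Public client: no secret is set, so isSecretRequired() is false.
        // Only the implicit grant is authorized, as recommended in the thread.
        BaseClientDetails mobile = new BaseClientDetails(
                "mobile-app", "api", "read", "implicit", "ROLE_CLIENT");
        store.put(mobile.getClientId(), mobile);

        return store;
    }

    /**
     * Hypothetical replacement for the secret check a custom auth filter would
     * perform. A public client passes without a secret; a confidential client
     * must present a matching secret, compared in constant time. Unknown
     * clients and wrong secrets are rejected.
     */
    static boolean clientAuthenticated(Map<String, ClientDetails> store,
                                       String clientId, String presentedSecret) {
        ClientDetails client = store.get(clientId);
        if (client == null) {
            return false;
        }
        if (!client.isSecretRequired()) {
            // Public client: nothing to verify here. What actually limits the
            // client is its authorized grant types, checked later in the flow.
            return true;
        }
        if (presentedSecret == null) {
            return false;
        }
        byte[] expected = client.getClientSecret().getBytes(StandardCharsets.UTF_8);
        byte[] actual = presentedSecret.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, actual);
    }

    public static void main(String[] args) {
        Map<String, ClientDetails> store = clients();
        System.out.println("web-backend, correct secret: "
                + clientAuthenticated(store, "web-backend", "s3cr3t"));
        System.out.println("web-backend, wrong secret:   "
                + clientAuthenticated(store, "web-backend", "wrong"));
        System.out.println("mobile-app, no secret:       "
                + clientAuthenticated(store, "mobile-app", null));
        System.out.println("mobile-app, empty secret:    "
                + clientAuthenticated(store, "mobile-app", ""));
        System.out.println("unknown client:              "
                + clientAuthenticated(store, "unknown", "x"));
    }
}
```

The point of the check is the one raised earlier in the thread: asking a mobile or native app for a secret does not make that secret secret, so the registration leaves it out and relies on the grant-type restriction instead. If you keep the framework's default filter rather than a custom one, the public client simply sends an empty secret, as the answer above describes.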
Dec 14th, 2012, 12:54 PM
Thanks, I think that's what I will do. I appreciate your replies.