We are trying to secure our application using Spring Security and OAuth2. The current theory is that users will authenticate with the resource server using the Implicit Grant flow so that they will only ever see a single login screen. However, in practice, this would also seem to imply that users can never authenticate with Spring Security since they would not be logged in when they try to access the "/oauth/authorize" endpoint. Am I understanding this correctly, please? In which case, how might users authenticate with our application via untrusted clients?
e.g. this command always triggers a Spring Security exception:
"User must be authenticated with Spring Security before authorization can be completed".
    $ curl -X GET 'http://localhost:8080/myapp/oauth/authorize?response_type=token&client_id=myapp'
The alternative might be to forbid untrusted clients, and then have trusted clients use the Resource Owner Password flow instead, but I would like to be sure I am understanding this correctly.
And I suppose an underlying question here is whether trying to use the Implicit Grant flow like this is a good idea in the first place.
Update: My XML configuration is currently based heavily on the Sparklr2 demo server. I've created a new <http/> section for the authorize endpoint:

    <http pattern="/oauth/authorize" create-session="stateless">
        <intercept-url pattern="/oauth/authorize" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    </http>

This sort-of works, but also means that I need to add "-u myapp:mysecret" to my CURL command line in order to reach the login URL. And that can't be right.
Oh dear, I am so confused...
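As an added illustration (not part of the question or of the Sparklr2 sample), the following Spring Security XML puts the stateless, anonymously reachable authorize endpoint described above next to a configuration in which the resource owner must log in through a form before /oauth/authorize is served, while client credentials are only asked for at /oauth/token. The bean names userAuthenticationManager and clientAuthenticationManager and the /login page are assumed.

```xml
<!-- Added example, Spring Security 3.x namespace; assumes spring-security-oauth2
     endpoints mapped at /oauth/authorize and /oauth/token. -->

<!-- Weak (as in the question): no session is kept and nobody has to log in, so
     the authorize endpoint never sees a real, authenticated resource owner. -->
<http pattern="/oauth/authorize" create-session="stateless">
    <intercept-url pattern="/oauth/authorize" access="IS_AUTHENTICATED_ANONYMOUSLY" />
</http>

<!-- Corrected, part 1: the token endpoint is the only place where the client
     authenticates (this is where curl's "-u client:secret" belongs). -->
<http pattern="/oauth/token" create-session="stateless"
      authentication-manager-ref="clientAuthenticationManager">
    <intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY" />
    <http-basic />
</http>

<!-- Corrected, part 2: the authorize endpoint sits in the normal web-app chain.
     An unauthenticated browser is redirected to the login page, and after a
     successful login the saved request (including response_type and client_id)
     is replayed to /oauth/authorize.  The default create-session="ifRequired"
     keeps the user's session so that the login survives that redirect. -->
<http use-expressions="true" authentication-manager-ref="userAuthenticationManager">
    <intercept-url pattern="/login*" access="permitAll" />
    <intercept-url pattern="/oauth/authorize" access="isAuthenticated()" />
    <intercept-url pattern="/**" access="isAuthenticated()" />
    <form-login login-page="/login"
                authentication-failure-url="/login?error=1" />
    <logout logout-url="/logout" logout-success-url="/login" />
</http>
```

With this layout the Implicit Grant request in the question is answered with a redirect to /login when the browser has no session, and with the approval page (or the fragment-encoded access token) once the user is logged in, without any client secret on the authorize request.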