Jan 31st, 2013, 10:12 AM
oauth2 multiple realms
I'm wondering if what I'd like to do is possible or if maybe there is some recommended way to accomplish something similar.
We currently have two realms (legacy):
- realm1 - large set of users with access to functionality that is more "public" - basically the users of our site
- realm2 - small set of users with access to functionality that is more "private" - basically employees
We have a service tier (resource server) which is currently secured via oauth2. Authentication and authorization are currently done against realm1 and it's working fine. Spring oauth2 (OAuthRestTemplate) is currently only used for client code since the server side oauth2 wasn't ready for prime-time before we needed it. However on the server side we still use all Spring Security core. Basically we implemented a "lite" oauth2 on the server and want to replace it with Spring oauth2 server side code if possible.
We would like to add some more functionality to our service tier but really only want realm2 users to be able to access it. Ideally, at the service tier, we can continue to just use roles - spring security model. Somehow, the realm2 users would have the required roles, but the realm1 users would not.
So, my question: Is it possible / recommended to use spring oauth2 with multiple realms of users all accessing the same resource server endpoints?
My original thought was to (somehow) conditionally use the realm1 UserDetailsService or the realm2 UserDetailsService based on oauth client_id but based on looking at the Spring oauth2 code, I'm not sure this will be easy.
Feb 3rd, 2013, 08:31 AM
I don't think this is really a question for Spring OAuth - you should be able to achieve anything you need with regular Spring Security if I understand correctly (but maybe I don't). The only complication I foresee is if the same resources need to be made available to users in both realms, since that makes the responses hard to generate with complete confidence - maybe that's what the per-client_id idea you had was?
Feb 13th, 2013, 08:34 AM
The "only complication" is really the main point of my question. At this point, I'm trying to stand up a proof-of-concept where I have two oauth authorization server endpoints. The one resource server then handles tokens from both authorization endpoints. The thought is that the two authorization servers will point to two different realms but store token information (via TokenStore derivative) in the same store. I'm having some issues with the oauth xml configuration because the parsing code uses constant bean names (Ex: AuthorizationServerBeanDefinitionParser.java always uses a bean named oauth2HandlerMapping ... probably because it assumes one oauth authorization server). So, I'll try to do the bean configuration by hand (not using oauth2 namespace.)
Feb 14th, 2013, 03:26 AM
That doesn't sound very mainstream. If you really need 2 sets of oauth endpoints in the same app why not put them in different servlets though (then they will be configured in different XML files).
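The two-servlet layout suggested in the last reply, sketched as a web.xml. This is an added example, not configuration posted by anyone in the thread; the servlet names, file paths and URL patterns are assumptions, and only the servlet layout is shown.

```xml
<!-- web.xml: constructed example; names, paths and URL patterns are assumptions -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">

  <!-- Root context: beans that both realms share, such as the single
       TokenStore that the resource server also reads. -->
  <context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>/WEB-INF/shared-context.xml</param-value>
  </context-param>
  <listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
  </listener>

  <!-- Each DispatcherServlet builds its own child application context, so a
       fixed bean name such as oauth2HandlerMapping registered in one
       context does not collide with the same name in the other. -->
  <servlet>
    <servlet-name>realm1-oauth</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <init-param>
      <param-name>contextConfigLocation</param-name>
      <!-- one authorization server declaration + realm1 UserDetailsService -->
      <param-value>/WEB-INF/realm1-oauth-servlet.xml</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet>
    <servlet-name>realm2-oauth</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <init-param>
      <param-name>contextConfigLocation</param-name>
      <!-- one authorization server declaration + realm2 UserDetailsService -->
      <param-value>/WEB-INF/realm2-oauth-servlet.xml</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>

  <!-- Separate URL spaces keep the two sets of endpoints apart. -->
  <servlet-mapping>
    <servlet-name>realm1-oauth</servlet-name>
    <url-pattern>/realm1/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>realm2-oauth</servlet-name>
    <url-pattern>/realm2/*</url-pattern>
  </servlet-mapping>
</web-app>
```

Beans in the root context are visible to both child contexts, which is what lets the two authorization servers write to one token store while each keeps its own realm's user lookup.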