Results 1 to 2 of 2

Thread: Validation of resource request

  1. Feb 20th, 2013, 10:50 AM #1
    samuel_coutinho
    samuel_coutinho is offline Junior Member
    Join Date
    Feb 2013
    Posts
    22

    Default Validation of resource request

    The OAuth 2 spec states that
    The client accesses protected resources by presenting the access token to the resource server. The resource server MUST validate the access token and ensure that it has not expired and that its scope covers the requested resource. The methods used by the resource server to validate the access token (as well as any error responses) are beyond the scope of this specification but generally involve an interaction or coordination between the resource server and the authorization server.
    So within the Spring OAuth lib is this performed by the TokenServicesUserApprovalHandler? What is the default behavior if I don't supply my own?
    Reply With Quote Reply With Quote
  2. Feb 21st, 2013, 03:02 AM #2
    Dave Syer
    Dave Syer is offline Senior Member
    Join Date
    Jun 2005
    Posts
    4,231

    Default

    Quote Originally Posted by samuel_coutinho View Post
    So within the Spring OAuth lib is this performed by the TokenServicesUserApprovalHandler?
    Not really. That's used when a token is granted. The OAuth2AuthenticationProcessingFilter and it's authentication manager process an incoming request, and they check for a resource id if there is one. They delegate token hydration to the ResourceServerTokenServices, and if you use DefaultTokenServices then it will check for expiry. None of these components know anything about scope since that is business content, so you have to specify access rules in your filter configuration (e.g. using a ScopeVoter as in the sparklr sample).
    Reply With Quote Reply With Quote
« Previous Thread | Next Thread »

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules