Spring Security Oauth2资源所有者密码凭证授予 [英] Spring security Oauth2 Resource Owner Password Credentials Grant

问题描述

我刚刚在eclipse IDE中安装了spring security oauth2.试图实施的服务将由第二方用户通过已安装的应用程序使用，因此我选择使用密码授予类型.根据我对Oauth2的理解，以下请求应该适用于演示sparklr2服务，而无需我输入用户名和密码参数.即

Have just installed spring security oauth2 in my eclipse IDE. The service am trying to implement will be consumed by second party users through their installed applications hence i chose to use password grant type. As per my understanding of Oauth2 the following request should work for the demo sparklr2 service without the need of me encording the username and password parameters. i.e

POST http://localhost:8080/sparklr2/oauth/token?grant_type=password&client_id=my-trusted-client&scope=trust&username=marissa&password=koala

但是我不断得到

<oauth>
<error_description>
Full authentication is required to access this resource
</error_description>
<error>unauthorized</error>
</oauth>

我是否在此请求中缺少某些内容，或者我需要在存储库中启用某些内容

am i missing something in this request or do i need to enable something in the repo

推荐答案

Spring OAuth2似乎不支持无秘密OAuth2客户端的密码授予类型.这可能符合OAuth2规范: http://tools.ietf.org/html/rfc6749#section-4.3.2 ，尽管该规范似乎表明并非总是需要客户端身份验证(对我而言这不是很清楚).

It seems like Spring OAuth2 doesn't support the password grant type for a secret-less OAuth2 client. This might be as per the OAuth2 spec: http://tools.ietf.org/html/rfc6749#section-4.3.2, although the spec seems to indicate that the client authentication is not always required (that's not very clear to me).

这意味着在使用密码授予类型调用令牌端点时，您需要传递客户端ID和密码(使用基本身份验证)，这也意味着如果客户端未提供密码授予，则无法使用密码授予有一个秘密(您仍然可以使用隐式流程).

That means that when calling the token endpoint using the password grant type, you need to pass in the client ID and secret (using basic auth), which also mean that you can't use the password grant if the client does not have a secret (you might still be able to use the implicit flow).

在sparklr2中，my-trusted-client没有定义秘密，这就是呼叫失败的原因.

In sparklr2, my-trusted-client does not have a secret defined which is why your call fails.

如果要查看实际的密码授予类型，可以尝试my-trusted-client-with-secret:

If you want to see the password grant type in action you can try my-trusted-client-with-secret:

curl -u my-trusted-client-with-secret:somesecret "http://localhost:8080/sparklr2/oauth/token?grant_type=password&username=marissa&password=koala"

这篇关于Spring Security Oauth2资源所有者密码凭证授予的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！