是否可以在没有客户端密码的情况下从Spring OAuth2服务器获取access_token? [英] Is it possible to get an access_token from Spring OAuth2 server without client secret?

问题描述

我正在使用Spring Security的OAuth2服务器实现.我试图通过使用OAuth2密码"授予类型从服务器的/oauth/token端点获取access_token，方法是仅提供用户名和密码以及没有客户端机密的客户端ID. 只要我在HTTP请求的Authorization标头中提供客户端ID和客户端机密，这样就可以正常工作:

I am using Spring Security's OAuth2 server implementation. I am trying to get the access_token from the servers' /oauth/token endpoint using the OAuth2 "Password" grant type by only supplying username and password and the client id without the client secret. This works fine as long as I provide the client id and the client secret in the Authorization header of my HTTP request like so:

curl -u clientid:clientsecret http://myhost ... -d "grant_type=password&username=user&password=pw&client_id=OAUTH_CLIENT"

按照此处的建议进行操作: Spring OAuth2对TokenEndpoint禁用HTTP基本身份验证，我设法禁用了/auth/token端点的HTTP Basic身份验证.但是，当我尝试通过cURL获取access_token时:

Following the advice here: Spring OAuth2 disable HTTP Basic Auth for TokenEndpoint, I managed to disable HTTP Basic authentication for the /auth/token endpoint. But when I tried to get the access_token via cURL like so:

curl http://myhost ... -d "grant_type=password&username=user&password=pw&client_id=OAUTH_CLIENT"

我得到了BadCredentialsException并且可以看到以下消息:

I got a BadCredentialsException and could see the message:

身份验证失败:密码与存储的值不匹配

Authentication failed: password does not match stored value

在我的服务器日志中.在这一点上，我有点恼火，因为据我了解，该消息仅在用户名和/或密码有问题而不是客户端ID和/或密码有问题时才会显示.像这样在cURL命令中另外提供了客户端机密之后:

in my servers' log. At this point I was slightly irritated, because it was my understanding that this message only shows up when there's something wrong with the username and/or password, not the client id and/or secret. After additionally supplying the client secret in the cURL command like so:

 curl http://myhost ... -d "grant_type=password&username=user&password=pw&client_id=OAUTH_CLIENT&client_secret=SECRET"

一切都很好.

那么这是否意味着我必须以一种或另一种方式提供客户端密码才能访问/auth/token端点?

So does that mean I have to supply the client secret one way or another to access the /auth/token endpoint?

PS:我知道一个事实，关于安全性，通过HTTP Basic身份验证来保护此终结点通常是一个好主意，但是在某些用例中，人们宁愿不用它.

PS: I am aware of the fact that regarding security it is generally a good idea to protect this endpoint via HTTP Basic authentication, but there are some use cases where one would rather be able to do without.

我似乎已经找到一种忽略客户机密的方法.这是我的OAuth2服务器配置(请注意对allowFormAuthenticationForClients()和autoApprove(true)的调用):

I seem to have found a way to omit the client secret. Here's my OAuth2 server configuration (notice the calls to allowFormAuthenticationForClients() and autoApprove(true)):

@Configuration
@EnableAuthorizationServer
class OAuth2Config extends AuthorizationServerConfigurerAdapter {

    private final AuthenticationManager authenticationManager;

    public OAuth2Config(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.authenticationManager(this.authenticationManager);
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer oauth) throws Exception {
        // allows access of /auth/token endpoint without HTTP Basic authentication
        oauth.allowFormAuthenticationForClients();  
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients
        .inMemory()
        .withClient("acme")
        .autoApprove(true) // <- allows for client id only
        .authorizedGrantTypes("authorization_code", "refresh_token", "password").scopes("openid");
    }

}

编辑II:

此处的问题: Spring安全性OAuth 2.0-授权代码授予始终需要的客户机密与此密切相关，但是处理的是OAuth2授予​​类型授权代码"，这导致了不同的工作流程，就像您获得授予类型密码".

The question here: Spring Security OAuth 2.0 - client secret always required for authorization code grant is very closely related to this one but deals with the OAuth2 grant type "Authorization Code", which results in a different workflow like the one you get with grant type "Password".

推荐答案

根据规范(RFC 6749)，如果您的应用程序的客户端类型为 public ，不需要客户机密.相反，如果客户端类型为 机密 ，则需要客户端密码.

According to the specification (RFC 6749), if the client type of your application is public, a client secret is not required. On the contrary, if the client type is confidential, a client secret is required.

如果Spring提供了用于设置客户端类型的API，请尝试将客户端类型设置为 public .

If Spring offers an API to set the client type, try to set the client type to public.

这篇关于是否可以在没有客户端密码的情况下从Spring OAuth2服务器获取access_token?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！