Spring Security OAuth - SECOAUTH-151

Client context should not need local webapp user auth token if client credentials grant type is in use


Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Minor
    • Resolution: Complete
    • Affects Version/s: None
    • Fix Version/s: 1.0.0.M6
    • Component/s: OAuth 2
    • Labels: None

Description

    Our web app needs to obtain an "application" access token for a provider service. This token is not linked to a particular user authentication, it is application-wide, and uses client credentials flow. The current AbstractOAuth2AccessTokenProvider does not support this use case well, because obtainNewAccessToken() always uses the current authentication from the SecurityContext, and stores the resulting tokens for that user.

    In our application, the SecurityContext is populated with the user making the request, which should not be the owner of the application token.

    The AccessTokenProvider could be refactored a little to support this scenario - obtaining a token without connection to a user authentication.

    Maybe there should even be a flag on the ProtectedResourceDetails that determines if access tokens for that resource should be looked up and stored in the TokenServices for the current user?
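The scenario described in this issue, as an added illustration that is not part of the issue or of the Spring Security OAuth code base: a minimal token provider in which the class names ResourceDetails, TokenProvider, TokenCache and FakeAuthServer and the thread-local CURRENT_USER are assumptions standing in for ProtectedResourceDetails, the provider, TokenServices and the SecurityContext. It keys cached tokens by the requesting user for user-bound grants but by the application for client credentials, so an application-wide token is neither stored under whichever user happened to trigger the first request nor refetched once per user, while a user-bound token is never handed to a different user.

```java
import java.util.HashMap;
import java.util.Map;

// Added illustration for SECOAUTH-151; none of these types are Spring Security OAuth classes.
public class ClientCredentialsTokenDemo {

    enum GrantType { AUTHORIZATION_CODE, CLIENT_CREDENTIALS }

    /** Stand-in for ProtectedResourceDetails: the resource id and the grant type used to reach it. */
    static final class ResourceDetails {
        final String id;
        final GrantType grantType;
        ResourceDetails(String id, GrantType grantType) { this.id = id; this.grantType = grantType; }
    }

    /** Stand-in for the SecurityContext: name of the user behind the current request, or null. */
    static final ThreadLocal<String> CURRENT_USER = new ThreadLocal<>();

    /** Stand-in for TokenServices: stored tokens keyed by "resourceId|owner". */
    static final class TokenCache {
        private final Map<String, String> tokens = new HashMap<>();
        String get(String key) { return tokens.get(key); }
        void put(String key, String token) { tokens.put(key, token); }
    }

    /** Fake authorization server that counts issuances so token reuse is observable. */
    static final class FakeAuthServer {
        int issued = 0;
        String issue(ResourceDetails resource, String owner) {
            issued++;
            return "token-" + resource.id + "-" + owner + "-" + issued;
        }
    }

    static final class TokenProvider {
        private final TokenCache cache = new TokenCache();
        private final FakeAuthServer server;
        TokenProvider(FakeAuthServer server) { this.server = server; }

        /** Owner of tokens for this resource: the application for client credentials, else the current user. */
        static String ownerFor(ResourceDetails resource) {
            if (resource.grantType == GrantType.CLIENT_CREDENTIALS) {
                return "application"; // application-wide token: the logged-in user is irrelevant here
            }
            String user = CURRENT_USER.get();
            if (user == null) {
                throw new IllegalStateException("user-bound grant for " + resource.id + " requires an authenticated user");
            }
            return user;
        }

        String obtainAccessToken(ResourceDetails resource) {
            String owner = ownerFor(resource);
            String key = resource.id + "|" + owner;
            String token = cache.get(key);
            if (token == null) {
                token = server.issue(resource, owner);
                cache.put(key, token);
            }
            return token;
        }
    }

    public static void main(String[] args) {
        FakeAuthServer server = new FakeAuthServer();
        TokenProvider provider = new TokenProvider(server);
        ResourceDetails appApi = new ResourceDetails("provider-api", GrantType.CLIENT_CREDENTIALS);
        ResourceDetails userApi = new ResourceDetails("user-profile", GrantType.AUTHORIZATION_CODE);

        // Two different web users hit the client-credentials resource: one token, one issuance.
        CURRENT_USER.set("alice");
        String a = provider.obtainAccessToken(appApi);
        CURRENT_USER.set("bob");
        String b = provider.obtainAccessToken(appApi);
        System.out.println("same application token for alice and bob: " + a.equals(b) + " (issued=" + server.issued + ")");

        // A user-bound resource stays per user: bob must never receive alice's token.
        CURRENT_USER.set("alice");
        String ua = provider.obtainAccessToken(userApi);
        CURRENT_USER.set("bob");
        String ub = provider.obtainAccessToken(userApi);
        System.out.println("user tokens distinct: " + (!ua.equals(ub)));

        // The application token is obtainable with no user in the context at all (e.g. a background job),
        // whereas a user-bound grant is refused rather than silently issued to nobody.
        CURRENT_USER.remove();
        System.out.println("app token without user: " + provider.obtainAccessToken(appApi).equals(a));
        try {
            provider.obtainAccessToken(userApi);
        } catch (IllegalStateException e) {
            System.out.println("user-bound grant correctly refused: " + e.getMessage());
        }
    }
}
```

The decision is made entirely from the resource's grant type, which is what the flag on ProtectedResourceDetails proposed in the description would carry; the cache key is the only place the two cases differ, and getting it wrong in the other direction (keying user tokens application-wide) would leak one user's token to every other user.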

People

    Assignee: Dave Syer (david_syer)
    Reporter: Marcus Better (marcusb)
    Votes: 0
    Watchers: 0