Spring Security OAuth
SECOAUTH-205

Implicit grant should be able to ask for user approval

    Details

    • Type: New Feature
    • Status: Resolved
    • Priority: Major
    • Resolution: Complete
    • Affects Version/s: None
    • Fix Version/s: 1.0.0.M6
    • Component/s: OAuth 2
    • Labels: None

      Description

      See discussion at the end of SECOAUTH-193.

        Activity

        Vladimir Kryachko added a comment -

        Please have a look at https://github.com/SpringSource/spring-security-oauth/pull/19

        I've added ClientTrustStrategy interface responsible for deciding whether to skip confirmation page for a given response_type.
        This interface has one method canSkipApproval(AuthorizationRequestHolder requestHolder) which has access to both the authorizationRequest and the authenticated user, which makes it possible to customize the behavior in a lot of ways.
        One particular use case that I am personally very interested in is the ability to prompt the user for approval only once for a given client.

        I have preserved current behavior by implementing ImplicitClientTrustStrategy, which allows implicit grant type to bypass confirmation, and forces confirmation for authorization_code grant type.

        What do you think?

        Dave Syer added a comment -

        There's already a UserApprovalHandler strategy which looks very similar. Can we use that instead?

        Dave Syer added a comment -

        I'm working on a solution using the UserApprovalHandler. I think it looks like the right direction and will address both this issue and the re-scoped SECOAUTH-129.

        Vladimir Kryachko added a comment -

        Yeah, sounds like the right direction, I did not pay attention to UserApprovalHandler.

        Dave Syer added a comment -

        I'm nearly finished here. It works but the tests break because the approval decisions are now cached by default. I'll have to work out a way to fix that before I push the changes.

        Dave Syer added a comment -

        I'm finished. If you could try it out that would be great. There's a hack in the SparklrUserApprovalHandler that allows us to switch the approval caching from SECOAUTH-129 off for the tests. There's also an implicit JavaScript client demo in /sparklr2/browse.html based on the Facebook sample (hardcoded with the oauth authorize endpoint URL). If anyone knows how to make that look nicer please shout.

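The UserApprovalHandler direction discussed in this thread, as an added illustration that is not code from the pull request or from the project itself: consent is required for every response_type, including implicit (token), and each decision is remembered per user, client and scope set so the user is asked only once. It assumes the 1.0.x contract (isApproved(AuthorizationRequest, Authentication) and updateBeforeApproval), the user_oauth_approval form parameter, and an in-memory store standing in for whatever a real handler would persist.

```java
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.provider.AuthorizationRequest;
import org.springframework.security.oauth2.provider.approval.UserApprovalHandler;

/**
 * Prompts once per user + client + scope set, for code and implicit clients
 * alike. Assumption: the 1.0.x UserApprovalHandler method signatures.
 */
public class RememberingUserApprovalHandler implements UserApprovalHandler {

    /** Form parameter posted by the confirmation page (assumed name). */
    private static final String APPROVAL_PARAM = "user_oauth_approval";

    /** Remembered consents: "user|clientId" -> approved scopes. In-memory
     *  stand-in; a real deployment would persist and expire these. */
    private final Map<String, Set<String>> remembered =
            new ConcurrentHashMap<String, Set<String>>();

    public boolean isApproved(AuthorizationRequest request, Authentication user) {
        String key = user.getName() + "|" + request.getClientId();
        Set<String> asked = new HashSet<String>(request.getScope());

        // Earlier consent covers every requested scope: skip the page.
        // A request for a wider scope set falls through and is prompted again.
        Set<String> granted = remembered.get(key);
        if (granted != null && granted.containsAll(asked)) {
            return true;
        }

        // The confirmation form was just submitted: honour it and remember it.
        // Same rule regardless of response_type: the implicit flow hands the
        // token straight to the browser, so it must not bypass consent.
        String decision = request.getApprovalParameters().get(APPROVAL_PARAM);
        if ("true".equals(decision)) {
            remembered.put(key, asked);
            return true;
        }
        return false; // no decision recorded yet: show the confirmation page
    }

    public AuthorizationRequest updateBeforeApproval(AuthorizationRequest request,
                                                     Authentication user) {
        return request; // nothing to adjust before the user sees the page
    }
}
```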

          People

          • Assignee: Dave Syer
          • Reporter: Dave Syer
          • Votes: 0
          • Watchers: 1
