Spring Security OAuth / SECOAUTH-331

XSD updates to clarify oauth:resource for implicit mode

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Minor
    • Resolution: Complete
    • Affects Version/s: 1.0.0.RC2
    • Fix Version/s: 1.0.0
    • Component/s: OAuth 2
    • Labels: None

      Description

      To summarize, using the oauth:resource tag in implicit flow in a similar fashion to auth code flow is confusing/does not work as expected, and requires a workaround to get the client to redirect to /oauth/authorize for the access token.

      Auth Code Flow:

      <oauth:resource id="rs" type="authorization_code" client-id="client1" client-secret="${password}" access-token-uri="/oauth/token" user-authorization-uri="/oauth/authorize" scope="read" />
      

      Implicit Flow:

      <oauth:resource id="rs" type="implicit" client-id="client2" access-token-uri="/oauth/token" user-authorization-uri="/oauth/authorize" scope="read" />
      

      The main confusion arises from the OAuth2 spec and its confusing use of the token and authorization endpoints depending on the flow under implementation. Sometimes you get the token from /oauth/authorize and sometimes you get it from /oauth/token.

      My suggestions:

      1) Decouple the confusing spec from its implementation by renaming the respective attributes to token-endpoint-uri and authorization-endpoint-uri. access-token-uri implies that I will always get an access token from this uri (not the case with implicit grant). token-endpoint-uri implies that this is the /token endpoint as defined by the spec (pushes the confusion to the spec writers).

      2) Remove the requirement to have access-token-uri defined when using the oauth:resource tag as this depends on the flow being used. If the attributes are omitted, set reasonable defaults to /oauth/authorize and /oauth/token.

      Given these suggestions, the two flows would be represented as follows:

      Auth Code Flow:

      <oauth:resource id="rs" type="authorization_code" client-id="client1" client-secret="${password}" token-endpoint-uri="/oauth/token" authorization-endpoint-uri="/oauth/authorize" scope="read" />
      

      Implicit Flow:

      <oauth:resource id="rs" type="implicit" client-id="client2" authorization-endpoint-uri="/oauth/authorize" scope="read" />
      
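As an added illustration (not Spring Security OAuth's own code, and not part of the issue), the following Python model captures the distinction the report is about: both grant types start at the authorization endpoint, but only the authorization code flow ever talks to the token endpoint, and only that flow needs a client secret, so `access-token-uri` is irrelevant for an implicit client. Field names follow the attribute names and defaults proposed in the issue (`token-endpoint-uri`, `authorization-endpoint-uri`, defaulting to `/oauth/token` and `/oauth/authorize`); the client ids, redirect URLs, codes and tokens are constructed sample values.

```python
"""Model of the two grant types contrasted in the issue: which endpoint each
uses, and therefore which <oauth:resource> attributes a client really needs.
Added illustration, not Spring Security OAuth code.  Field names follow the
attribute names and defaults proposed in the issue; all sample values
(client ids, redirect URLs, codes, tokens) are constructed."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse


@dataclass
class ResourceConfig:
    id: str
    type: str                      # "authorization_code" or "implicit"
    client_id: str
    scope: str
    client_secret: Optional[str] = None
    # Suggestion 2 in the issue: sensible defaults when the attributes are omitted.
    authorization_endpoint_uri: str = "/oauth/authorize"
    token_endpoint_uri: str = "/oauth/token"


def validate(cfg: ResourceConfig) -> list:
    """Return configuration problems; an empty list means the config is usable."""
    problems = []
    if cfg.type == "authorization_code":
        # The code is exchanged at the token endpoint, authenticated with the secret.
        if not cfg.client_secret:
            problems.append("authorization_code needs client-secret to call the token endpoint")
        if not cfg.token_endpoint_uri:
            problems.append("authorization_code needs token-endpoint-uri")
    elif cfg.type == "implicit":
        # The token endpoint is never used: the token comes straight back from the
        # authorization endpoint, so requiring access-token-uri here is exactly the
        # confusion the issue describes.  The client runs in the browser, so a
        # secret could not be kept confidential anyway.
        if cfg.client_secret:
            problems.append("implicit clients are public; a client-secret would be exposed")
    else:
        problems.append(f"unknown grant type {cfg.type!r}")
    if not cfg.authorization_endpoint_uri:
        problems.append("authorization-endpoint-uri is required for both flows")
    return problems


def authorization_request(cfg: ResourceConfig, redirect_uri: str, state: str) -> str:
    """Both flows start with a redirect to the authorization endpoint;
    only response_type differs (code vs token)."""
    params = {
        "response_type": "code" if cfg.type == "authorization_code" else "token",
        "client_id": cfg.client_id,
        "redirect_uri": redirect_uri,
        "scope": cfg.scope,
        "state": state,
    }
    return cfg.authorization_endpoint_uri + "?" + urlencode(params)


def _single(values: dict, key: str) -> Optional[str]:
    # parse_qs yields lists; take the first value or None if absent.
    return values.get(key, [None])[0]


def handle_redirect(cfg: ResourceConfig, redirect_url: str,
                    redirect_uri: str, expected_state: str) -> dict:
    """Process the redirect back to the client and report where the access
    token is obtained from.  The state check rejects responses that do not
    belong to a request this client started."""
    parsed = urlparse(redirect_url)
    if cfg.type == "implicit":
        # Token arrives in the URL fragment, directly from the authorization endpoint.
        frag = parse_qs(parsed.fragment)
        if _single(frag, "state") != expected_state:
            raise ValueError("state mismatch")
        return {"access_token": _single(frag, "access_token"),
                "obtained_from": cfg.authorization_endpoint_uri}
    # Authorization code: only a code comes back in the query string; the token
    # is obtained by POSTing it to the token endpoint with the client secret.
    # The HTTP call itself is modelled as the request body it would send.
    query = parse_qs(parsed.query)
    if _single(query, "state") != expected_state:
        raise ValueError("state mismatch")
    token_request = {
        "grant_type": "authorization_code",
        "code": _single(query, "code"),
        "redirect_uri": redirect_uri,
        "client_id": cfg.client_id,
        "client_secret": cfg.client_secret,
    }
    return {"token_request": token_request, "obtained_from": cfg.token_endpoint_uri}


if __name__ == "__main__":
    implicit = ResourceConfig("rs", "implicit", "client2", "read")
    code_cfg = ResourceConfig("rs", "authorization_code", "client1", "read", client_secret="s3cret")
    print(validate(implicit), validate(code_cfg))
    print(authorization_request(implicit, "https://client.example/cb", "xyz"))
    print(handle_redirect(implicit,
                          "https://client.example/cb#access_token=tok123&token_type=bearer&state=xyz",
                          "https://client.example/cb", "xyz"))
```

The `validate` function is the part that matters for the configuration question: with the proposed naming, an implicit client is complete with just `authorization-endpoint-uri`, while an authorization code client is rejected unless it also has the secret it needs at the token endpoint.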

        Activity

        Dave Syer added a comment -

        Fixed as part of SECOAUTH-149

          People

          • Assignee: Dave Syer
          • Reporter: John Rodriguez
          • Votes: 0
          • Watchers: 2