Spring Security OAuth

Provide OAuth2TokenEntryPoint for responding with OAuth2-compliant errors on HTTP Basic authentication errors

    Details

    • Type: New Feature
    • Status: Resolved
    • Priority: Minor
    • Resolution: Complete
    • Affects Version/s: 1.0.0
    • Fix Version/s: 1.0.1
    • Component/s: OAuth 2
    • Labels:
      None

      Description

      While OAuth2AuthenticationEntryPoint should work for the Resource Server, a different EntryPoint is needed for the Token endpoint to return OAuth2-specific error messages instead of leaving rendering to the underlying application server.

        Activity

        Dave Syer added a comment -

        I'm not so sure it needs to be a different endpoint implementation - it's only the prefix in the WWW-Authenticate header that's wrong, isn't it. Note also that the standard BasicAuthenticationEntryPoint works fine for most practical purposes - i.e. a well-behaved client will respond to the 401 challenge in a predictable and sensible way.

        Tuukka Mustonen added a comment (edited)

        Maybe not a separate implementation, just that it sends the correct WWW-Authenticate header and a proper OAuth2 message. The OAuth2 spec is strict about error responses; the oauth module should follow that. From a developer's perspective it's just clearer if there is a different EntryPoint for the Authorization Server and a different one for the Resource Server (even if they were in the same application).

        Dave Syer added a comment -

        The existing OAuth2AuthenticationEntryPoint already supports injecting the prefix for the WWW-Authenticate header, so there's really nothing to do here. Users are free to choose this implementation or the stock BasicAuthenticationEntryPoint, and I updated the sparklr2 sample to use the former, which I think is more sensible (and should get you the responses you need).

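As an added example (not code from this issue or from the sparklr2 sample), the Spring Security OAuth 1.0.x XML configuration that wires OAuth2AuthenticationEntryPoint in front of the token endpoint, along the lines of Dave Syer's last comment. The `typeName` and `realmName` properties are the entry point's own setters; the bean ids, realm names, and the referenced `clientAuthenticationManager` and `clientCredentialsTokenEndpointFilter` beans are assumptions. Setting `typeName` to `Basic` makes a failed client authentication at `/oauth/token` answer 401 with a `WWW-Authenticate` challenge in the same scheme the client used (which RFC 6749 section 5.2 requires) and an OAuth2-style JSON error body, instead of whatever error page the servlet container would render for a bare 401.

```xml
<!-- Added example: protecting the token endpoint with HTTP Basic client authentication
     (Spring Security OAuth 1.0.x, XML configuration). Bean ids and realm names are
     assumptions; clientAuthenticationManager and clientCredentialsTokenEndpointFilter
     are assumed to be defined elsewhere in the same application context. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:sec="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security.xsd">

  <!-- Entry point for the token endpoint: challenge with the Basic scheme (the default
       typeName is Bearer) and render the OAuth2 error as JSON rather than leaving the
       401 to the container. -->
  <bean id="clientAuthenticationEntryPoint"
        class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
    <property name="realmName" value="example/client" /> <!-- assumed realm name -->
    <property name="typeName" value="Basic" />
  </bean>

  <!-- Entry point for resource-server URLs keeps the Bearer scheme (the default). -->
  <bean id="oauthAuthenticationEntryPoint"
        class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
    <property name="realmName" value="example" /> <!-- assumed realm name -->
  </bean>

  <!-- Token endpoint: stateless, no anonymous access, HTTP Basic client authentication
       with the OAuth2-aware entry point; the optional custom filter accepts client
       credentials passed as request parameters. -->
  <sec:http pattern="/oauth/token" create-session="stateless"
            authentication-manager-ref="clientAuthenticationManager">
    <sec:intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY" />
    <sec:anonymous enabled="false" />
    <sec:http-basic entry-point-ref="clientAuthenticationEntryPoint" />
    <sec:custom-filter ref="clientCredentialsTokenEndpointFilter" after="BASIC_AUTH_FILTER" />
  </sec:http>
</beans>
```

With this in place, a request to `/oauth/token` carrying bad or missing client credentials gets a 401 whose `WWW-Authenticate` value starts with `Basic realm="example/client"` (the configured type prefix and realm) followed by the OAuth2 error attributes, and a JSON body describing the error; the resource-server paths, using the second bean, keep challenging with `Bearer`. Using two entry point beans is what makes the two roles explicit in one application, which was the reporter's readability concern.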

          People

          • Assignee:
            Dave Syer
            Reporter:
            Tuukka Mustonen
          • Votes:
            0
            Watchers:
            2
