Q: Support for client credential and password grants #1
Comments
Hi @nikos, thanks for the question. FusionAuth does not currently support the client credentials grant; this will likely be coming this summer with a suite of IoT features. We could look into adding the Password grant to this library, or if you'd like to submit a PR that would be great as well. I'm not a Spring expert at all... so without digging back into the code your guess is as good as mine. If I have some cycles to take a look and see if I can stub it out I'll report back. If you're looking to use the password or credentials grant, does this mean you'll be using it for something other than a normal web login workflow? |
Hi, I recently heard that Spring started including an OpenID Connect feature and I haven't had the time to look into it. When I get the chance I will update our example code to use the latest Spring features. |
I upvoted this issue because I encountered the exact same problem. The filter given in this library is only useful for the Authorization Code grant, by analyzing the token in the response of the redirectUri after a successful login. I made a custom TokenFilter that I register in the security chain, which checks the validity of the token (with the public certificate), and then extracts the information needed from the JWT to create an authenticated user, with authorities extracted from the 'roles' key in the claims. If I have time, I'll submit a PR of my work to help people, but for the moment the class is not generic at all and only fits my specific needs... |
Hi Typler, are you referring to the changes in Spring Security 5.1.x? |
@damienherve my current approach is to make use of Spring's "standard" class when it comes to the password grants flow: OpenIDResourceDetails
OpenIDPasswordResourceDetails
OpenIDConnectFilter
|
I started working on a new example, based on how it's going I think this repo will be deprecated in favor of just using Spring Security 5. https://github.com/FusionAuth/fusionauth-spring-security-example/tree/SpringSecurity5 |
After further experimentation with Spring Security 5.1 it turns out that with a valid JWT at hand, securing your resources in your Spring Boot application is as straightforward as:
|
Does anyone have any news for us non-Java devs on how this may be going? Is there a simple method for allowing our customers' apps to authenticate with our APIs using |
Any update to support client_credentials grant type? Thank you |
FusionAuth does not currently support the client credentials grant. See FusionAuth feature request and ensure to upvote it. If you have a business requirement for this, hit the FusionAuth Contact form and we can provide you a quote with a timeline. Thanks! |
It seems that currently this library concentrates on supporting OAuth2 authorization code grants.
Are there any plans to also support client credential and password grants?
For the time being, would you recommend extending the OpenIDConnectFilter to also support other types of OAuth2ProtectedResourceDetails implementations, rather than limiting it to OpenIDAuthorizationCodeResourceDetails as it currently is? Any hints are very much appreciated, thanks in advance!