This repository was archived by the owner on May 31, 2022. It is now read-only.

Description
Priority: Major
Original Assignee: Dave Syer
Reporter: ohad redlich
Created At: Fri, 26 Oct 2012 22:40:31 +0100
Last Updated on Jira: Wed, 2 Oct 2013 22:25:19 +0100
Currently, OAuth clients (e.g. tonr2) work with a local user DB (username+password). However, sometimes the scenario is that the client has no user DB of its own and relies on the OAuth provider for that. So technically the client uses "AnonymousAuthenticationToken", and then when OAuth2RestTemplate tries to obtain the token (in AccessTokenProviderChain.obtainAccessToken()), it fails, and then checks whether the token is of type "anonymous". If so, it throws InsufficientAuthenticationException (and not UserRedirectRequiredException), so the client never gets redirected to get a token.
Comments:
david_syer on Wed, 2 Oct 2013 22:25:19 +0100
See also http://forum.spring.io/forum/spring-projects/security/oauth/723334-problem-using-salesforce-com-s-oauth2-connected-apps-as-an-identity-provider?_=1380749052170. Quote from that thread:
"For now I would concentrate on OAuth2ClientAuthenticationProcessingFilter - it will force you to provide a ResourceServerTokenServices for your remote provider, which might be overkill for a simple authentication, but you should be able to do something that creates a good enough representation of the user and client to get you authenticated. In most cases this will require you to contact a remote endpoint (e.g. /userinfo or /me) to get some information about the user."