support password grant #343
@Leegecho, as stated in this comment, we will not be providing support for the password grant as it is deprecated in OAuth 2.1. For reference, see OAuth 2.1 and It's Time for OAuth 2.1. If you are interested, I would encourage you to work up a sample project that supports the Going forward, please reach out first before any work is done on a new feature to make sure it will get accepted, as we don't want you (or anyone) to spend unnecessary time on it. It's always best to open an issue for a new feature enhancement to discuss it first before any work is started. Thanks for your understanding.
Hi, sorry if I am not allowed to post a comment here, but for a custom type like password, you can easily implement it. Actually, it would be easy if there were an option to add an AuthenticationConverter to the existing list of AuthenticationConverters of the OAuth2TokenEndpointFilter class. Here is the code; basically it is the constructor of OAuth2TokenEndpointFilter:
Right now we cannot add any AuthenticationConverter to the existing list. For example, if there is a custom converter such as ResourceOwnerPasswordAuthenticationConverter, we cannot add it to the ArrayList. When a request comes in for the password grant type, then in the method doFilterInternal(), at this line
there will be an error, because there is no converter that can handle the password grant type. Anyway, what I did: I made a copy of the existing OAuth2TokenEndpointFilter and named it CustomOAuth2TokenEndpointFilter. It is the same class as OAuth2TokenEndpointFilter, but in the constructor I added the ResourceOwnerPasswordAuthenticationConverter. Here is the constructor:
Here is the ResourceOwnerPasswordAuthenticationToken class. I just followed how other classes did it, like the existing OAuth2ClientCredentialsAuthenticationToken:
Similarly, you can implement the CustomOAuth2ResourceOwnerPasswordAuthenticationProvider:
Finally, here is the configuration. In the configuration I am changing the filter position, which of course is not good. You can change the token endpoint in the provider settings so that CustomOAuth2TokenEndpointFilter will be called.
Similarly, we can add any custom type if there is an option to add a converter to the existing list of converters of OAuth2TokenEndpointFilter. Like after calling As ClientSecretPostAuthenticationConverter is already there, there is no need to implement any converter. But I think this option (the option to add an AuthenticationConverter like ClientSecretPostAuthenticationConverter) should also be available for the class OAuth2ClientAuthenticationFilter. Here is the constructor:
Then anyone can add any custom type for authentication: the password grant type or any other grant type. Hope it will help.
Thanks @Basit-Mahmood !
This is now possible via gh-319 and the associated commits. See example configuration.
@jgrandja Thanks for your response. But I didn't mean setting a custom token endpoint. I was talking about adding converters to the existing converters, so using the existing token endpoint (oauth2/token) but adding the functionality. For example, consider this configuration:
Note that I cannot use
It will add to the list of existing authentication providers. Now consider the OAuth2TokenEndpointFilter class.
Now the line Similarly, if we have something like
Now the line I think it will simplify the configuration of adding a custom grant type. So instead of setting the whole I am not saying that there is no need of I don't know if it sounds silly, or whether it makes sense or not. But I think it is easier if I just want to add a converter and want to use the existing endpoint. Similar functionality can be added for class Thanks
@Basit-Mahmood, the

```java
// Imports assume Spring Authorization Server 0.2.x package names (several of these moved in later releases).
import java.util.Arrays;

import org.springframework.security.config.annotation.ObjectPostProcessor;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.oauth2.server.authorization.OAuth2AuthorizationServerConfigurer;
import org.springframework.security.oauth2.server.authorization.web.OAuth2TokenEndpointFilter;
import org.springframework.security.oauth2.server.authorization.web.authentication.DelegatingAuthenticationConverter;
import org.springframework.security.oauth2.server.authorization.web.authentication.OAuth2AuthorizationCodeAuthenticationConverter;
import org.springframework.security.oauth2.server.authorization.web.authentication.OAuth2ClientCredentialsAuthenticationConverter;
import org.springframework.security.oauth2.server.authorization.web.authentication.OAuth2RefreshTokenAuthenticationConverter;

OAuth2AuthorizationServerConfigurer<HttpSecurity> authorizationServerConfigurer =
        new OAuth2AuthorizationServerConfigurer<>();

http
    .apply(authorizationServerConfigurer
        // Post-process the OAuth2TokenEndpointFilter the configurer builds, so the default
        // converter list can be replaced without copying the filter class.
        .withObjectPostProcessor(new ObjectPostProcessor<OAuth2TokenEndpointFilter>() {
            @Override
            public <O extends OAuth2TokenEndpointFilter> O postProcess(O oauth2TokenEndpointFilter) {
                // Setting the converter replaces the whole list, so the built-in converters are
                // listed again and the custom one (ResourceOwnerPasswordAuthenticationConverter,
                // your own class from this thread) is appended.
                oauth2TokenEndpointFilter.setAuthenticationConverter(new DelegatingAuthenticationConverter(
                        Arrays.asList(
                                new OAuth2AuthorizationCodeAuthenticationConverter(),
                                new OAuth2RefreshTokenAuthenticationConverter(),
                                new OAuth2ClientCredentialsAuthenticationConverter(),
                                new ResourceOwnerPasswordAuthenticationConverter())));
                return oauth2TokenEndpointFilter;
            }
        })
    );
```

Note: I have not tested this approach yet, so feedback welcome. If this isn't what you're looking for, and other options aren't covered by gh-139, can you open a specific enhancement request for any specific item that is impossible to customize in the framework (e.g. not just not as convenient as it could be)? We're most interested at this stage in things that are not possible to customize, before things that are not convenient to customize.
@sjohnr Hi, thanks. Your approach is working fine. I think it's OK now. This is what I wanted. I always thought about ObjectPostProcessor, but it's good to see ObjectPostProcessor finally in action. Thanks :)
@Basit-Mahmood, you're quite welcome. Thanks for the feedback!
@Basit-Mahmood, just an FYI that I actually missed where you can already set this converter via the configurer as @jgrandja mentioned, so slightly easier than using a post processor:
Sorry about the confusion, I missed it because I was looking for a different method name in the configurer. |
@sjohnr Hi, yup, it is working too. Now I am using it. I think it is closer to the configuration setting, but both are working fine, this one and the post processor. Thank you so much :)
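Putting the two threads of this discussion together, the following is an added example (not code from this issue or from the Spring Authorization Server project) of what a custom grant-type converter looks like and how it is registered on the existing /oauth2/token endpoint through the configurer route @sjohnr points to, rather than through an ObjectPostProcessor. Package names assume Spring Authorization Server 0.2.x on a javax.servlet stack; ResourceOwnerPasswordAuthenticationConverter and ResourceOwnerPasswordAuthenticationToken are the class names @Basit-Mahmood used, while PasswordGrantSupport, singleValue and the passed-in AuthenticationProvider are assumptions of the example (the provider that actually verifies the user's credentials is out of scope here).

```java
// Added example; assumes Spring Authorization Server 0.2.x package names and javax.servlet.
// PasswordGrantSupport, singleValue and the passed-in AuthenticationProvider are this example's own.
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;

import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.oauth2.server.authorization.OAuth2AuthorizationServerConfigurer;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
import org.springframework.security.oauth2.server.authorization.web.authentication.DelegatingAuthenticationConverter;
import org.springframework.security.oauth2.server.authorization.web.authentication.OAuth2AuthorizationCodeAuthenticationConverter;
import org.springframework.security.oauth2.server.authorization.web.authentication.OAuth2ClientCredentialsAuthenticationConverter;
import org.springframework.security.oauth2.server.authorization.web.authentication.OAuth2RefreshTokenAuthenticationConverter;
import org.springframework.security.web.authentication.AuthenticationConverter;
import org.springframework.util.StringUtils;

public final class PasswordGrantSupport {

    /** Carries the parsed password-grant request to the AuthenticationProvider. */
    public static final class ResourceOwnerPasswordAuthenticationToken extends AbstractAuthenticationToken {
        private final Authentication clientPrincipal;
        private final String username;
        private final String password;
        private final Set<String> scopes;

        ResourceOwnerPasswordAuthenticationToken(Authentication clientPrincipal, String username,
                String password, Set<String> scopes) {
            super(Collections.emptyList());
            this.clientPrincipal = clientPrincipal;
            this.username = username;
            this.password = password;
            this.scopes = Collections.unmodifiableSet(new HashSet<>(scopes));
            setAuthenticated(false); // only the provider may mark this authenticated
        }

        @Override public Object getPrincipal() { return this.clientPrincipal; }
        @Override public Object getCredentials() { return this.password; }
        public String getUsername() { return this.username; }
        public Set<String> getScopes() { return this.scopes; }
    }

    /** Converts a grant_type=password token request; returns null so other grants fall through. */
    public static final class ResourceOwnerPasswordAuthenticationConverter implements AuthenticationConverter {
        @Override
        public Authentication convert(HttpServletRequest request) {
            String grantType = request.getParameter(OAuth2ParameterNames.GRANT_TYPE);
            if (!AuthorizationGrantType.PASSWORD.getValue().equals(grantType)) {
                return null; // next delegate in DelegatingAuthenticationConverter gets a turn
            }
            // OAuth2ClientAuthenticationFilter has already authenticated the client at this point.
            Authentication clientPrincipal = SecurityContextHolder.getContext().getAuthentication();
            String username = singleValue(request, OAuth2ParameterNames.USERNAME, true);
            String password = singleValue(request, OAuth2ParameterNames.PASSWORD, true);
            String scope = singleValue(request, OAuth2ParameterNames.SCOPE, false);
            Set<String> scopes = StringUtils.hasText(scope)
                    ? new HashSet<>(Arrays.asList(StringUtils.delimitedListToStringArray(scope, " ")))
                    : Collections.emptySet();
            return new ResourceOwnerPasswordAuthenticationToken(clientPrincipal, username, password, scopes);
        }

        // RFC 6749 section 3.2: a parameter MUST NOT appear more than once, so a repeated or empty
        // parameter is rejected as invalid_request instead of silently taking the first value.
        private static String singleValue(HttpServletRequest request, String name, boolean required) {
            String[] values = request.getParameterValues(name);
            if (values == null || values.length == 0) {
                if (required) {
                    throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_REQUEST);
                }
                return null;
            }
            if (values.length > 1 || !StringUtils.hasText(values[0])) {
                throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_REQUEST);
            }
            return values[0];
        }
    }

    /** Registers the converter and its provider on the existing token endpoint via the configurer. */
    public static void configure(HttpSecurity http, AuthenticationProvider passwordGrantProvider) throws Exception {
        OAuth2AuthorizationServerConfigurer<HttpSecurity> configurer = new OAuth2AuthorizationServerConfigurer<>();
        configurer.tokenEndpoint(tokenEndpoint -> tokenEndpoint
                // accessTokenRequestConverter replaces the default list, so the built-ins are re-listed.
                .accessTokenRequestConverter(new DelegatingAuthenticationConverter(Arrays.asList(
                        new OAuth2AuthorizationCodeAuthenticationConverter(),
                        new OAuth2RefreshTokenAuthenticationConverter(),
                        new OAuth2ClientCredentialsAuthenticationConverter(),
                        new ResourceOwnerPasswordAuthenticationConverter())))
                // authenticationProvider adds to the built-in providers rather than replacing them.
                .authenticationProvider(passwordGrantProvider));
        http.apply(configurer);
    }
}
```

Two design points worth noting: the converter only decides whether it recognises the request and hands back an unauthenticated token, so all credential checking (and therefore lockout, auditing and throttling of failed attempts) belongs in the provider; and the converter refuses repeated parameters the same way the built-in converters do, which keeps a request carrying two `username` or `scope` values from being interpreted differently by the converter and by anything downstream that reads the raw request.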
Hi guys @Basit-Mahmood @sjohnr! I believe it will be as much appreciated by me as by posterity :) Thanks in advance!
Hey @Mersenne255. Since it isn't our plan to support this grant, I'll let other community members answer that question. Preferably, if @Basit-Mahmood or anyone else has a solution, please link to a GitHub repo in your own space, and move the discussion over to that repo and collaborate on it. It would be a nice way to help out and grow the community.
@sjohnr I was thinking of just attaching the files here. But OK, I will create a repository on my account and post a sample project there for anyone who is interested in the password grant type with the current version of Spring Authorization Server. But it would be good if some of the classes in the authorization server were made public. Right now they are package protected.
Thanks & Regards
@sjohnr @Mersenne255 I have added the link. You can go to my profile and check the projects in my repositories. Otherwise, try this link: https://github.com/Basit-Mahmood/spring-authorization-server-password-grant-type-support. If it won't open, just copy and paste the URL into a browser and it will open.
Thank you @Basit-Mahmood many times over!