Spring OAuth2 disable HTTP Basic Auth for TokenEndpoint
I am starting with Spring OAuth2. So far so good, I got the app with customization. But I have a problem, my client doesn't support HTTP Basic Authorization.
Is there a way to disable HTTP Basic Auth for the / oauth / token endpoint? I would like to send client_id and client_secret in JSON body or request headers.
curl examples I would like to work:
curl -X POST -H "Content-Type: application/json" -d '{
"username": "user",
"password": "pass",
"grant_type": "password",
"client_id": "test-client-id",
"client_secret": "test-client-secret"
}' "http://localhost:9999/api/oauth/token"
OR
curl -X POST -H "Content-Type: application/json" -H "X-Client-ID: test-client-id" -H "X-Client-Secret: test-client-secret" -d '{
"username": "user",
"password": "pass",
"grant_type": "password"
}' "http://localhost:9999/api/oauth/token"
+2
source to share
1 answer
I finally figured it out. The way to disable HTTP Basich Auth is to enable form authentication for clients. Just add these lines to your config.
@Configuration
@EnableAuthorizationServer
protected static class OAuth2Config extends AuthorizationServerConfigurerAdapter {
@Override
public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
oauthServer.allowFormAuthenticationForClients();
}
}
You should now be able to send a successful request to TokenEndpoint like this:
curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d 'username=user_username&password=user_password&grant_type=password&client_id=your_trusted_client_id&client_secret=your_trusted_client_secret' "http://localhost:8080/oauth/token"
But there is still a problem with ContentType / json content. Does anyone have a solution for this?
+11
source to share