
Authorization Code Grant flow should support AccessToken only #4513


Closed
jgrandja opened this issue Aug 30, 2017 · 1 comment
Labels
in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose)

Comments


jgrandja commented Aug 30, 2017

The AuthorizationCodeAuthenticationProcessingFilter currently supports the oauth2Login feature. It handles the Authorization Response callback and processes it with its collaborators in the following step sequence:

  1. Exchanges the AuthorizationCode Grant for an AccessToken
  2. Then calls the OAuth2UserService to load the Principal information and ultimately authenticate the session

Step 2 is not specified as part of the Authorization Code Grant flow in the OAuth 2.0 spec. However, we need this step in order to realize the oauth2Login feature.

But we also need to support the Authorization Code Grant flow as per spec for cases where the Authorized client needs to fetch a new AccessToken to access other protected resources (after the end-user has authenticated).

In order to support this, AuthorizationCodeAuthenticationProcessingFilter and AuthorizationCodeAuthenticationProvider will need to be re-factored.
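The two-step sequence described in this issue, modelled as an added example (not Spring Security's code and not the refactor the issue proposes): step 1 is the spec's code-for-token exchange at the token endpoint, step 2 is the user-loading call, kept behind a separate interface so that a login flow composes both while a client that only needs a fresh access token uses step 1 alone. Every class name here is a hypothetical stand-in, the authorization server is an in-memory stub constructed for the demo, and the checks it applies (state must match the value stored before the redirect, a code is accepted once and only for the client and redirect URI it was issued to) are the ones a defender wants step 1 to enforce regardless of whether step 2 follows.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

/** Access token returned by the token endpoint (result of step 1). */
final class AccessToken {
    final String value;
    AccessToken(String value) { this.value = value; }
}

/** Stand-in for the authorization server's authorization and token endpoints (constructed, in-memory). */
final class AuthorizationServerStub {
    private static final SecureRandom RNG = new SecureRandom();
    // code -> "clientId|redirectUri"; the entry is removed on first use so a code cannot be replayed
    private final Map<String, String> pendingCodes = new HashMap<>();

    static String randomToken() {
        byte[] bytes = new byte[16];
        RNG.nextBytes(bytes);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }

    /** Authorization endpoint: bind a fresh code to the client and redirect URI it was issued for. */
    String issueCode(String clientId, String redirectUri) {
        String code = randomToken();
        pendingCodes.put(code, clientId + "|" + redirectUri);
        return code;
    }

    /** Token endpoint: a code is consumed on first presentation, and yields a token only if the binding matches. */
    Optional<AccessToken> exchange(String code, String clientId, String redirectUri) {
        String binding = pendingCodes.remove(code); // consumed even when the check below fails
        if (binding == null || !binding.equals(clientId + "|" + redirectUri)) {
            return Optional.empty();
        }
        return Optional.of(new AccessToken(randomToken()));
    }
}

/** Step 1 only: the Authorization Code Grant as the spec defines it, with no user-loading step attached. */
final class AuthorizationCodeExchanger {
    private final AuthorizationServerStub server;
    private final String clientId;
    private final String redirectUri;

    AuthorizationCodeExchanger(AuthorizationServerStub server, String clientId, String redirectUri) {
        this.server = server;
        this.clientId = clientId;
        this.redirectUri = redirectUri;
    }

    /** Handles the authorization response callback; expectedState is what the client stored before redirecting. */
    Optional<AccessToken> onCallback(String code, String returnedState, String expectedState) {
        // CSRF defence: the state echoed back must equal the value bound to this session
        if (expectedState == null || !expectedState.equals(returnedState)) {
            return Optional.empty();
        }
        return server.exchange(code, clientId, redirectUri);
    }
}

/** Step 2, kept separate so a login flow can compose it and a token-only flow can skip it. */
interface UserLoader {
    String loadPrincipal(AccessToken token);
}

public class AuthorizationCodeFlowDemo {
    public static void main(String[] args) {
        AuthorizationServerStub server = new AuthorizationServerStub();
        String clientId = "demo-client";                       // constructed sample value
        String redirectUri = "https://client.example/callback"; // constructed sample value
        AuthorizationCodeExchanger exchanger = new AuthorizationCodeExchanger(server, clientId, redirectUri);
        // Stand-in for the user-info call; a real loader would present the token to a protected resource
        UserLoader userLoader = token -> "user-for-" + token.value.substring(0, 4);

        // Login flow: step 1 (exchange) followed by step 2 (load the principal)
        String loginState = AuthorizationServerStub.randomToken();
        String loginCode = server.issueCode(clientId, redirectUri);
        Optional<AccessToken> loginToken = exchanger.onCallback(loginCode, loginState, loginState);
        System.out.println("login: principal = " + loginToken.map(userLoader::loadPrincipal).orElse("(rejected)"));

        // Token-only flow: step 1 alone, e.g. an already authenticated client fetching a token for another resource
        String apiState = AuthorizationServerStub.randomToken();
        String apiCode = server.issueCode(clientId, redirectUri);
        System.out.println("token-only: token issued = " + exchanger.onCallback(apiCode, apiState, apiState).isPresent());

        // Failure modes step 1 must reject on its own: replayed code, and a state that does not match
        System.out.println("replayed code accepted = " + exchanger.onCallback(loginCode, loginState, loginState).isPresent());
        String freshCode = server.issueCode(clientId, redirectUri);
        System.out.println("wrong state accepted = " + exchanger.onCallback(freshCode, "other-state", apiState).isPresent());
    }
}
```

Compile and run with `javac AuthorizationCodeFlowDemo.java && java AuthorizationCodeFlowDemo`; the two "accepted" lines print `false`. The point of the split is that `AuthorizationCodeExchanger` carries the whole protocol-level validation, so nothing is lost by omitting `UserLoader`, and the login flow is the token-only flow plus one extra collaborator rather than a different code path.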

@jgrandja jgrandja added the in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) label Aug 30, 2017
@jgrandja jgrandja added this to the 5.0.0.M4 milestone Aug 30, 2017
@jgrandja jgrandja self-assigned this Aug 30, 2017
@jgrandja jgrandja changed the title Authorization Code Grant Flow should support AccessToken only Authorization Code Grant flow should support AccessToken only Aug 30, 2017
@jgrandja jgrandja mentioned this issue Aug 30, 2017
28 tasks
@jgrandja jgrandja removed this from the 5.0.0.M4 milestone Sep 13, 2017
jgrandja added a commit to jgrandja/spring-security that referenced this issue Oct 5, 2017
The AuthorizationCodeAuthenticationProvider implements part of the
Authorization Code Grant flow as defined in
OAuth 2.0 Authorization Framework and OpenID Connect Core 1.0.
The implementation needs to be de-coupled to allow for better re-use and readability.
This commit introduces the AuthorizationGrantAuthenticator and extracts logic from
AuthorizationCodeAuthenticationProvider and provides different implementations
for OAuth 2.0 and OpenID Connect 1.0.

This re-factor is part of the work required for Issue spring-projectsgh-4513
jgrandja added a commit to jgrandja/spring-security that referenced this issue Oct 5, 2017
Moved logic from AuthorizationCodeAuthenticationProvider
to OAuth2UserAuthenticationProvider (new) related to
loading user attributes via OAuth2UserService.

This re-factor is part of the work required for Issue spring-projectsgh-4513
@jgrandja jgrandja added this to the 5.0.0.M5 milestone Oct 5, 2017

jgrandja commented Oct 5, 2017

Resolved via f8a9077 and 5c14e48

@jgrandja jgrandja closed this as completed Oct 5, 2017
thomasdarimont pushed a commit to thomasdarimont/spring-security that referenced this issue Apr 25, 2018
thomasdarimont pushed a commit to thomasdarimont/spring-security that referenced this issue Apr 25, 2018