Spring Security OAuth2 simple configuration

Question

I have a simple project that requires the simple following configuration :

• I have a "password" grant_type, which means I can submit the username/password (that the user enters in my login form), and get an access_token on success.
• With that access_token, I can request an API and get the user's information.

I know the URIs of the APIs, I don't want anything huge (I saw the configuration on https://github.com/spring-projects/spring-security-oauth/tree/master/samples) and it seems HUGE.

I can think of it this way :

• Do a simple HTTP request, giving *client_id* , *client_secret* , *grant_type=password* , username and password (that the user provided).
• I receive an *ACCESS_TOKEN* (and some other stuff) in a JSON response.
• I use the *ACCESS_TOKEN* to query a URL (using simple GET request), that will give the user's information.
• I set the information in HttpSession and consider the user as logged in.

It can be done in 2 HTTP requests. I just don't want to do it this way, but using the "safer" way instead with Spring Security OAuth2.

Can you think of what "simple" config I need to make to have this done?

Answer 1

Don't let the sparklr sample confuse you (it does a lot more than you seem to need). Is this simple enough for you?

@ComponentScan
@EnableAutoConfiguration
public class Application {

public static void main(String[] args) {
    SpringApplication.run(Application.class, args);
}

@Configuration
@Order(Ordered.LOWEST_PRECEDENCE - 100)
protected static class OAuth2Config extends OAuth2AuthorizationServerConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // @formatter:off
        auth.apply(new InMemoryClientDetailsServiceConfigurer())
            .withClient("my-trusted-client")
                .authorizedGrantTypes("password", "authorization_code", "refresh_token", "implicit")
                .authorities("ROLE_CLIENT", "ROLE_TRUSTED_CLIENT")
                .scopes("read", "write", "trust")
                .accessTokenValiditySeconds(60)
        .and()
            .withClient("my-client-with-secret")
                .authorizedGrantTypes("client_credentials")
                .authorities("ROLE_CLIENT")
                .scopes("read")
                .secret("secret");
    // @formatter:on
    }

}

}

That's the auth server. The client is also easy (e.g. the one in the Spring OAuth project). P.S. this is all Spring OAuth 2.0 stuff (not yet released), but we're working on it (and the 1.0 features with XML config really aren't that much heavier).

N.B. This kind of defeats the object of OAuth2 (webapp clients are not supposed to collect user credentials). You should consider using grant_type=authorization_code.