I'm trying to use spring boot to create an oauth2 authorization that only supports the client credentials flow. As I understand that flow, the client accesses the /oauth/token endpoint directly. Is there a way to disable the /oauth/authorize endpoint in spring boot and allow direct access to /oauth/token without having to be fully authorized first?
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;

@Configuration
@EnableAuthorizationServer
public class OAuth2Configuration extends AuthorizationServerConfigurerAdapter {

    // Used by the token endpoint to authenticate resource-owner credentials (password grant);
    // the client_credentials grant only needs the client details configured below.
    @Autowired
    private AuthenticationManager authenticationManager;

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        // TODO: Is there something I can do here to disable /oauth/authorize?
        endpoints.authenticationManager(authenticationManager);
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        // client details configuration
    }
}
Answer 0 (score: 4)
I can't speak to disabling the authorization endpoint, but you can go straight to the token endpoint with the client credentials flow. I may be restating what you already know, but the credentials of a "client" (client_id / client_secret) are different from those of a "user" (username / password). A "user" goes to the authorization endpoint so that the client can obtain a token from the token endpoint. A "client" (in the client credentials flow) presents its client credentials directly to the token endpoint. Do you need to disable the authorization endpoint at all?
So for the client_credentials flow you do not need to authorize first (and you do not need to disable it). If your spring-boot authorization server is running on localhost:8080, you can curl for your token here:
curl -H "Authorization: Basic d2VhcHA6" -X POST "http://localhost:8080/oauth/token?grant_type=client_credentials"
where d2VhcHA6 is the base64 encoding of "client_id:client_secret"
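The exchange the answer describes, as an added example that is not part of the original question or answer: the client side builds the HTTP Basic header and the client_credentials request, and a small stand-in token endpoint shows what the server has to check before issuing a token (client authentication with a constant-time secret comparison, and that the client is actually allowed the requested grant type). The client id "weapp" with an empty secret is taken from the answer's header value (d2VhcHA6 is base64 of "weapp:"); the client registry and the endpoint handler are hypothetical and are not Spring Security's implementation.

```python
"""Client-credentials grant against an /oauth/token endpoint (added example)."""
import base64
import hmac
import json
import secrets
import urllib.parse
import urllib.request


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """RFC 6749 section 2.3.1: 'client_id:client_secret', base64-encoded."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_token_request(base_url, client_id, client_secret, scope=None):
    """Return (url, headers, body) for a client_credentials token request.

    grant_type is sent in the form body rather than the query string: the
    answer's curl puts it in the URL (Spring accepts both), but keeping
    parameters out of the URL keeps them out of access logs and proxies.
    """
    form = {"grant_type": "client_credentials"}
    if scope:
        form["scope"] = scope
    headers = {
        "Authorization": basic_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    url = base_url.rstrip("/") + "/oauth/token"
    return url, headers, urllib.parse.urlencode(form)


def request_token(base_url, client_id, client_secret, scope=None):
    """Send the request to a live authorization server (needs network)."""
    url, headers, body = build_token_request(base_url, client_id, client_secret, scope)
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


# Hypothetical client registry (constructed for this example). These are the
# "client" credentials the answer contrasts with a user's username/password.
CLIENTS = {
    "weapp": {"secret": "", "grant_types": {"client_credentials"}},
}


def token_endpoint(headers, body):
    """Stand-in /oauth/token handler. Returns (http_status, json_dict)."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return 401, {"error": "invalid_client"}
    try:
        decoded = base64.b64decode(auth[len("Basic "):], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return 401, {"error": "invalid_client"}
    client_id, _, presented = decoded.partition(":")
    client = CLIENTS.get(client_id)
    # Unknown client and wrong secret produce the same response, and the
    # secret comparison is constant-time.
    if client is None or not hmac.compare_digest(
        client["secret"].encode("utf-8"), presented.encode("utf-8")
    ):
        return 401, {"error": "invalid_client"}
    form = dict(urllib.parse.parse_qsl(body))
    grant = form.get("grant_type")
    # A client registered only for client_credentials cannot use other grants.
    if grant not in client["grant_types"]:
        return 400, {"error": "unauthorized_client"}
    return 200, {
        "access_token": secrets.token_urlsafe(32),
        "token_type": "bearer",
        "expires_in": 3600,
        "scope": form.get("scope", ""),
    }


if __name__ == "__main__":
    url, hdrs, body = build_token_request("http://localhost:8080", "weapp", "")
    print(hdrs["Authorization"])          # Basic d2VhcHA6, as in the answer
    print(token_endpoint(hdrs, body))     # (200, {... 'token_type': 'bearer' ...})
```

Run the file as-is to see the header and the simulated exchange offline; `request_token("http://localhost:8080", "weapp", "")` performs the same request against a real Spring Boot authorization server on that port.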