Lesson 11 - OAuth 2 and Spring Security

 

https://tonylim.tistory.com/280?category=938556 

OAuth 2.0 and OpenID Connect (OAtuh 2.0 in depth)

https://tonylim.tistory.com/149?category=938556 

[java brains] OAuth2 , Google

 

---

 

2things that authorization server needs to know 

1. user information -> managed by UserDeatilService in

2. client information managed by 

seperate representation for client and user. 

authenticationMangaer links between client and user authentication (not sure what this mean)

similar to UserDetailService -> clients.InMemory == InMemoryDetailsManager

 

5 grant Types in oauth -> way client get authorized token

1. authoriziation_code

2. password == deprecated -> what we are using now

3. client_credenitals

4. refresh_token

5. implicit == deprecated (no one use it)

 

Creating filter chain: OrRequestMatcher [requestMatchers=[Ant [pattern='/oauth/token'], Ant [pattern='/oauth/token_key'], Ant [pattern='/oauth/check_token']]]

notice with passing password(credential) -> 3 party knows credenital which is dangerous

but it is simple

 

this request is for client1 (password grant type)

client send user's id and password to /oauth/token -> get access token

 

---

 

user calls cllient to use some feature -> client redirects user to authorization server ->

user authenticate to authentication server with username and password -> client receive authroization token from server by given redirect url(go back to client)

this is implict grant type which is deprecated

 

client send request = code means we will use authorization_code (difference from implicit)

client redirects user to loginForm which our authenticaiton Server gave (just like google form)

user authorize client2 use some resources

authentication server gives authorization code to client with given redirect url

we send code(authorization code) to get acutal access token from authentication server

if we request one more time with same code it gives us error , we need to authenticate again or use refresh token