[mitreid-connect] Support for Resource Owner Password Credentials

Luiz Omori luiz.omori at duke.edu
Wed Jun 17 15:19:58 EDT 2015 

The minor change below in DefaultOIDCTokenService.java::createIdToken to check if AuthenticationTimeStamper.AUTH_TIMESTAMP is defined handles the problem from the pure code point of view. Not sure yet if that property is mandatory or not. Will check where it could be defined.

                        if (request.getExtensions().get(AuthenticationTimeStamper.AUTH_TIMESTAMP)!=null) {
                            Long authTimestamp =
                                    Long.parseLong((String) request.getExtensions().get(AuthenticationTimeStamper.AUTH_TIMESTAMP));

                            if (authTimestamp != null) {
                                    idClaims.setClaim("auth_time", authTimestamp / 1000L);
                            }
                        }

Regards,
Luiz

From: Luiz Omori <luiz.omori at dm.duke.edu<mailto:luiz.omori at dm.duke.edu>>
Date: Wednesday, June 17, 2015 at 2:15 PM
To: Justin Richer <jricher at mit.edu<mailto:jricher at mit.edu>>
Cc: "mitreid-connect at mit.edu<mailto:mitreid-connect at mit.edu>" <mitreid-connect at mit.edu<mailto:mitreid-connect at mit.edu>>
Subject: Re: [mitreid-connect] Support for Resource Owner Password Credentials

Thanks. I was looking exactly at that but explicitly set the authentication-manager to "authenticationManager" which apparently causes the invocation of Mitre's DefaultOAuth2ProviderTokenService down the line. That's the same one used for the MitreId server itself, right?

<oauth:password authentication-manager-ref="authenticationManager" />

In any case, both seem to have the same behaviour on my system, which is an exception. See partial stack trace below. Will take a look what is causing that but let me know if you know the cause already.

...
</pre><p><b>root cause</b></p><pre>java.lang.NumberFormatException: null
java.lang.Long.parseLong(Long.java:552)
java.lang.Long.parseLong(Long.java:631)
org.mitre.openid.connect.service.impl.DefaultOIDCTokenService.createIdToken(DefaultOIDCTokenService.java:112)
org.mitre.openid.connect.token.ConnectTokenEnhancer.enhance(ConnectTokenEnhancer.java:128)
org.mitre.oauth2.service.impl.DefaultOAuth2ProviderTokenService.createAccessToken(DefaultOAuth2ProviderTokenService.java:178)
org.mitre.oauth2.service.impl.DefaultOAuth2ProviderTokenService.createAccessToken(DefaultOAuth2ProviderTokenService.java:64)
org.springframework.security.oauth2.provider.token.AbstractTokenGranter.getAccessToken(AbstractTokenGranter.java:70)
...

Well, yes, this may be used by legacy system in our case. By the way, what is the official view for this OAuth2 flow under OpenId Connect? I've seen arguments about Authorization and Implicit flows being recommended by OpenId Connect, but not explicitly saying that Client Credentials and Resource Owner are not allowed.

Regards,
Luiz


From: Justin Richer <jricher at mit.edu<mailto:jricher at mit.edu>>
Date: Wednesday, June 17, 2015 at 1:34 PM
To: Luiz Omori <luiz.omori at dm.duke.edu<mailto:luiz.omori at dm.duke.edu>>
Cc: "mitreid-connect at mit.edu<mailto:mitreid-connect at mit.edu>" <mitreid-connect at mit.edu<mailto:mitreid-connect at mit.edu>>
Subject: Re: [mitreid-connect] Support for Resource Owner Password Credentials

Override or edit authz-context.xml and add the following line:

<oauth:password/>

next to all the other grants. And be very careful using this flow, you should only ever use it with highly trusted and legacy clients that can't open a browser.

 - Justin

On Jun 16, 2015, at 1:29 PM, Luiz Omori <luiz.omori at duke.edu<mailto:luiz.omori at duke.edu>> wrote:

Hi,

I've seen a ticket requesting support for the Resource Owner (grant_type=password) flow and it's said that it's already supported but a special server configuration is necessary, possibly accomplished using Maven Overlays. Could you clarify exactly which server reconfiguration is required? Currently I'm building my own test server so don't really care about Maven Overlays at this point, can hack something directly in the build if necessary.

As you suspect, my client app is getting the error below, even tough the application support for grant type password is checked:

{"error":"unsupported_grant_type","error_description":"Unsupported grant type: password"}

Regards,
Luiz

https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/pull/567

_______________________________________________
mitreid-connect mailing list
mitreid-connect at mit.edu<mailto:mitreid-connect at mit.edu>
http://mailman.mit.edu/mailman/listinfo/mitreid-connect

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.mit.edu/pipermail/mitreid-connect/attachments/20150617/c2222b91/attachment.htm

More information about the mitreid-connect mailing list