[mitreid-connect] Support for Resource Owner Password Credentials
Luiz Omori
luiz.omori at duke.edu
Wed Jun 17 14:15:44 EDT 2015
Thanks. I was looking exactly at that but explicitly set the authentication-manager to "authenticationManager" which apparently causes the invocation of Mitre's DefaultOAuth2ProviderTokenService down the line. That's the same one used for the MitreId server itself, right?
<oauth:password authentication-manager-ref="authenticationManager" />
In any case, both seem to have the same behaviour on my system, which is an exception. See partial stack trace below. Will take a look what is causing that but let me know if you know the cause already.
...
</pre><p><b>root cause</b></p><pre>java.lang.NumberFormatException: null
java.lang.Long.parseLong(Long.java:552)
java.lang.Long.parseLong(Long.java:631)
org.mitre.openid.connect.service.impl.DefaultOIDCTokenService.createIdToken(DefaultOIDCTokenService.java:112)
org.mitre.openid.connect.token.ConnectTokenEnhancer.enhance(ConnectTokenEnhancer.java:128)
org.mitre.oauth2.service.impl.DefaultOAuth2ProviderTokenService.createAccessToken(DefaultOAuth2ProviderTokenService.java:178)
org.mitre.oauth2.service.impl.DefaultOAuth2ProviderTokenService.createAccessToken(DefaultOAuth2ProviderTokenService.java:64)
org.springframework.security.oauth2.provider.token.AbstractTokenGranter.getAccessToken(AbstractTokenGranter.java:70)
...
Well, yes, this may be used by legacy system in our case. By the way, what is the official view for this OAuth2 flow under OpenId Connect? I've seen arguments about Authorization and Implicit flows being recommended by OpenId Connect, but not explicitly saying that Client Credentials and Resource Owner are not allowed.
Regards,
Luiz
From: Justin Richer <jricher at mit.edu<mailto:jricher at mit.edu>>
Date: Wednesday, June 17, 2015 at 1:34 PM
To: Luiz Omori <luiz.omori at dm.duke.edu<mailto:luiz.omori at dm.duke.edu>>
Cc: "mitreid-connect at mit.edu<mailto:mitreid-connect at mit.edu>" <mitreid-connect at mit.edu<mailto:mitreid-connect at mit.edu>>
Subject: Re: [mitreid-connect] Support for Resource Owner Password Credentials
Override or edit authz-context.xml and add the following line:
<oauth:password/>
next to all the other grants. And be very careful using this flow, you should only ever use it with highly trusted and legacy clients that can't open a browser.
- Justin
On Jun 16, 2015, at 1:29 PM, Luiz Omori <luiz.omori at duke.edu<mailto:luiz.omori at duke.edu>> wrote:
Hi,
I've seen a ticket requesting support for the Resource Owner (grant_type=password) flow and it's said that it's already supported but a special server configuration is necessary, possibly accomplished using Maven Overlays. Could you clarify exactly which server reconfiguration is required? Currently I'm building my own test server so don't really care about Maven Overlays at this point, can hack something directly in the build if necessary.
As you suspect, my client app is getting the error below, even tough the application support for grant type password is checked:
{"error":"unsupported_grant_type","error_description":"Unsupported grant type: password"}
Regards,
Luiz
https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/pull/567
_______________________________________________
mitreid-connect mailing list
mitreid-connect at mit.edu<mailto:mitreid-connect at mit.edu>
http://mailman.mit.edu/mailman/listinfo/mitreid-connect
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.mit.edu/pipermail/mitreid-connect/attachments/20150617/b936f6f8/attachment-0001.htm
More information about the mitreid-connect
mailing list