Over a million developers have joined DZone.
{{announcement.body}}
{{announcement.title}}

Spring Security OAuth2 — Client Authentication Issue

DZone's Guide to

Spring Security OAuth2 — Client Authentication Issue

A bug recently surfaced concerning Spring Security, OAuth 2, and the ability for a user to obtain an access token in an inappropriate manner. Read on to find out details and for the fix.

· Java Zone
Free Resource

Microservices! They are everywhere, or at least, the term is. When should you use a microservice architecture? What factors should be considered when making that decision? Do the benefits outweigh the costs? Why is everyone so excited about them, anyway?  Brought to you in partnership with IBM.

Issue #808 was recently reported that allowed a user to authenticate as a client and obtain an access token via the client_credentials or password grant flow.

This unique scenario occurs when a client and user have the same identifier (clientId and username). The user’s credentials are used for client authentication during a client_credentials or password grant flow and is successful in obtaining an access token with the authorities of the client.

The Fix

This bug has been fixed in 1ed986a and released in 2.0.11.RELEASE.

If you’re using Java-based configuration, please update to 2.0.11.RELEASE.

However, if you’re using XML-based configuration, please take the following actions:

  • Update to 2.0.11.RELEASE
  • Look at this JUnit test and it’s associated XML configuration to ensure the AuthenticationManager for client authentication and the AuthenticationManager for user authentication is setup the same in your configuration.
  • As a precautionary step, make sure your XML configuration is NOT setup the same as in this JUnit test and associated XML configuration as it demonstrates the original issue.

Thank you for reporting this issue Michael Pridemore and Ben Kiefer.

Discover how the Watson team is further developing SDKs in Java, Node.js, Python, iOS, and Android to access these services and make programming easy. Brought to you in partnership with IBM.

Topics:
junit ,xml ,client ,authentication ,oauth2 ,spring ,spring security

Published at DZone with permission of Joe Grandja, DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.

THE DZONE NEWSLETTER

Dev Resources & Solutions Straight to Your Inbox

Thanks for subscribing!

Awesome! Check your inbox to verify your email so you can start receiving the latest in tech news and resources.

X

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}