Wednesday 15 January 2014

oauth 2.0 - Spring Cloud OAuth2: Password grant type & resource security


I have two questions related to OAuth2:

  1. How can I secure resources by grant_type? I want to secure my REST API with client_credentials, and then I want to secure user-specific resources with the password grant type. Is this also possible?

  2. According to the tutorial, the password grant type does not require the client secret, but Spring Cloud OAuth2 always requires a client secret. How do I deal with that? Do I just set up a dummy client secret like "ABC" and not care about it?

  3. If I have a client app with @EnableOAuth2, then I only get redirects to the authorization URI. I do not provide the "authorization code" grant type, only the password grant type. Doesn't it understand that I should be sent to the token URI?

Thanks

How can I secure resources by grant_type? I want to secure my REST API with client_credentials

Use an OAuth2 access rule and specify that you want only the client, e.g. using the #oauth2 expression variable and #oauth2.isClient().

The password grant type does not require a client secret

Incorrect. You need to authenticate the client. If it does not have a password then it is not very secure, but you can do that (use a blank password) if you want.

I only get redirects to the authorization URI, though I do not provide the "authorization code" grant type; if I only provide the password grant type, doesn't it understand that I should be redirected to the token URI?

No, the token endpoint is a back channel and it would not work (even if you thought you were allowed to get a token from a GET, what would the user feedback be?). There is no protocol for external web applications to use password grants (it is basically for native applications). In a web application you should use the authorization code.
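As an added example (not the poster's or the answerer's code, and not a Spring sample), here is what the two points above look like in spring-security-oauth2 Java config, the library Spring Cloud OAuth2 builds on: a client registered with a secret and both grant types, and a resource server that uses the #oauth2 expression variable to accept client_credentials tokens on one path and user (password-grant) tokens on another. The client id my-client, the secret "ABC" (the questioner's placeholder), the scope names and the URL paths are assumptions for illustration; the AuthenticationManager is assumed to be exposed as a bean by the application's own web security config.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;

/**
 * Authorization server: one client that may use both grant types.
 * The secret is what the token endpoint authenticates the client with.
 * An empty string is accepted, as the answer says, but then the client is not
 * really authenticated, so only do that for native/public clients that cannot
 * keep a secret anyway.
 */
@Configuration
@EnableAuthorizationServer
class AuthServerConfig extends AuthorizationServerConfigurerAdapter {

    // Assumed to be exposed as a bean by the app's WebSecurityConfigurerAdapter;
    // the password grant uses it to check the resource owner's credentials.
    @Autowired
    private AuthenticationManager authenticationManager;

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
            .withClient("my-client")                                 // assumed client id
            .secret("ABC")                                           // assumed secret; "" is also allowed
            .authorizedGrantTypes("client_credentials", "password")  // both grants for the same client
            .scopes("read", "write");
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        // Without this the password grant is refused even if it is authorized above.
        endpoints.authenticationManager(authenticationManager);
    }
}

/**
 * Resource server: decide per path which kind of token is acceptable.
 * A client_credentials token has no user behind it, so #oauth2.isClient() is
 * true and #oauth2.isUser() is false; a password-grant token is the reverse.
 */
@Configuration
@EnableResourceServer
class ResourceConfig extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            // machine-to-machine endpoints: only tokens issued to the client itself
            .antMatchers("/api/system/**").access("#oauth2.isClient()")
            // user-specific endpoints: only tokens issued on behalf of a user, with the read scope
            .antMatchers("/api/me/**").access("#oauth2.isUser() and #oauth2.hasScope('read')")
            // everything else just needs a valid token of either kind
            .anyRequest().authenticated();
    }
}
```

With this in place, a client_credentials token obtained with HTTP Basic auth as my-client:ABC and grant_type=client_credentials is accepted under /api/system/** and rejected under /api/me/**, while a token obtained with grant_type=password plus username and password (still sent with the client's Basic credentials, which is the point of the second answer) is accepted under /api/me/** and rejected under /api/system/**. Both are POSTs to the token endpoint; nothing here involves a browser redirect, which is the third answer's point.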

