Hello Laur been searching for a spring boot client example that implements AuthorizationCode flow, would appreciate if you could share such example the way you explained here.
What does the proxy normally do? Is the pattern imagined as a ring that wraps around an object and intercepts all method calls and forwards them if necessary? 35:40
Hi Laur, I am working on a requirement which is more or less similar to the password grant type. We would have 3-4 clients which would have their own custom UI for login. The clients would forward the credentials to the central authorization server for authentication and receive tokens. The tokens should serve as an SSO mechanism between these clients. Can I use OAuth2 components for this seeing as the password grant type is deprecated, and I am not following the Authorization code flow? Or will I have to write my own custom JWT token implementation for this?
Hi, Not sure that what you do there is advised. Probably if you want to continue with it like this you'd need to make customizations. I don't think any framework today will support anything similar to password grant type.
Hello Laurentiu, I am sorry If I understood it incorrectly. The OAuth2 client doesn't require user details credentials as we have only configured client details(ClientRegistrationRepository) and it gives an access token. How? Plus, my second doubt is, How would I integrate OAuth2 client with angular or UI app as it directly gives access token?
Hi. We use the client credentials grant type when we don't have a user. This grant type implies that the client only needs their credentials to get an access token. The client credentials grant type is not meant for the case you have an UI. For that case, you need to use a grant type that requires user authentication, such as the authorization code grant type.
@@laurspilca Can you please create one video for authorizationCode flow? Or give me some reference from your book that would help me in implementation.
Hey Laur, how is the client registration repository supposed to work, does it have to pull out the client information lilke the scope, grant type etc, from the database and pass it along to the auth server?
Hi. It depends on the client. I mean, you can store those details anyhow. If it's a web app, it might have them somewhere in the local storage. If it's an Android app, it might have a local DB. If it's a service, it can take them from a DB or from a Vault. Possibilities are limitless here.
Hello Laurentiu, thank you for this lesson. Could you please share with us example for client with authorization code? Especcialy i want to understand shoul i make OAuth2AuthorizeRequest? And i saw example with @RegisteredOAuth2AuthorizedClient("test-client-oidc") annotation, but very interesing is how it works (how to get OAuth2AuthorizedClient object in method - not trought the anno?
Hi Can you explain a little how this work in case of a microservice app, where we have more services and an ApiGateway? it's not clear for me do we get the roken in Api Gateway and then just send it to services? Thank you
Hi Mihai. There are more alternatives actually. The most commons is where you use the gateway as a resource server and then only propagate the request behind it to your microservices.
Hello Sir. Please what is the difference or maybe the parallel or nuance between RegisteredClient and RegistrationClient, RegisteredClientRepository and RegistrationClientRepository ?
You mean between RegisteredClient and ClientRegistration I guess? One is for the authorization server and the other is for the client. The represent the same thing but for different apps.
Hi, by any chance, are you going to make a video on how to customize the approval/consent screen for Oauth? Can't seem to find enough resources on that. Thank you
If we need to communicate between 2 resource servers for data transfers , how do we achieve this. My question is can a resource server be a webclient also. I tried but it gave error that webclient cannot be created. I am using Spring Auth Server
Hi Rajeev. I'm not sure I understand the question. If two services need to talk to one another in an OAuth 2 environment, one possibility is using the client credentials grant type. But I'm not sure this is the answer you're looking for.
@@laurspilca I have 2 resource servers Order and Product. I need to get the product details from the order server. So my question is how to get the product details from the Order resource server. All are protected under OAuth2.
@@laurspilca Yes That is exactly the point, but for some reason when resource server and client are in one I am getting non authorised error. I Would it be possible to expalin it in a video. I dont see much resources related to this issue. Thanks .... I have conigured Resource server as a client also using auth client in pom and properties file. I am using @HttpExchange annotation inside the interace. I thought the token will be propgated automatically..Can you please help by creating a video
Hello Sir, I have configured my client using axios in React JS. When I send out requests to the authorization server from axios, the browser (firefox/edge) sends out an OPTION request first to check the CORS headers - Pre-flight request. The issue with this is when I send a POST request to "/oauth2/token" the browser first sends a pre-flight request to "/oauth2/token", hence, resetting my authorization code. How can I DENY OPTION requests (pre-flight requests) to "/oauth2/token" sent by the browser or prevent OPTION requests (pre-flight) from resetting the authorization code.
