[progress Communities] [progress Openedge Abl] Forum Post: Re: Appsecurity-form-openid.xml

Michael Jacobs

Just to clarify, in Spring's OAuth2 project the roles of the "authorization server" and "service provider" are configured separately so they can exist on separate servers and web applications. However, support for both is combined in the same physical libraries. The oauth2LoginModel.xml is only configured to operate as a "service provider", with the capability for OE to add "authorization server" sometime later. Hence the comment to not enable the "authorization server" support.

The oauth2LoginModel.xml configuration for the "service provider" is 99% pure Spring Security (with the remainder being REST & OE Client-Principal integration). You'll see that the type of OAuth2 Access Token support is defaulted to "self-contained" (aka ID tokens in some documents) and has support for validating the Access Tokens using HMAC shared keys, or PKI digital certificates. The type of OAuth2 "identifier" Access Tokens has been shown to be specific to the "authorization server" implementation and can be problematic.

Does that help clarify?

Mike J.
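
How a "service provider" can validate a self-contained access token locally with an HMAC shared key, as described in the post above, shown as an added example (not part of the original post, and not OpenEdge or Spring code). It assumes the token is a JWT signed with HS256; the key, claims and function names are constructed for illustration.

```python
import base64, hashlib, hmac, json, time

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_token(claims: dict, key: bytes) -> str:
    """Authorization-server role; present only to build constructed sample tokens."""
    parts = [b64url_encode(json.dumps(p).encode())
             for p in ({"alg": "HS256", "typ": "JWT"}, claims)]
    signing_input = ".".join(parts)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"

def validate_token(token: str, key: bytes, now=None) -> dict:
    """Service-provider role: validate locally with the shared key.

    Raises ValueError on any failure; returns the claims on success.
    """
    parts = token.split(".")
    if len(parts) != 3:
        # An opaque "identifier" token has no verifiable structure; it would
        # need a lookup at the authorization server that issued it.
        raise ValueError("not a self-contained token")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: never let the token choose (e.g. "none") how it is checked.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected signing algorithm")
    expected = hmac.new(key, f"{header_b64}.{claims_b64}".encode(),
                        hashlib.sha256).digest()
    # Constant-time comparison, done before the claims are parsed or trusted.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(claims_b64))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired or missing exp")
    return claims

if __name__ == "__main__":
    KEY = b"constructed-shared-key"  # constructed sample key
    tok = sign_token({"sub": "alice", "scope": "read", "exp": time.time() + 300}, KEY)
    print(validate_token(tok, KEY))
```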
