ch4mpy / spring-addons

Ease spring OAuth2 resource-servers configuration and testing
Apache License 2.0

Support for resource owner password credential flow (ROPC) #199

Closed janbols closed 5 months ago

janbols commented 5 months ago

Is your feature request related to a problem? Please describe.

I very much like using spring-addons as a BFF for SPAs as described on https://github.com/ch4mpy/spring-addons/tree/master/samples/tutorials/bff. In fact, it has become a default component in each solution.

Now I need to use the resource owner password credentials flow (the password grant flow) instead of the default authorization code flow. I don't think this is supported yet.

I'm also completely lost in the Spring Security wilderness and how to use the same mechanism with password grants inside a BFF.

Miss Google isn't very helpful and Mr GPT completely misses the point :-(.

Describe the solution you'd like

It would be very nice to see an implementation that supports password grant flows using Spring Cloud Gateway as the BFF.

I already tried using an extra SecurityWebFilterChain and a ReactiveOAuth2AuthorizedClientProvider configuring the password grant as described in https://docs.spring.io/spring-security/reference/reactive/oauth2/client/authorization-grants.html#_using_the_access_token_2. And although I can get an access token, I'm not sure what the best way is to store it in the web session, or whether I'm leaving exploitable security holes.

ch4mpy commented 5 months ago

if I'm not leaving out exploitable security holes

By using Password flow, you are: it is deprecated and won't even be there in OAuth 2.1. You should use only authorization-code for users "login".

Also, spring-addons does nothing special about which OAuth2 flow is used. This is defined in your Spring Boot registration properties.

If using spring-addons, the OAuth2 client filter-chain is defined for you and there is nothing special to do to use password flow beyond defining that in the client registration.
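As an added illustration (not code from this thread, the spring-addons project or its tutorials): the two grant types side by side as Spring Boot client-registration properties, which is the place where, as the maintainer says, the flow is chosen. The provider name `my-idp`, both registration ids, the issuer URL and the environment variables holding the secrets are placeholders; nothing spring-addons-specific is involved.

```yaml
spring:
  security:
    oauth2:
      client:
        provider:
          my-idp:                                  # placeholder provider name
            issuer-uri: https://idp.example.com/realms/demo   # placeholder issuer
        registration:
          # Recommended: authorization code flow, the one the BFF tutorial uses.
          # The user authenticates at the IdP; the BFF only ever receives tokens
          # on its redirect URI and never handles the user's password.
          bff-client:                              # placeholder registration id
            provider: my-idp
            client-id: bff-client
            client-secret: ${BFF_CLIENT_SECRET}    # injected from the environment
            authorization-grant-type: authorization_code
            redirect-uri: "{baseUrl}/login/oauth2/code/{registrationId}"
            scope: openid, profile, email
          # Deprecated: resource owner password credentials flow. The client
          # application collects the user's password itself and posts it to the
          # token endpoint, so the BFF becomes a credential handler. Removed from
          # OAuth 2.1 and deprecated in Spring Security 6; shown only for contrast.
          legacy-password-client:                  # placeholder registration id
            provider: my-idp
            client-id: legacy-password-client
            client-secret: ${LEGACY_CLIENT_SECRET}
            authorization-grant-type: password
            scope: openid, profile
```

The contrast is the security point of the maintainer's answer: with `authorization_code` the only secret the BFF holds is its own client secret, and user credentials stay between the browser and the IdP, whereas with `password` every component that sees the login request (gateway, logs, session store) is inside the trust boundary for the user's password. If a legacy `password` registration is unavoidable, keep it in a separate registration like the one above rather than reusing the BFF login registration, so it can be located and removed later.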