spring-attic / spring-security-oauth

Support for adding OAuth1(a) and OAuth2 features (consumer and provider) for Spring web applications.
http://github.com/spring-projects/spring-security-oauth
Apache License 2.0

Implicit Flow not working as it should? #1249

Open wilder opened 6 years ago

wilder commented 6 years ago

I was trying to use Amazon's Cognito as an authentication provider using the Implicit Flow, but I've faced some problems with Spring.

I implemented the Authorization Code using Spring with almost the same identity provider configurations and it works perfectly.

The first problem I've faced when implementing the Implicit Flow is that I get a NullPointerException when I don't set an AccessTokenUri in my ImplicitResourceDetails for the RestTemplate. The exact same problem was stated in this issue, and @dsyer commented that

You have to set the "accessTokenUri" not the "userAuthorizationUri" for the implicit resource type (makes sense since that's where you get the token from I guess). That will fix the NPE.

but OAuth2 Implicit Flow doesn't have an access token uri, right? As I couldn't find another solution for this, I followed his suggestions anyway.

After setting the value of my accessToken to what should be the authorizationUri I got another error:
org.springframework.web.client.HttpClientErrorException: 405 Method Not Allowed.

That happens because the retrieveToken method from the OAuth2AccessTokenSupport class calls a method that always returns HTTP.POST as the request method. This is called from ImplicitAccessTokenProvider.obtainAccessToken.

This error makes sense since the requests for the Authorization Endpoint should only accept HTTP GET as stated in the Section 3.1 of RFC 9749.

After this error I've overridden the ImplicitAccessTokenProvider class to do a GET instead of a POST, but it doesn't redirect the user to the Identity Provider's login page as it does when using the Authorization Flow.

I'm quite convinced that this is not the best approach for achieving what I want, since I had to do many workarounds and still couldn't do it.

TL;DR:

  1. Is there a way of retrieving the token from the Authorization Uri using the Implicit Flow with Spring?

  2. Why is the Access Token Uri required when using the Implicit Flow? And why does it do a POST request even when using the ImplicitResourceDetails?

After spending a couple of hours, I've realized that this could be an old problem:

http://forum.spring.io/forum/spring-projects/security/oauth/120611-trouble-configuring-implicit-flow
https://github.com/spring-projects/spring-security-oauth/issues/412#issuecomment-75523032
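The two workarounds described in the report (setting accessTokenUri so the implicit provider does not throw a NullPointerException, and overriding the provider so it sends GET instead of the POST that OAuth2AccessTokenSupport.getHttpMethod() returns by default) put together in one configuration. This is an added example, not code from the spring-security-oauth project or from the reporter; the class name GetImplicitAccessTokenProvider is hypothetical, and the client id, authorization endpoint and redirect URI are placeholders to be replaced with the provider's real values.

```java
import java.util.Arrays;

import org.springframework.http.HttpMethod;
import org.springframework.security.oauth2.client.OAuth2RestTemplate;
import org.springframework.security.oauth2.client.token.AccessTokenProviderChain;
import org.springframework.security.oauth2.client.token.grant.implicit.ImplicitAccessTokenProvider;
import org.springframework.security.oauth2.client.token.grant.implicit.ImplicitResourceDetails;

// Added example, not from the spring-security-oauth project; hypothetical class name,
// placeholder URLs and client id.
public class ImplicitFlowWorkaround {

    /**
     * Provider subclass that issues the authorization request with GET.
     * OAuth2AccessTokenSupport.getHttpMethod() returns POST, which an
     * authorization endpoint that only accepts GET answers with 405.
     */
    public static class GetImplicitAccessTokenProvider extends ImplicitAccessTokenProvider {
        @Override
        protected HttpMethod getHttpMethod() {
            return HttpMethod.GET;
        }
    }

    public static ImplicitResourceDetails resourceDetails() {
        ImplicitResourceDetails details = new ImplicitResourceDetails();
        details.setId("cognito-implicit");
        details.setClientId("<your-client-id>");                      // placeholder
        String authorize = "https://<your-cognito-domain>/oauth2/authorize"; // placeholder
        details.setUserAuthorizationUri(authorize);
        // The implicit grant has no token endpoint; without accessTokenUri the
        // provider fails with a NullPointerException, so it is pointed at the
        // authorization endpoint as suggested in the linked comment.
        details.setAccessTokenUri(authorize);
        details.setScope(Arrays.asList("openid"));
        details.setPreEstablishedRedirectUri("https://<your-app>/callback"); // placeholder
        details.setUseCurrentUri(false);
        return details;
    }

    public static OAuth2RestTemplate restTemplate() {
        OAuth2RestTemplate template = new OAuth2RestTemplate(resourceDetails());
        template.setAccessTokenProvider(
                new AccessTokenProviderChain(Arrays.asList(new GetImplicitAccessTokenProvider())));
        return template;
    }
}
```

Note on what this can and cannot do: in the OAuth 2.0 implicit grant the token is handed to the user-agent in the fragment of the redirect from the authorization endpoint. A server-side RestTemplate only obtains it when the provider answers that single request with the redirect itself; a provider that first sends the user to an interactive login page, as the report describes, never delivers a token to this call, which is why the authorization code grant the reporter already has working is the appropriate fit for that provider.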

nagano commented 6 years ago

Any news on this issue?