Spring Security OAuth2 - Client Authentication Issue

Engineering | Joe Grandja | August 31, 2016 | ...

Issue #808 was recently reported that allowed a user to authenticate as a client and obtain an access token via the client_credentials or password grant flow.

This unique scenario occurs when a client and user have the same identifier (clientId and username). The user’s credentials are used for client authentication during a client_credentials or password grant flow and is successful in obtaining an access token with the authorities of the client.

The Fix

This bug has been fixed in 1ed986a and released in 2.0.11.RELEASE.

If you’re using Java-based configuration, please update to 2.0.11.RELEASE.

However, if you’re using XML-based configuration, please take the following actions:

  • Update to 2.0.11.RELEASE

  • Look at this JUnit test and it’s associated XML configuration to ensure the AuthenticationManager for client authentication and the AuthenticationManager for user authentication is setup the same in your configuration.

  • As a precautionary step, make sure your XML configuration is NOT setup the same as in this JUnit test and associated XML configuration as it demonstrates the original issue.

Credit

Thank you for reporting this issue Michael Pridemore and Ben Kiefer.

Get the Spring newsletter

Stay connected with the Spring newsletter

Subscribe

Get ahead

VMware offers training and certification to turbo-charge your progress.

Learn more

Get support

Tanzu Spring offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.

Learn more

Upcoming events

Check out all the upcoming events in the Spring community.

View all