Tags: java, security, oauth-2.0, microservices, spring-cloud-netflix

What Oauth2 grant type to use in a distributed application without any third party client?


After reading for the last two days about Oauth2 protocol I still need some help to figure out what's the best grant to use for our system where the Authorization Service is deployed by us.

The app uses Spring Cloud, Spring Boot and Spring Security. It has a service discovery that uses Eureka and all users' requests go through an API gateway to reach the different microservices in an internal network. All these microservices, including the gateway, use the Zuul proxy. The Authorization Service will be another microservice storing the users in its own database. There is a frontend that at the moment is deployed in the gateway and is developed in Angular 4. There aren't any external apps that make requests to our system, and there will be a bunch of users with a small set of possible roles that will make use of it and that will have to log in using a username and password.

In this situation, should we go for the Authentication Code grant, or would the Password grant be ok? Or maybe not Oauth2 at all? All the examples I've seen and read about that use the Authentication Code grant require the user to allow the client to get access to the resource after logging in. In our case, the client will be the gateway, so the user shouldn't have to grant it anything. The Password grant seems to remove this situation, as the user's credentials serve to tell the Authorization Service to provide a token. Am I missing something?

Apart from that, examples of Authorization Services include Facebook or Google. When using these, once the user grants the client application access to the resource after logging in, subsequent requests don't show this screen and they only need to log in with their credentials. Where is this access-grant information stored? How does Facebook know that, once the user has granted access to a resource to an application, next time he logs in he doesn't need to do it again?


Solution

  • In my understanding, one of the basic purposes of the password grant is to provide a seamless migration path to OAuth2 for applications which store and collect user names and passwords. And there are plenty of those.

    Also, as written in this nice article:

    Since this obviously requires the application to collect the user's password, it must only be used by apps created by the service itself. For example, the native Twitter app could use this grant type to log in on mobile or desktop apps.

    In your case, using OAuth2 and the password grant will still make some sense to me. That is mostly because there is lots of ready-to-use OAuth2 infrastructure (I mean the Spring OAuth2 here) in your tech stack. This infrastructure fits seamlessly in a microservice architecture and this will be the easiest and fastest way to wire all things together. But ideally web apps should use the Authentication Code grant and you should redirect the users to a special place where they authenticate (e.g. the Zuul gateway may redirect them to a page delivered by the AS). This is a bit more elaborate though, and you may go for the password grant, especially if you do not plan to connect other apps.

    As for your second question - FB, Google, LinkedIn - they remember the authorized apps. For example in Facebook - navigate to Settings - Apps and see which apps are authorized to access your data.

    In LinkedIn - navigate to Account - Partners and Third parties - Permitted Services. E.g. this setup gives HackerRank access to user data.

    If as a user you delete these apps you will be asked to authorize them once again.
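The two flows the answer contrasts, and the "remembered" consent it points at in the Facebook and LinkedIn settings pages, in one runnable sketch. This is an added example in Python, not code from the original answer and not Spring code: a toy authorization server that issues a token to the first-party gateway through the password grant in a single round trip, runs the authorization code grant for a third-party client with a consent step, and keeps a per-user, per-client approval set so the consent screen appears only on the first visit and again after the user revokes the app. The client ids, secrets, redirect URIs, user and password are constructed. The password grant is refused to any client not flagged as first-party, which is the rule the quoted article states. In Spring's legacy OAuth2 support the role of that approval set is played by the ApprovalStore (and autoApprove on a client definition).

```python
"""Toy OAuth2 authorization server (constructed example): password grant for the
first-party gateway, authorization code grant with remembered consent for third
parties.  In-memory only; every name and secret below is made up."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Client:
    client_id: str
    secret: str
    redirect_uri: str
    grant_types: frozenset
    first_party: bool = False  # only clients we ship ourselves may collect passwords


class AuthorizationServer:
    def __init__(self):
        self.clients = {}       # client_id -> Client
        self.users = {}         # username -> (salt, pbkdf2 digest)
        self.approvals = set()  # (username, client_id, scope): the remembered consents
        self.codes = {}         # code -> (username, client_id, scope, redirect_uri)
        self.tokens = {}        # access token -> (username, client_id, scope)

    def register_client(self, client):
        self.clients[client.client_id] = client

    def register_user(self, username, password):
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, self._digest(password, salt))

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def _check_password(self, username, password):
        rec = self.users.get(username)
        return rec is not None and hmac.compare_digest(rec[1], self._digest(password, rec[0]))

    def _check_client(self, client_id, secret):
        c = self.clients.get(client_id)
        return c if c is not None and hmac.compare_digest(c.secret, secret) else None

    def _issue(self, username, client_id, scope):
        tok = secrets.token_urlsafe(32)
        self.tokens[tok] = (username, client_id, scope)
        return {"access_token": tok, "token_type": "Bearer", "scope": scope}

    # POST /oauth/token  grant_type=password  (client authenticates with its secret)
    def token_password(self, client_id, client_secret, username, password, scope):
        c = self._check_client(client_id, client_secret)
        if c is None or "password" not in c.grant_types or not c.first_party:
            return {"error": "unauthorized_client"}
        if not self._check_password(username, password):
            return {"error": "invalid_grant"}
        return self._issue(username, client_id, scope)

    # GET /oauth/authorize: user logs in at the AS; consent is asked only if not stored
    def authorize(self, client_id, redirect_uri, scope, username, password, approve=False):
        c = self.clients.get(client_id)
        if c is None or c.redirect_uri != redirect_uri or "authorization_code" not in c.grant_types:
            return ("error", "invalid_client")
        if not self._check_password(username, password):
            return ("error", "login_failed")
        key = (username, client_id, scope)
        if key not in self.approvals:
            if not approve:
                return ("consent_required", scope)   # show the "allow app X?" screen
            self.approvals.add(key)                 # what FB/Google/LinkedIn remember
        code = secrets.token_urlsafe(16)
        self.codes[code] = (username, client_id, scope, redirect_uri)
        return ("code", code)

    # POST /oauth/token  grant_type=authorization_code: code is single use, bound to client and URI
    def token_code(self, client_id, client_secret, code, redirect_uri):
        c = self._check_client(client_id, client_secret)
        entry = self.codes.pop(code, None)
        if c is None or entry is None:
            return {"error": "invalid_grant"}
        username, cid, scope, ruri = entry
        if cid != client_id or ruri != redirect_uri:
            return {"error": "invalid_grant"}
        return self._issue(username, client_id, scope)

    # what "delete the app" in the provider's settings page does
    def revoke_approval(self, username, client_id):
        self.approvals = {a for a in self.approvals if (a[0], a[1]) != (username, client_id)}


def demo():
    """Walk both flows for a constructed user and two constructed clients."""
    srv = AuthorizationServer()
    pw = "correct horse battery staple"
    srv.register_user("alice", pw)
    srv.register_client(Client("gateway", "gw-secret", "https://gateway.example/cb",
                               frozenset({"password", "authorization_code"}), first_party=True))
    srv.register_client(Client("hackerrank", "hr-secret", "https://hr.example/cb",
                               frozenset({"authorization_code"})))
    hr = ("hackerrank", "https://hr.example/cb", "profile", "alice", pw)
    out = {"password_grant": srv.token_password("gateway", "gw-secret", "alice", pw, "profile"),
           "third_party_password": srv.token_password("hackerrank", "hr-secret", "alice", pw, "profile"),
           "first_visit": srv.authorize(*hr),
           "approved": srv.authorize(*hr, approve=True),
           "second_visit": srv.authorize(*hr)}          # no consent screen this time
    out["code_exchange"] = srv.token_code("hackerrank", "hr-secret", out["second_visit"][1], "https://hr.example/cb")
    out["replayed_code"] = srv.token_code("hackerrank", "hr-secret", out["second_visit"][1], "https://hr.example/cb")
    srv.revoke_approval("alice", "hackerrank")
    out["after_revoke"] = srv.authorize(*hr)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running it prints one line per step: the gateway gets a token straight away, HackerRank gets `consent_required` on the first visit and a code on the next, a replayed code is rejected, and after `revoke_approval` the consent screen comes back, which is exactly the behaviour the answer describes for the provider settings pages.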