I have a Grails 3 application that uses the spring-security-rest plugin version 2.0.0.RC1, using GitHub for user authentication.
I am seeing warnings from GitHub:
Your application used an access token as part of a query parameter to access an endpoint through the GitHub API:
https://api.github.com/user
Please use the Authorization HTTP header instead as using the `access_token` query parameter is deprecated.
Is there a version where this is fixed that still works with Grails 3?
I believe the deprecation warnings become failures in November, 2020.
Update: Poking around pac4j I see in the OAuthConfiguration class there is a tokenAsHeader variable. If set, it adds the authorization token to the header when getting user information.
I'm not sure if this will work, but I added tokenAsHeader = true to application.groovy:
    github {
        client = org.pac4j.oauth.client.GitHubClient
        key = '${APP_KEY}'
        secret = '${APP_SECRET}'
        scope = 'user'
        tokenAsHeader = true
        defaultRoles = ['ROLE_GITHUB']
    }
I don't see a change in the debug output and I only receive deprecated warning emails periodically, so I'm not sure if this is a solution or not.
As you could figure out, the OAuth clients aren't part of Spring Security REST itself, but come from Pac4j. Spring Security REST 2.0.0.RC1 ships with Pac4j 2.2.1, which is 2.5 years old. So it is possible that valid settings for clients back then are being deprecated nowadays.
Your chances are:
Upgrade locally to a newer Pac4j version. It should work smoothly upgrading all the way through 4.0.0. In build.gradle:

    compile("org.grails.plugins:spring-security-rest:2.0.0.RC1") {
        exclude group: 'org.pac4j'
    }
    compile "org.pac4j:pac4j-core:3.8.3"
    compile "org.pac4j:pac4j-oauth:3.8.3"

Upgrade your application to Grails 4 and use Spring Security REST 3.0.1, which uses pac4j 3.8.3
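
Added example (not part of the original posts and not pac4j or plugin code): a way to see where a client puts the token, which is the open question after setting tokenAsHeader. It sends both request forms to a local stub standing in for the /user endpoint; the stub, the names `token_location` and `demo`, and the sample token are constructed for illustration.

```python
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlsplit


def token_location(path, headers):
    """Report where a request carried its OAuth token: query, header, both or none."""
    in_query = "access_token" in parse_qs(urlsplit(path).query)
    in_header = headers.get("Authorization", "").lower().startswith(("token ", "bearer "))
    if in_query and in_header:
        return "both"
    return "query" if in_query else "header" if in_header else "none"


class StubUserEndpoint(BaseHTTPRequestHandler):
    seen = []  # where each request to this local stand-in for GET /user put its token

    def do_GET(self):
        StubUserEndpoint.seen.append(token_location(self.path, self.headers))
        body = b'{"login": "constructed-user"}'
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence per-request console logging
        pass


def demo():
    """Send the deprecated and the header-based request to the stub, return what it saw."""
    StubUserEndpoint.seen.clear()
    server = HTTPServer(("127.0.0.1", 0), StubUserEndpoint)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = "http://127.0.0.1:%d/user" % server.server_port
    token = "constructed-token-123"  # constructed sample value, not a real credential
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no proxies
    try:
        opener.open(url + "?access_token=" + token).read()  # deprecated form
        request = urllib.request.Request(url, headers={"Authorization": "token " + token})
        opener.open(request).read()  # form GitHub asks for
    finally:
        server.shutdown()
        server.server_close()
    return list(StubUserEndpoint.seen)


if __name__ == "__main__":
    print(demo())
```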