ResourceOwnerOAuth2ClientFilter
This filter uses the Resource Owner Password Credentials grant type. According to information in The OAuth 2.0 Authorization Framework, minimize use of this grant type and utilize other grant types whenever possible. Use this filter in a service-to-service context, where services need to access resources protected by OAuth 2.0.
Authenticates OAuth 2.0 clients by using the resource owner’s OAuth 2.0 credentials to obtain an access token from an Authorization Server, and injecting the access token into the inbound request as a Bearer Authorization header.
Client authentication is provided by the endpointHandler property, which uses a client authentication filter.
The ResourceOwnerOAuth2ClientFilter refreshes the access token as required.
For more information, refer to RFC 6749 - Resource Owner Password Grant.
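The exchange described above, as an added Python example that is not the product's own code: it builds the RFC 6749 section 4.3.2 token request with HTTP Basic client authentication, caches the returned token, and injects it as a Bearer header. The function and class names, the 30-second expiry skew, and the sample values are assumptions of this example; how the filter itself obtains a replacement token is not specified on this page.

```python
import base64
from urllib.parse import quote_plus, urlencode, urlsplit

def build_token_request(token_endpoint, client_id, client_secret,
                        username, password, scopes=()):
    """Build (but do not send) the RFC 6749 section 4.3.2 token request."""
    if urlsplit(token_endpoint).scheme != "https":
        # The resource owner password is in the body, so TLS is mandatory.
        raise ValueError("token endpoint must use https")
    form = {"grant_type": "password", "username": username, "password": password}
    if scopes:
        form["scope"] = " ".join(scopes)  # scope values are space-delimited
    # Client authentication with HTTP Basic (RFC 6749 section 2.3.1): both
    # values are form-urlencoded before being joined and base64-encoded.
    creds = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
    return {
        "method": "POST",
        "url": token_endpoint,
        "headers": {
            "Authorization": "Basic " + base64.b64encode(creds.encode()).decode(),
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urlencode(form),
    }

class TokenCache:
    """Holds one access token and decides when a new one is needed."""
    def __init__(self, skew_seconds=30):  # skew is an assumption of this sketch
        self.access_token, self.expires_at, self.skew = None, 0.0, skew_seconds

    def store(self, token_response, now):
        if token_response.get("token_type", "").lower() != "bearer":
            raise ValueError("only Bearer tokens can be injected")
        self.access_token = token_response["access_token"]
        self.expires_at = now + float(token_response.get("expires_in", 0))

    def needs_refresh(self, now):
        return self.access_token is None or now >= self.expires_at - self.skew

def inject_bearer(headers, cache):
    """Return a copy of the request headers carrying the cached token."""
    return {**headers, "Authorization": f"Bearer {cache.access_token}"}

# Constructed sample values, not taken from any real deployment.
SAMPLE_RESPONSE = {"access_token": "tok1", "token_type": "Bearer", "expires_in": 3600}
```

The password appears only in the POST body and never in the URL, which keeps it out of access logs and proxy histories on the path to the Authorization Server.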
Usage
{
    "name": string,
    "type": "ResourceOwnerOAuth2ClientFilter",
    "config": {
        "username": configuration expression<string>,
        "passwordSecretId": configuration expression<secret-id>,
        "secretsProvider": SecretsProvider reference,
        "tokenEndpoint": configuration expression<url>,
        "scopes": [ configuration expression<string>, ... ],
        "endpointHandler": Handler reference
    }
}
Properties
"username": configuration expression<string>, required
The resource owner username to supply during authentication.
"passwordSecretId": configuration expression<secret-id>, required
The secret ID to obtain the resource owner password.
This secret ID must point to a GenericSecret.
"secretsProvider": SecretsProvider reference, required
The SecretsProvider to resolve queried secrets, such as passwords and cryptographic keys. For allowed formats, refer to SecretsProvider.
"tokenEndpoint": configuration expression<url>, required
The URL to the Authorization Server’s OAuth 2.0 token endpoint.
"scopes": array of configuration expression<strings>, optional
Array of scope strings to request from the Authorization Server.
Default: Empty, request no scopes.
"endpointHandler": Handler reference, optional
The Handler to exchange tokens on the authorization endpoint.
Configure this property as a Chain, using one of the following client authentication filters:
{
    "name": "myHandler",
    "type": "Chain",
    "config": {
        "handler": "ForgeRockClientHandler",
        "filters": [
            {
                "type": "ClientSecretBasicAuthenticationFilter",
                "config": {
                    "clientId": "myConfidentialClient",
                    "clientSecretId": "my.client.secret.id",
                    "secretsProvider": "mySystemAndEnvSecretStore"
                }
            }
        ]
    }
}
Default: ForgeRockClientHandler
Examples
For an example, refer to Using OAuth 2.0 resource owner password credentials.