
Does "OAuth auto approve" work?

Marko_salonen
Contributor
0 Kudos
1,164

Hi all,

I'm looking around OAuth and it seems to work fine. But I'm trying to configure the "OAuth auto approve" scopes list so that the client does not need to approve the request. Or at least that is my understanding of what this property should do. But it does not work at all. I have tried configuring it in different ways but nothing helps; the client needs to approve the request. Has anyone managed to get this to work?

/Marko

Former Member
0 Kudos

Hello, can you please tell me how you found a solution for this? Thanks in advance.

Accepted Solutions (0)

Answers (2)

0 Kudos

I can verify that this was the case. I modified my oauth2 Spring configuration and it worked. Here are the changes I had to make:

  1. Add user approval handler bean and request factory in oauth2-web-spring.xml

      <!-- A user approval handler that remembers approval decisions by consulting existing tokens -->
      <bean id="oAuth2RequestFactory" class="org.springframework.security.oauth2.provider.request.DefaultOAuth2RequestFactory">
          <constructor-arg ref="oauthClientDetails" />
      </bean>
    
    
  2. Modify the authorization server config and replace "user-approval-page" with "user-approval-handler-ref" like so

      <oauth:authorization-server client-details-service-ref="oauthClientDetails"
                                  token-services-ref="oauthTokenServices" token-endpoint-url="/oauth/token"
                                  authorization-endpoint-url="/oauth/authorize"
                                  user-approval-handler-ref="userApprovalHandler">
          <oauth:authorization-code authorization-code-services-ref="oauthAuthorizationCode" />
          <oauth:implicit />
          <oauth:refresh-token />
          <oauth:client-credentials />
          <oauth:password />
      </oauth:authorization-server>
    
    
  3. Add scope that you want to "auto approve" in your client config. An example of the client I am using:

    INSERT_UPDATE OpenIDClientDetails;clientId[unique=true];resourceIds;autoApprove;scope;authorizedGrantTypes;authorities;clientSecret;registeredRedirectUri;externalScopeClaimName;issuer
    ;client;hybris;basic,email,profile,openid;basic,email,profile,openid;authorization_code,implicit,client_credentials,password;ROLE_TRUSTED_CLIENT;secret;http://localhost:3000/openidcallback,https://www.getpostman.com/oauth2/callback;scope;ec

Hope this helps. Cheers!

Former Member
0 Kudos

It seems the oauth:authorization-server is configured to use the DefaultUserApprovalHandler, which doesn't check the ClientDetails from the database. A handler which checks ClientDetails, such as the TokenStoreUserApprovalHandler, can be wired in if you patch the file /hybris/bin/platform/ext/oauth2/web/webroot/WEB-INF/oauth2-web-spring.xml (and provide the necessary beans for the new handler).
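
Both answers depend on a `userApprovalHandler` bean that is referenced but not shown in the thread. The fragment below is an added example of how such a bean can be declared with Spring Security OAuth2's `TokenStoreUserApprovalHandler`; it is not code from the thread or from the hybris distribution. The ids `oauthClientDetails`, `oAuth2RequestFactory` and `userApprovalHandler` are taken from the first answer, while `oauthTokenStore` is an assumed id for the installation's `TokenStore` bean.

```xml
<!-- Added example: handler referenced by user-approval-handler-ref="userApprovalHandler". -->
<!-- ASSUMPTION: "oauthTokenStore" is a placeholder id; replace it with the id of the
     TokenStore bean that your oauth2-web-spring.xml actually defines. -->
<bean id="userApprovalHandler"
      class="org.springframework.security.oauth2.provider.approval.TokenStoreUserApprovalHandler">
    <!-- Required: an existing, unexpired access token for the same request
         is treated as a previously given approval. -->
    <property name="tokenStore" ref="oauthTokenStore" />
    <!-- Required: builds the OAuth2Request that is looked up in the token store. -->
    <property name="requestFactory" ref="oAuth2RequestFactory" />
    <!-- Optional in the class, but needed here: without a ClientDetailsService the
         handler never reads the client's autoApprove scopes. -->
    <property name="clientDetailsService" ref="oauthClientDetails" />
</bean>
```

With this wiring, the approval page is skipped only when every requested scope is matched by the client's `autoApprove` entries or a valid token for the same request already exists, so that list should contain only scopes meant to be granted without user consent.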