
I'm using spring-security-oauth2 authorization server. I'm using the password grant for oauth authentication. Currently, this lets users send username and password as query parameters. This is not safe since the password is not protected by HTTP. To handle this, my frontend sends the important information as part of the request body through HTTPS.

We use springfox-swagger2 to generate API specifications. Since query parameters are permitted, the specification generates these fields as required, as you can see in this screenshot

The specification also takes in an optional body.

I'm wondering what workaround there might be to solve this issue, because we are automatically generating TypeScript models based off the swagger specification, and every time we make any changes to our specification, any manual frontend changes of the types will be replaced.

yasgur99
I also don't understand what the issue is here. But it looks like an over-engineered solution. Why does the API need a password grant and a dedicated method for auth? It doesn't look very safe, because the API will have access to user credentials. Why aren't you just using the built-in swagger auth options https://swagger.io/docs/specification/authentication/oauth2/ where you can just specify IdP details, and then the API will just need to validate the JWT token? – Jan Garaj Dec 25 '20 at 11:28

1 Answer


The query string is encrypted with HTTPS, but there are other reasons not to use query parameters for sensitive data, like server logs that could also log the query string; more details in https://stackoverflow.com/a/323286/1536382

For the rest, I don't get what the issue is. What does this mean:

Since query parameters are permitted

Where are they permitted? What specifies this aspect?

Testo Testini
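A defender-side check that follows from this answer, added here as an example (not code from the question, the answer, or springfox): it walks a Swagger 2.0 document and flags credential-like parameters declared with `in: query`, so a spec that still advertises `password` as a query parameter is caught before TypeScript models are generated from it. The sample spec and the parameter-name list are constructed assumptions.

```python
import json

# Parameter names that should never travel in a query string: even over HTTPS
# they end up in access logs, proxy logs, browser history and Referer headers.
SENSITIVE_NAMES = {"password", "passwd", "secret", "client_secret", "token",
                   "access_token", "refresh_token", "api_key", "apikey"}

HTTP_METHODS = {"get", "post", "put", "patch", "delete", "options", "head"}


def is_sensitive(name):
    """Match obvious credential-like parameter names (case-insensitive)."""
    n = name.lower()
    return n in SENSITIVE_NAMES or "password" in n or "secret" in n


def find_sensitive_query_params(spec):
    """Walk a Swagger 2.0 document and return (method, path, name, required)
    for every query parameter whose name looks like a credential.
    Path-level parameters apply to every operation under that path."""
    findings = []
    for path, item in spec.get("paths", {}).items():
        shared = item.get("parameters", [])
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:
                continue
            for p in shared + op.get("parameters", []):
                if p.get("in") == "query" and is_sensitive(p.get("name", "")):
                    findings.append((method.upper(), path, p["name"],
                                     bool(p.get("required", False))))
    return findings


# Constructed sample (hypothetical, not real springfox output): a token endpoint
# that accepts the password grant through required query parameters.
SAMPLE_SPEC = json.loads("""{
  "swagger": "2.0",
  "paths": {
    "/oauth/token": {
      "post": {
        "parameters": [
          {"name": "grant_type", "in": "query", "required": true, "type": "string"},
          {"name": "username", "in": "query", "required": true, "type": "string"},
          {"name": "password", "in": "query", "required": true, "type": "string"},
          {"name": "body", "in": "body", "required": false, "schema": {"type": "object"}}
        ]
      }
    }
  }
}""")

if __name__ == "__main__":
    for method, path, name, required in find_sensitive_query_params(SAMPLE_SPEC):
        print(f"{method} {path}: query parameter '{name}' (required={required})")
```

Run it against the generated `v2/api-docs` JSON in CI to fail the build whenever a credential is exposed as a query parameter.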