Authenticate a first-party app using Spring Authorization Server

Question

I am building a first party mobile application that authenticates via a Spring Boot backend server (acting as the authentication and the resource server). I planned to use Spring Authorization Server to handle logging into the mobile application via username/password, as well as other OAuth providers (e.g. Login with Google).

I had a similar use case on a different project and used Spring Security OAuth with client_credentials and password grant types to authenticate via username/password.

In reviewing this feature matrix, it appears Spring Authorization Server will not support the password grant type.

Confirmed here with multiple confused emoji reactions, and I am also confused :)

The resource owner password grant type seems like a valid use case for first-party mobile applications. What is the recommended way to authenticate first-party mobile applications with Spring Authorization Server?

If the authorization_code grant should be used instead per the OAuth 2.1 spec, how do I submit the username/password from the native mobile application instead of using the form login provided by Spring Authorization Server?

    @Bean
    SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception {
        http
                .authorizeHttpRequests(authorize ->
                        authorize.anyRequest().authenticated()
                )
                .formLogin(withDefaults());
        return http.build();
    }

Answer 1

I have been reading the comments and im going to try to address this.

Yes it is true, Spring Authorization Server will not support the password grant type since it has been deprecated in oauth2 v2.1.

The biggest reason for this is because that flow is vulnerable to access token leakage and access token replay attacks, as pointed out in the rfc draft OAuth 2.0 Security Best Current Practice

I had a similar use case on a different project and used Spring Security OAuth with client_credentials and password grant types to authenticate via username/password.

Then that application might be susceptible to these types of attack and you should definitely revisit the application and change the authentication method.

how do I submit the username/password from the native mobile application instead of using the form login provided by Spring Authorization Server?

Well as you have read in several places, the recommended way is to use Authorization Code Flow with Proof Key for Code Exchange (PKCE)

There are several tutorials out there explaining how to make this work on mobile for instance okta has a tutorial that shows how it works to set up this flow for mobile applications.

And to address your comment:

it's just not ideal from a mobile application user experience point of view

All i can say here is TOO BAD then. Security is not easy, if everyone in the world were just nice people we wouldn't have to worry about security at all. But sadly, the world is what it is. The internet evolves, people evolve, and the malicious actors evolve and find new ways to exploit things.

I would suggest you try to explain to the users of your application that you wanted to sacrifice security for their user experience, and I bet you they wouldn't be happy with that decision.

Experiences can change for people, MFA was something that was a pain in the beginning for many, but is now a very common used thing to secure applications and guess what, people have adapted to it.

Security is difficult, very difficult, you have to understand that and this is the world we are living in at the moment.