Why does /oauth/authorize need to be protected?

According to http://projects.spring.io/spring-security-oauth/docs/oauth2.html:

NB The authorization endpoint /oauth/authorize (or its associated alternative) should be protected with Spring Security so that it is accessible only to authenticated users.

Why? It is not true that an endpoint that requires authorization permission to exchange an authorization code must be protected. This is similar to the login page for the login page, especially when authorization will be granted using the password credentials of the resource owner.

+5
1 answer

OAuth2 authorization works in two stages:

  • The user is authenticated using his credentials.
  • The user grants app X permission to use his data.

Step 2 occurs in /oauth/authorize, and step 1 occurs elsewhere in your application (most likely, through the login form, under the protection of Spring).

If you do not protect /oauth/authorize, you end up providing authorization without user authentication (or you won't, because without an authenticated session, you probably don't know who the user is).

+2
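As an added illustration of the two stages the answer describes (not code from the question, the answer, or the Spring Security OAuth project), here is a minimal configuration with the legacy spring-security-oauth2 library and Spring Security 4/5 that protects /oauth/authorize with a form login. The user "alice", the client id "example-client", its secret and the redirect URI are placeholder values constructed for this example; a real deployment supplies its own user store and client registrations.

```java
// Added example, not from the page or the Spring Security OAuth project.
// Assumes spring-security-oauth2 (AuthorizationServerConfigurerAdapter) and
// Spring Security 4/5 (WebSecurityConfigurerAdapter). All credentials,
// client ids and URIs below are placeholders constructed for the demonstration.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;

@Configuration
@EnableWebSecurity
@Order(1)
public class AuthorizeEndpointSecurityConfig extends WebSecurityConfigurerAdapter {

    // Stage 1: the resource owner authenticates. Because /oauth/authorize is
    // marked authenticated(), an anonymous request for it is redirected to the
    // login form, and only afterwards does the consent (stage 2) page render.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/oauth/authorize").authenticated()
                .and()
            .formLogin().permitAll();
    }

    // Placeholder in-memory user; a real deployment uses its own UserDetailsService.
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .withUser("alice")
            .password(passwordEncoder().encode("example-password"))
            .roles("USER");
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}

@Configuration
@EnableAuthorizationServer
class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

    // Stage 2: the client that asks the (now authenticated) user for permission.
    // Placeholder client registration constructed for this example.
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
            .withClient("example-client")
            .secret(new BCryptPasswordEncoder().encode("example-secret"))
            .authorizedGrantTypes("authorization_code", "refresh_token")
            .scopes("read")
            .redirectUris("https://client.example/callback");
    }
}
```

With this in place, an unauthenticated browser request to /oauth/authorize?response_type=code&client_id=example-client&redirect_uri=https://client.example/callback gets a 302 to /login; after the user signs in, Spring Security replays the original request and the authorization server can tie the consent, and the code it issues, to that authenticated principal. Without the authenticated() rule, the authorization server would have no principal to attach to the grant, which is the failure mode the answer above describes.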
