I know that that the autorization server does not support the simple password flow because it is not supported by Oauth2.1. But for a legacy app, I need this kind of flow temporarily until I managed to reengineer it.
So I've tried to register a custom authentication provider but obviously I'm doing it wrong because when trying to fetch the topken via
curl --location 'http://localhost:9000/oauth/token' \
--header 'content-type: application/x-www-form-urlencoded' \
--header 'Authorization: Basic Y2xpZW50OnNlY3JldA==' \
--header 'Cookie: JSESSIONID=67376D18FE3C74F92196B0E08960150D' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'username=user' \
--data-urlencode 'password=password'
the authorization server answers with the login html page instead of a token. Has anybody every tried to authenticate a user by providing the username and password via the http request and returning the token immediately? It would be great to let me know.
SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http);
http
.getConfigurer(OAuth2AuthorizationServerConfigurer.class)
.tokenEndpoint(customizer -> customizer
.accessTokenRequestConverter(new BasicAuthenticationConverter())
.authenticationProvider(new PasswordAuthenticationProvider()))
.oidc(withDefaults());
http.csrf(AbstractHttpConfigurer::disable);
http
.exceptionHandling(exceptions -> exceptions
.authenticationEntryPoint(
new LoginUrlAuthenticationEntryPoint("/login")))
.oauth2ResourceServer(resourceServer ->
resourceServer.jwt(Customizer.withDefaults()));
return http.build();
}