0

I’m using Spring Authorization Server 1.4.3 to build an authentication center. I’ve extended the authorization server to support the password grant type, so clients can obtain access tokens via the /oauth2/token endpoint.

Here’s the current behavior:

The client calls /oauth2/token with grant_type=password, username, and password.

The password is sent in plain text over HTTPS.

I would like to avoid transmitting the password in plain text, even though HTTPS provides encryption at the transport layer. Ideally, I want to implement a mechanism like RSA encryption, where the client encrypts the password with a public key and the server decrypts it before authentication.

My questions:

What is the recommended way to implement non-plain-text password transmission in Spring Authorization Server 1.4.3?

Is there any built-in extension point or filter where I can intercept and decrypt the password before authentication?

Or should I customize the AuthenticationConverter / AuthenticationProvider for my password grant implementation?

Environment:

  • Spring Boot 3.4.5
  • Spring Authorization Server 1.4.3
  • Java 17
Improve this question
3
  • 3
    Why? Two levels of encryption just adds another key distribution problem. Commented Oct 28 at 1:33
  • But the password is passed by plain text , that is unsecurity and easy to expose the password Commented Oct 28 at 2:08
  • 3
    It is not passed in plain text, it is passed encrypted under the TLS security layer of HTTPS. Commented Oct 28 at 15:27
Load 4 more related questions Show fewer related questions

0

Reset to default

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.