
  • OAuth 2.0 Cookbook
  • Adolfo Eloy Nascimento
  • 360 characters
  • 2021-07-08 09:35:09

How it works...

Because the OAuth2AuthorizationServer and OAuth2ResourceServer classes use the same configuration annotations as before, the OAuth 2.0 support is wired in exactly the way Spring Security OAuth2 normally provides it. The important configuration difference is the use of an authenticationManager instance. The Authorization Server needs it because, with this grant type, it must authenticate the Resource Owner's credentials itself before it can answer the access token request coming from the client application.

Beyond the configuration, the authorization flow itself is different. With the Resource Owner Password Credentials grant, the user (the Resource Owner) hands her credentials directly to the client application, which then holds them and forwards them to the Authorization Server. This is only acceptable when there is a strong trust relationship between the Resource Owner and the client, which in practice means the client and the server belong to the same solution (for example, you as a Resource Owner using Facebook's official client application, which in turn talks to Facebook's own server-side applications). Because the client sees the password, this grant must not be offered to third-party clients: RFC 6749 itself limits it to high-trust cases where the redirect-based grants are not viable, and the later OAuth 2.0 Security Best Current Practice advises against using it at all.

To see how this grant type works for this recipe, start the application and send the following request. The Resource Owner's credentials travel as the form parameters username and password, while the client authenticates itself with HTTP Basic (the --user clientapp:123456 option); the Authorization Server must always perform this client authentication when an access token is requested through the /oauth/token endpoint:

curl -X POST --user clientapp:123456 http://localhost:8080/oauth/token -H "accept: application/json" -H "content-type: application/x-www-form-urlencoded" -d "grant_type=password&username=adolfo&password=123&scope=read_profile"

After running the previous command, you should see a JSON response like the following (with a different access token value):

{
"access_token": "28405009-b53d-4e52-bfc3-c8889a477675",
"token_type": "bearer",
"expires_in": 43199,
"scope": "read_profile"
}

Note that, as we do not define any access token expiration time, Spring Security OAuth2 applies its default of 43200 seconds (12 hours); expires_in reports the seconds remaining at the moment the response is built, hence the 43199 above. Depending on the grant type, you should consider a much shorter-lived access token (for example, with the Implicit grant type, where the token is exposed to the browser).

Now that you have a valid access token, try to retrieve the user's profile through the following command:

curl -X GET http://localhost:8080/api/profile -H "authorization: Bearer 28405009-b53d-4e52-bfc3-c8889a477675"

After running the previous command, you should see the user's name and email.
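To make the two requests above concrete, here is a small in-process model of both sides of the exchange: the /oauth/token endpoint of the Authorization Server (HTTP Basic client authentication, grant_type=password, Resource Owner credential check, scope restriction, token issuance with the 43200-second default lifetime) and the /api/profile endpoint of the Resource Server (bearer token lookup, expiry and scope checks). This is an added example written in Python and is not code from the OAuth 2.0 Cookbook or from Spring Security OAuth2; the client id, client secret, user name, password and scope are taken from the curl command on this page, while the in-memory client and user stores, the token store, the e-mail address and the error handling are assumptions made for the demo.

```python
"""Toy Resource Owner Password Credentials grant (RFC 6749 section 4.3), both sides in one process.
Added example, not the book's or Spring Security OAuth2's code. Requests are plain dicts/strings
standing in for HTTP headers and bodies, so it runs offline."""
import base64
import hmac
import secrets
import time
from urllib.parse import parse_qs

# Constructed client registry: one confidential client and the scopes it may request.
CLIENTS = {"clientapp": {"secret": "123456", "scopes": {"read_profile"}}}
# Constructed Resource Owner store. Plaintext only to keep the demo short;
# a real server stores a salted password hash and compares against that.
USERS = {"adolfo": {"password": "123", "name": "Adolfo", "email": "adolfo@example.com"}}
TOKEN_TTL = 43200  # Spring Security OAuth2's default access token lifetime, in seconds
TOKENS = {}        # access_token -> {"user", "scope", "expires_at"} (assumed in-memory store)


def basic_auth(client_id, secret):
    """Build the Authorization header that curl --user client_id:secret sends."""
    return "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode()


def _client_from_basic(auth_header):
    """Return the client id if the HTTP Basic header carries valid client credentials, else None."""
    if not auth_header or not auth_header.startswith("Basic "):
        return None
    try:
        client_id, _, secret = base64.b64decode(auth_header[6:]).decode().partition(":")
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return None
    client = CLIENTS.get(client_id)
    if client is None or not hmac.compare_digest(secret.encode(), client["secret"].encode()):
        return None
    return client_id


def token_endpoint(headers, body, now=None):
    """POST /oauth/token: returns (status, json) as the Authorization Server would."""
    now = time.time() if now is None else now
    client_id = _client_from_basic(headers.get("authorization"))
    if client_id is None:                      # client authentication always comes first
        return 401, {"error": "invalid_client"}
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if form.get("grant_type") != "password":
        return 400, {"error": "unsupported_grant_type"}
    user = USERS.get(form.get("username", ""))
    password = form.get("password", "").encode()
    if user is None or not hmac.compare_digest(password, user["password"].encode()):
        return 400, {"error": "invalid_grant"}  # Resource Owner authentication failed
    # No scope requested -> fall back to everything the client is allowed (assumed policy).
    requested = set(form.get("scope", "").split()) or set(CLIENTS[client_id]["scopes"])
    if not requested <= CLIENTS[client_id]["scopes"]:
        return 400, {"error": "invalid_scope"}
    token = secrets.token_urlsafe(32)
    TOKENS[token] = {"user": form["username"], "scope": requested, "expires_at": now + TOKEN_TTL}
    return 200, {"access_token": token, "token_type": "bearer",
                 "expires_in": TOKEN_TTL, "scope": " ".join(sorted(requested))}


def profile_endpoint(headers, now=None):
    """GET /api/profile on the Resource Server: needs a live bearer token carrying read_profile."""
    now = time.time() if now is None else now
    scheme, _, token = headers.get("authorization", "").partition(" ")
    record = TOKENS.get(token) if scheme.lower() == "bearer" else None
    if record is None or record["expires_at"] <= now:
        return 401, {"error": "invalid_token"}
    if "read_profile" not in record["scope"]:
        return 403, {"error": "insufficient_scope"}
    user = USERS[record["user"]]
    return 200, {"name": user["name"], "email": user["email"]}


if __name__ == "__main__":
    # Same request as the curl command: client auth via HTTP Basic, user credentials in the form body.
    status, tok = token_endpoint({"authorization": basic_auth("clientapp", "123456")},
                                 "grant_type=password&username=adolfo&password=123&scope=read_profile")
    print(status, tok)
    print(profile_endpoint({"authorization": "Bearer " + tok["access_token"]}))
```

The ordering inside token_endpoint is the point worth noticing: the client is authenticated before the form is even parsed, so a request with a bad client secret is rejected as invalid_client regardless of what user credentials it carries, and only then are the Resource Owner's password and the requested scope checked. The Resource Server side shows why a short lifetime matters: once expires_at has passed, the same bearer token is refused with 401 and the client has to obtain a new one.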
