This repository was archived by the owner on May 31, 2022. It is now read-only.

Description
The OAuth 2.0 specification leaves the door open for custom client authentication mechanisms. Unfortunately, the framework does not make it easy at the time of writing.
Pull request #601 is a proposal to simplify the addition of custom authentication filters for the TokenEndpoint. The custom filters are added upstream of the BasicAuthenticationFilter, leaving room for some home-made (two-factor, whatever) authentication mechanism to take place before the traditional client_id + client_secret basic authentication.
Our use case was to allow password grants only for our own mobile application. OAuth 2.0 forbids public clients to have a client secret, so we came up with our own client authentication solution.
While implementing it with spring-security-oauth2 + annotation configuration, we ended up copying most of AuthorizationServerEndpointsConfiguration and AuthorizationServerSecurityConfiguration and their configurers because there was no extension point.
Also, we encountered some cyclic dependency issues resulting in StackOverflowError, but I'll try to find the time to document another issue/sample for that matter.
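As an added example (not code from this issue, from PR #601, or from the project), here is how the arrangement described above can be wired with Java configuration, assuming the extension point takes the shape `AuthorizationServerSecurityConfigurer#addTokenEndpointAuthenticationFilter(Filter)` exposed by spring-security-oauth2 2.0.x releases. The `X-Mobile-Client-Proof` header, its `client_id:timestamp:hmac` layout and the HMAC key map are constructed for the example and stand in for whatever proof the application devises; the issue does not describe the author's own scheme. The point is the filter's position in the chain: it runs ahead of `BasicAuthenticationFilter` on the token endpoint, sets an authenticated principal only when the proof verifies, and lets requests without the header fall through so confidential clients still authenticate with HTTP Basic.

```java
package example.auth;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Collections;
import java.util.Map;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.web.filter.OncePerRequestFilter;

/**
 * Hypothetical client-authentication filter for the token endpoint (example code).
 * Header layout, constructed for this example:
 *   X-Mobile-Client-Proof: <client_id>:<unix_millis>:<hex HMAC-SHA256 over "client_id:unix_millis">
 * Requests without the header pass through untouched so that confidential clients
 * still authenticate via HTTP Basic in the downstream BasicAuthenticationFilter.
 */
public class MobileClientProofFilter extends OncePerRequestFilter {

    static final String HEADER = "X-Mobile-Client-Proof";
    private static final long MAX_SKEW_MILLIS = 5 * 60 * 1000L; // replay window

    private final Map<String, byte[]> keysByClientId; // client_id -> verification key (assumed)

    public MobileClientProofFilter(Map<String, byte[]> keysByClientId) {
        this.keysByClientId = keysByClientId;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        String proof = request.getHeader(HEADER);
        if (proof != null) {
            String clientId = verify(proof, System.currentTimeMillis());
            if (clientId == null) {
                // A presented but invalid proof is rejected outright, not handed downstream.
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "invalid client proof");
                return;
            }
            // The principal name must be the client_id: TokenEndpoint resolves the client from it.
            UsernamePasswordAuthenticationToken auth = new UsernamePasswordAuthenticationToken(
                    clientId, null, AuthorityUtils.createAuthorityList("ROLE_CLIENT"));
            SecurityContextHolder.getContext().setAuthentication(auth);
        }
        chain.doFilter(request, response);
    }

    /** Returns the verified client_id, or null if the proof is malformed, unknown, stale or forged. */
    String verify(String proof, long nowMillis) {
        String[] parts = proof.split(":");
        if (parts.length != 3) return null;
        byte[] key = keysByClientId.get(parts[0]);
        if (key == null) return null;                                  // unknown client_id
        long ts;
        try { ts = Long.parseLong(parts[1]); } catch (NumberFormatException e) { return null; }
        if (Math.abs(nowMillis - ts) > MAX_SKEW_MILLIS) return null;  // outside replay window
        String expected = hmacHex(key, parts[0] + ":" + parts[1]);
        // Constant-time comparison so a forged proof leaks no timing information.
        boolean ok = MessageDigest.isEqual(expected.getBytes(StandardCharsets.US_ASCII),
                parts[2].toLowerCase().getBytes(StandardCharsets.US_ASCII));
        return ok ? parts[0] : null;
    }

    static String hmacHex(byte[] key, String data) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(key, "HmacSHA256"));
            StringBuilder sb = new StringBuilder();
            for (byte b : mac.doFinal(data.getBytes(StandardCharsets.UTF_8))) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }
}

@Configuration
@EnableAuthorizationServer
class MobileClientAuthServerConfig extends AuthorizationServerConfigurerAdapter {

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        // Public mobile client: password grant, no client secret (constructed client id).
        clients.inMemory().withClient("mobile-app").authorizedGrantTypes("password").scopes("read");
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) {
        // Constructed key for the example; load it from configuration in a real deployment.
        Map<String, byte[]> keys = Collections.singletonMap("mobile-app",
                "replace-with-real-key".getBytes(StandardCharsets.UTF_8));
        // Registers the filter ahead of BasicAuthenticationFilter on /oauth/token,
        // the slot the proposal in this issue describes.
        security.addTokenEndpointAuthenticationFilter(new MobileClientProofFilter(keys));
    }
}
```

Because the filter only ever populates the `SecurityContext` after a successful verification, a request that carries no proof header reaches `BasicAuthenticationFilter` unchanged, and a request whose proof fails is answered with 401 before any grant handling runs. Restricting `mobile-app` to `authorizedGrantTypes("password")` in the client registration is what actually scopes the password grant to that client; the filter only decides who may present themselves as it.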