I’m using Spring Authorization Server 1.4.3 to build an authentication center. I’ve extended the authorization server to support the password grant type, so clients can obtain access tokens via the /oauth2/token endpoint.
Here’s the current behavior:
The client calls /oauth2/token with grant_type=password, username, and password.
The password is sent in plain text over HTTPS.
I would like to avoid transmitting the password in plain text, even though HTTPS provides encryption at the transport layer. Ideally, I want to implement a mechanism like RSA encryption, where the client encrypts the password with a public key and the server decrypts it before authentication.
My questions:
What is the recommended way to implement non-plain-text password transmission in Spring Authorization Server 1.4.3?
Is there any built-in extension point or filter where I can intercept and decrypt the password before authentication?
Or should I customize the AuthenticationConverter / AuthenticationProvider for my password grant implementation?
Environment:
- Spring Boot 3.4.5
- Spring Authorization Server 1.4.3
- Java 17
