Hi, after using the OAuth 2.0 implementation for a while now I wanted to give some feedback.
In general I really like the implementation and it works very well. The support for ResourceOwnerAuth and the RefreshToken are very nice. There are only two features I was missing:

1) In the AuthorizationCodeGrantService there are two private methods using sessions to store and retrieve the sessionAuthenticityToken. It would be nice to be able to change the storage. I had to create a deep copy of this class to use some other session store.

2) I found no way to get the Bearer token and the authorized client via the injected MessageContext. I copied the OAuthRequestFilter and put the AccessTokenValidation into the message, which worked perfectly. Maybe this could be done by default.

Regards,
Thorsten Höger
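The first point above, a session authenticity token whose storage can be swapped out, is the CSRF guard on the authorization server's consent step: a random token is bound to the user's session when the consent form is rendered and must come back, unchanged and once only, with the consent decision. The following is an added, self-contained sketch of that pattern behind a small store interface; it is not code from the OAuth 2.0 implementation discussed in the message, and all names (AuthenticityTokenGuard, TokenStore, InMemoryTokenStore, the "session-1"/"session-2" ids) are assumptions for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Hypothetical sketch (not the AuthorizationCodeGrantService from the message)
 * of session-authenticity-token handling behind a pluggable store.
 */
public class AuthenticityTokenGuard {

    /** Storage abstraction: a servlet session, a cache or a database can implement it. */
    public interface TokenStore {
        void put(String sessionId, String token);
        /** Removes and returns the token bound to the session, or null if none. */
        String remove(String sessionId);
    }

    /** Default in-memory store; a clustered deployment would plug in its own. */
    public static class InMemoryTokenStore implements TokenStore {
        private final Map<String, String> tokens = new ConcurrentHashMap<>();

        @Override
        public void put(String sessionId, String token) {
            tokens.put(sessionId, token);
        }

        @Override
        public String remove(String sessionId) {
            return tokens.remove(sessionId);
        }
    }

    private static final SecureRandom RANDOM = new SecureRandom();
    private final TokenStore store;

    public AuthenticityTokenGuard(TokenStore store) {
        this.store = store;
    }

    /** Called when the consent form is rendered: mint a token bound to the session. */
    public String issueToken(String sessionId) {
        byte[] raw = new byte[32]; // 256 bits from a CSPRNG
        RANDOM.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        store.put(sessionId, token);
        return token;
    }

    /** Called when the consent decision comes back: single-use, constant-time comparison. */
    public boolean verifyToken(String sessionId, String presented) {
        String expected = store.remove(sessionId); // consumed whatever the outcome
        if (expected == null || presented == null) {
            return false;
        }
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                presented.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        AuthenticityTokenGuard guard = new AuthenticityTokenGuard(new InMemoryTokenStore());

        // Constructed sample session ids; a real deployment takes them from the session layer.
        String token = guard.issueToken("session-1");
        System.out.println("accepted: " + guard.verifyToken("session-1", token));
        System.out.println("replayed: " + guard.verifyToken("session-1", token));

        String other = guard.issueToken("session-2");
        System.out.println("forged:   " + guard.verifyToken("session-2", "x" + other));
    }
}
```

The first verifyToken call succeeds; the second, with the same token, fails because the store entry was consumed on the first check; the tampered token for the second session fails the comparison. Because the grant service only talks to TokenStore, replacing the session-backed default with another implementation does not require copying the service class, which is the change the message asks for.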
