Authorization Code Grant Flow With Spring Security OAuth 2.0
In this post, we will look at how to implement a Spring authorization server using Spring Security OAuth2.
We have learned about the OAuth 2.0 specification in previous articles, and how to get the OAuth 2.0 client credentials grant flow working with Spring's authorization server. In this article, we're going to see how to get the authorization code grant flow working with Spring Security.
According to the OAuth 2.0 specification, the authorization code grant flow is a two-step process mainly used by confidential clients (a web server or other secured application that can keep its credentials secret). In the first step, we request the authorize endpoint to get an authorization code from the authorization server, and then we exchange that code for an access token at the authorization server's token endpoint.
Adding dependencies: please make sure that you have all of these dependencies in your pom.xml.
spring-security-oauth2 has all the core dependencies required for OAuth, and spring-security-jwt adds JWT support to OAuth2. The autoconfigure dependency is required for auto-configuration; if you don't want to include it, you will have to add some JAXB dependencies to get it working.
Enabling Authorization Server Support
To enable authorization server support, you need to add the @EnableAuthorizationServer annotation on top of your @SpringBootApplication class.
Overriding Authorization Server's Default Configuration
To override the default configuration of Spring's authorization server, we need to extend our configuration class from AuthorizationServerConfigurerAdapter. To reduce the code and effort for demonstration purposes, we will use in-memory client configuration. The configuration should look similar to what I have here.
Please make sure that you've marked your class with @Configuration so that it can be picked up by Spring Security OAuth2.
As discussed, the authorization code grant flow is for confidential clients, which can guarantee the security of their credentials, so here we use BCryptPasswordEncoder to encode our credentials. That's the reason I've defined a BCrypt bean.
To configure client details, we need to override the configure method that takes a ClientDetailsServiceConfigurer, and using its in-memory configuration we can add the required details.
The token store bean that you see is what I've used to customise the JWT. All you have to do is extend your token converter class from JwtAccessTokenConverter and define a bean in the authorization server config to tell the auth server to use your converter for JWTs.
Configuring Spring Security
So far, everything we did was for the authorization server. Let's add some Spring Security configuration to define the users that we will be authenticating. Extend your class from WebSecurityConfigurerAdapter like so.
It's a normal Spring Security configuration for form login, and we've used in-memory user storage. With that finished, we're ready to start testing the application.
Getting Authorization Code
To get an authorization code, we need to request it from the server, which redirects you to the auth server's login page if you're not yet authenticated. To get the code, we hit /oauth/authorize with a few parameters:
- response_type: must be set to code (required)
- client_id: the client ID that we set up in the auth server (required)
- state: some random value to maintain state between the server and the client (optional)
- redirect_uri: optional
The link will redirect you to a login page, and after a successful login it will redirect you to the redirect URI that we set up in the auth server, with some parameters like so:
The key value in the response parameters is the authorization code, which we will use next to obtain the access token and refresh token from the auth server.
Exchange Authorization Code For Access Token
To get the access token and refresh token, we need to make a POST request with the client ID and client secret in the basic auth header, along with a few parameters.
Once you make this POST request, you will get a response something like this.
That's all; you can use this token to access protected resources. Since I've signed this token with an RSA private/public key pair, it looks different from a normal JWT. I'd also like you to see how I implemented the access token converter.
Remember, it's wrapped in the token store bean that we defined in the auth server configuration. With that said, thank you so much for taking the time to read this post; I'll be coming up with some Spring Security 5 OAuth 2.0 articles. This project is available on GitHub.