Implementing Your Own Spring Boot Oauth2 Authorization Server
In this article, we will be talking about implementing your own authorization server in a Spring Boot application, and we will also test a few types of grant types.
Join the DZone community and get the full member experience.Join For Free
Before starting this post, please make sure that you have a conceptual understanding of how OAuth works and its terminologies. If you don't, you may want to check out this comprehensive explanation.
In the modern world, we have seen major IT organizations have their own OAuth implementation and have their own OAuth servers. If we look around, we will find that most of the applications are now powered by OAuth and guarantee your account security to a great extent. In Spring Boot applications, spring team has given support for spring security, which of course is a great way of securing your applications. But to leverage the features of single sign on (SSO) and social login, you may want to implement your own OAuth server in your Spring Boot application. The Spring team has also implemented OAuth specifications and given support to implement your standalone authorization server.
Spring Security OAuth is a separate project, and when developers started using this a lot, the Spring team decided to rewrite the whole Spring security and OAuth together, so currently, OAuth2 is in maintenance mode, and the Spring team has released resource server and client server in a single Spring security project with Spring security 5 release. The OAuth2 authorization server is in currently experimental mode and you can check this out here.
In this article, we will implement the Oauth2 authorization server, which is currently in maintenance mode.
To use your own authorization server, please go ahead and create a new spring starter project and make sure your pom is similar to the one that I have.
Enable Authorization Support
Open your main application class and add @EnableAuthorizationServer to enable the support for Spring authorization server.
By default, adding @EnableAuthorizationServer enables the client credentials grant type as per OAuth specifications for your spring boot application. As discussed in this post.
Adding ClientId and Client Secret
Now, run your application and you can make a postman request like this.
Please make sure you've added your clientId and client secret in the basic auth header of the authorization tab in postman and you get a successful response like this.
Now, you can use this access token to access the protected resource. Thank you so much for giving your time to read out this article. I will be posting more articles on implementing different grant types in OAuth. This project is also available on GitHub, please click on this link.
Please note that, spring doesn't recommend to use this auth server anymore. I posted this just because I wanted to give you a picture of working with oauth in spring. Spring team as rewrote the whole security module and introduced spring security 5 with resource and client server support. They are working on authorization server but it's in experimental and once it's officially available, we will surely be posting about that.
Opinions expressed by DZone contributors are their own.