Introduction To Spring Security With OAuth2.0
Posted By : Navin Purohit | 02-Jan-2020
OAuth 2 is an authorization framework that grants access to protected resources over HTTP. It lets a third-party application obtain limited access to those resources on behalf of the resource owner, by orchestrating an approval interaction between the resource owner and the HTTP service (RFC 6749). Note that OAuth 2 is an authorization protocol, not an authentication protocol: an access token says what a client may do, not who the user is; OpenID Connect adds the identity layer on top of it.
The OAuth 2 specification (RFC 6749) defines four authorization grant types, plus the refresh token grant for exchanging a refresh token for a new access token, giving five grants through which a client can obtain an access token:
- Implicit grant
- Authorization code grant
- Refresh token grant
- Resource owner credentials grant
- Client credentials grant
The implicit grant and the resource owner password credentials grant are discouraged by the OAuth 2.0 Security Best Current Practice: browser-based and native clients should use the authorization code grant with PKCE instead, and the password grant hands the user's actual credentials to the client.
OAuth 2 defines the following four roles:
1. Client Application: the application that needs access to the user's data on the resource server.
2. Resource Server: the server that hosts the user's data and the HTTP services that return that data to clients presenting a valid access token.
3. Authorization Server: responsible for authenticating the resource owner, obtaining their authorization and issuing access tokens. The resource server accepts such a token and validates it (locally, if it is a signed JWT, or by asking the authorization server) before serving the request.
4. Resource Owner: the user who owns the data and grants the client access to it.
Access token vs Refresh token
An access token is an opaque string (or a signed token such as a JWT) issued to the client application. It represents a particular set of scopes and a period of access granted by the resource owner, and the resource server uses it to decide what a request may do. Because it is a bearer credential, anyone who holds it can use it, so it must only travel over TLS and should be short-lived.
A refresh token is issued to the client by the authorization server along with the access token. The client uses it to obtain a new access token when the current one has expired or become invalid, or to obtain additional access tokens with the same or a narrower scope. Refresh tokens are optional, at the discretion of the authorization server, and are never sent to the resource server; they are long-lived and therefore must be stored more carefully than access tokens.
How to create an Authorization server
1. The authorization server is built with the Spring Security OAuth2 module (spring-security-oauth2). Annotate a configuration class with @EnableAuthorizationServer, extend AuthorizationServerConfigurerAdapter and override its configure(...) methods. (The Spring Security OAuth project is in maintenance mode and has been deprecated in favour of the OAuth 2 support in Spring Security 5 itself; check the project's status before starting a new deployment on it.)
2. Spring Security OAuth exposes two endpoints for checking tokens: /oauth/token_key (publishes the key used to verify signed JWT tokens) and /oauth/check_token (validates a token and returns its claims). Both are protected behind denyAll() by default. The tokenKeyAccess() and checkTokenAccess() methods of AuthorizationServerSecurityConfigurer take a Spring Security access expression that opens them up, for example tokenKeyAccess("permitAll()") for a public verification key and checkTokenAccess("isAuthenticated()") so that only authenticated resource servers can introspect tokens.
3. ClientDetailsServiceConfigurer is used to define an in-memory or JDBC-backed implementation of the client details service. Each registered client has the following important properties:
-> clientId – the unique client id, which is required
-> secret – the client secret, if any, which is required for trusted (confidential) clients. With Spring Security 5 it must be stored through a PasswordEncoder, like a user password.
-> scope – the scopes the client is restricted to. If the scope is empty or undefined, the client is not limited by scope. The default scope is empty.
-> authorizedGrantTypes – the grant types the client may use (authorization_code, implicit, password, client_credentials, refresh_token). The default is empty, so a client with none configured cannot obtain a token; grant only what the client actually needs.
-> authorities – regular Spring Security authorities granted to the client itself, as opposed to the user.
-> redirect URIs – the registered URIs to which the authorization server may redirect the user-agent after authorization. They must be absolute URLs, and the redirect_uri sent in an authorization request is matched against this list, so register only exact HTTPS URIs to prevent codes or tokens being delivered to an attacker-controlled location.
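Putting the three steps together, here is an added example of a complete authorization server configuration written for this article; it is not code from the original post. It assumes the legacy spring-security-oauth2 library on the classpath, and a PasswordEncoder bean and an AuthenticationManager bean (exposed from a WebSecurityConfigurerAdapter via authenticationManagerBean()) defined elsewhere in the application. The package name, client ids, secrets, scopes and redirect URI are made up for the example.

```java
package com.example.auth; // hypothetical package

import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;

@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

    private final AuthenticationManager authenticationManager;
    private final PasswordEncoder passwordEncoder;

    // Both beans are assumed to be defined in the application's web security config.
    public AuthorizationServerConfig(AuthenticationManager authenticationManager,
                                     PasswordEncoder passwordEncoder) {
        this.authenticationManager = authenticationManager;
        this.passwordEncoder = passwordEncoder;
    }

    // Step 2: /oauth/token_key and /oauth/check_token are denyAll() by default.
    // The verification key is public, so anyone may fetch it; token introspection
    // requires client authentication so only known resource servers can use it.
    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
        security
            .tokenKeyAccess("permitAll()")
            .checkTokenAccess("isAuthenticated()");
    }

    // Step 3: register clients. Secrets are stored encoded (Spring Security 5 rejects
    // plain-text secrets), each client gets only the grant types and scopes it needs,
    // and the browser-facing client gets a single exact HTTPS redirect URI.
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
            // A web application acting on behalf of a signed-in user.
            .withClient("web-app")                                 // hypothetical client id
                .secret(passwordEncoder.encode("web-app-secret"))  // demo secret; load from a vault in practice
                .scopes("read", "write")
                .authorizedGrantTypes("authorization_code", "refresh_token")
                .authorities("ROLE_CLIENT")
                .redirectUris("https://app.example.com/login/oauth2/code/web-app") // exact match only
                .accessTokenValiditySeconds(900)      // short-lived access token (15 min)
                .refreshTokenValiditySeconds(86400)   // refresh token valid for one day
            .and()
            // A back-end job with no user involved: client_credentials only, read-only scope.
            .withClient("report-job")
                .secret(passwordEncoder.encode("report-job-secret"))
                .scopes("read")
                .authorizedGrantTypes("client_credentials")
                .authorities("ROLE_TRUSTED_CLIENT")
                .accessTokenValiditySeconds(300);
    }

    // Wire the AuthenticationManager so the token endpoint can authenticate resource
    // owners for the grants that need it; the in-memory token store is the default.
    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.authenticationManager(authenticationManager);
    }
}
```

With this in place the server exposes /oauth/authorize and /oauth/token; a resource server can validate tokens by calling /oauth/check_token with its own client credentials, which is why that endpoint is set to isAuthenticated() rather than permitAll(). The in-memory client store is for demonstration only; for a real deployment replace clients.inMemory() with clients.jdbc(dataSource) and keep the secrets out of source control.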