In this article, we are going to see how we can implement the latest spring authorization server which is currently in experimental mode. Spring team has already shifted all OAuth2 modules in Spring Security 5 but not the authorization server.  The spring team has started working on providing the support for the OAuth2 Authorization server and the project is currently available in experimental mode and can be found here. It's not available for production yet but we can explore the features that have been already released in experimental mode.

We will be implementing OAuth2 Authorization Grant and as you might be aware that it's a two-step process defined in RFC 6749. In which the client will redirect the user to authenticate themselves on the authorization server and then the authorization server returns an authorization code that the authorization server uses to get an access token from the authorization server. In our case, the client will be google chrome and postman. We will use chrome to log in on the authorization server and then with the code we will hit on token endpoint to obtain the access token. Once you have the access token we can continue accessing the protected resources that we've been authorized by the authorization server.

Creating Project

Head to Spring Starter and choose a Gradle project. Once you have it import the project in your favorite IDE and make sure your POM.xml looks similar to the one we have here.

     <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-devtools</artifactId>
            <scope>runtime</scope>
            <optional>true</optional>
        </dependency>
        <dependency>
            <groupId>org.springframework.security.experimental</groupId>
            <artifactId>spring-security-oauth2-authorization-server</artifactId>
            <version>0.0.3</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
        </dependency>
    </dependencies>

Configuring Authorization Server

The spring team has made it very easy to configure the authorization server without defining a lot of things. We just need to import the configuration class provided by Spring team and define a few required beans and that's all. 

@Configuration
@EnableWebSecurity
@Import(OAuth2AuthorizationServerConfiguration.class)
public class AuthServerConfig {
    
    @Bean
    RegisteredClientRepository getRegisteredClientRepository() {
        RegisteredClient client = RegisteredClient.withId("client-1")
                .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                .authorizationGrantType(AuthorizationGrantType.REFRESH_TOKEN)
                .clientId("clientid")
                .clientSecret("secret")
                .redirectUri("http://localhost:9090/authorized/callback")
                .scope(OidcScopes.PROFILE)
                .scope(OidcScopes.OPENID)
                .clientAuthenticationMethod(ClientAuthenticationMethod.BASIC)
                .tokenSettings(token -> token.enableRefreshTokens(true))
                .build();
        return new InMemoryRegisteredClientRepository(client);
    }
    
    @Bean
    KeyManager getKeyManager() {
        return new StaticKeyGeneratingKeyManager();
    }
}

The first Bean that we've defined is for populating the clients in the memory, we can customize this to use data from a database or external source etc. The second bean is for Key Manager which will be your public and private RSA keys to sign the JWT token and check the token. You can provide your own implementation for KeyManager. Once you will start the server you will see something like this.

Will secure Or [Or [Ant [pattern='/oauth2/authorize', GET], Ant [pattern='/oauth2/authorize', POST]], Ant [pattern='/oauth2/token', POST], Ant [pattern='/oauth2/revoke', POST], Ant [pattern='/oauth2/jwks', GET]] with [org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@6658ca71, org.springframework.security.web.context.SecurityContextPersistenceFilter@793c2d4e, org.springframework.security.web.header.HeaderWriterFilter...

These are the endpoints that have been exposed by your authorization server. Now you can go to authorize endpoint to authorize your user on the authorization server and with the return authorization_code, we can make a post request at /token endpoint to get access and refresh token. To discuss any requirements, connect with us.