Spring Security along with OAuth2.0

Posted By : Preeti Singh | 03-Dec-2020

Security is mostly about authentication, i.e. verifying an identity, and authorization, i.e. granting access rights to resources.

To let a client access protected resources through a web security application, we can use OAuth2, which is an authorization framework. When building an OAuth2 application, pay special attention to the grant type (here the Authorization Code grant), the client ID, and the client secret.

OAuth2 Roles:

Four roles apply to OAuth2:

Resource Owner: The entity that owns the protected resource (the name is self-explanatory).

Resource Server: The server that hosts the resources protected by OAuth2 tokens.

Client: The application that accesses the resource server.

Authorization Server: The server that issues access tokens to the client after successfully authenticating the resource owner and obtaining its authorization.

OAuth2 Tokens:

Access Token: Usually valid for about an hour only; it is sent with each request.

Refresh Token: Used to obtain a new access token; it is not sent with each request and usually lives longer than the access token.

The simplified flow is described below:

First, the client sends an authorization request to the server (acting as resource owner) using the password authorization grant.

The access token is returned to the client (along with the refresh token).

On each request for a protected resource, the client sends the access token to the server (acting as resource server).

The server responds with the requested protected resources.

OAuth2 – Authorization Server

The Spring Security OAuth2 module helps you create an authorization server: annotate a configuration class with @EnableAuthorizationServer and extend the AuthorizationServerConfigurerAdapter class.

Spring Security OAuth exposes two endpoints for checking tokens (/oauth/check_token and /oauth/token_key). Both endpoints are protected by default with denyAll(); the tokenKeyAccess() and checkTokenAccess() methods open them for use.

ClientDetailsServiceConfigurer is used to define an in-memory or JDBC implementation of the client details service. The in-memory implementation has the following important attributes:

clientId – (required) the client id.

secret – the client secret, required for a trusted client, if any.

scope – the scope to which the client is confined. If the scope is empty or not defined, the client is not limited by scope. The default scope is empty.

authorizedGrantTypes – the grant types the client is authorized to use. The default value is empty.

authorities – the authorities granted to the client (regular Spring Security authorities).

redirect URLs – must be absolute URLs; the authorization server redirects the user-agent to the client's registered redirection endpoint.
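Putting the pieces above together, here is an added example (not code from the original post) of an authorization server configuration that opens the two token-checking endpoints and registers one in-memory client with the attributes just listed. The class name, client id, secret, scopes and redirect URI are made-up values, and a PasswordEncoder bean is assumed to exist elsewhere, since Spring Security 5 expects client secrets to be stored encoded.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;

@Configuration
@EnableAuthorizationServer
public class AuthServerConfig extends AuthorizationServerConfigurerAdapter {

    // Assumed: a PasswordEncoder bean (e.g. BCryptPasswordEncoder) is defined elsewhere.
    private final PasswordEncoder passwordEncoder;

    public AuthServerConfig(PasswordEncoder passwordEncoder) {
        this.passwordEncoder = passwordEncoder;
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) {
        // Both endpoints are denyAll() by default. The public-key endpoint can be
        // opened to everyone; token introspection stays behind client authentication.
        security
            .tokenKeyAccess("permitAll()")
            .checkTokenAccess("isAuthenticated()");
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
            .withClient("web-client")                                    // clientId (required)
            .secret(passwordEncoder.encode("change-me"))                 // secret, stored encoded
            .scopes("read", "write")                                     // client is confined to these scopes
            .authorizedGrantTypes("authorization_code", "refresh_token") // no password or implicit grant
            .authorities("ROLE_CLIENT")                                  // regular Spring Security authorities
            .redirectUris("https://client.example.com/login/oauth2/code/web-client") // absolute URL only
            .accessTokenValiditySeconds(3600)                            // short-lived access token
            .refreshTokenValiditySeconds(86400);                         // longer-lived refresh token
    }
}
```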
 

OAuth2 – Resource Server

To create a resource server component, use the @EnableResourceServer annotation and extend the ResourceServerConfigurerAdapter class.

We, at Oodles Technologies, provide full-scale SaaS app development services to build scalable, responsive, and quality-driven web and mobile applications. Contact us for technical assistance or drop us a line at [email protected] for more detail. 

About Author

Preeti Singh

Preeti Singh is a backend developer and has experience in developing web applications using java, j2EE, Spring Framework. In mean time she loves listening to music.
