Spring Security along with OAuth2.0
Posted By : Preeti Singh | 03-Dec-2020
Security is mostly about authentication, i.e. verifying an identity, and authorization, i.e. granting access rights to resources.
To let a client access protected resources through a web application secured with Spring Security, we can use OAuth2, which is an authorization framework. When building an OAuth2 application, pay special attention to the grant type (for example, Authorization Code), the client ID, and the client secret.
OAuth2 Roles:
Four roles apply to OAuth2:
Resource Owner: The user or entity that owns the protected resource.
Resource Server: This serves resources that are under the OAuth2 token protection.
Client: The application accessing the resource server.
Authorization Server: After successfully authenticating the resource owner and obtaining authorization, this server issues access tokens to the client.
OAuth2 Tokens:
Access Token: Usually valid for about an hour only; it is sent with each request.
Refresh Token: Used to obtain a new access token. It is not sent with each request, and it usually lives longer than the access token.
The simplified flow is described below:
First, the client sends an authorization request to the server (acting as resource owner) using the password authorization grant.
The access token is returned to the client (along with the refresh token).
On each request for a protected resource, the client sends the access token to the server (acting as resource server).
The server responds with the requested protected resources.
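The four steps above from the client's side, as an added example that is not part of the original post. It uses the legacy spring-security-oauth2 client classes (OAuth2RestTemplate and ResourceOwnerPasswordResourceDetails); the package name, the host names auth.example.com and api.example.com, the client id "web-client" and the environment variable names are assumptions made for this example.

```java
package com.example.client; // hypothetical package for this added example

import java.util.Arrays;

import org.springframework.security.oauth2.client.OAuth2RestTemplate;
import org.springframework.security.oauth2.client.token.grant.password.ResourceOwnerPasswordResourceDetails;
import org.springframework.security.oauth2.common.OAuth2AccessToken;

public class PasswordGrantClient {

    public static void main(String[] args) {
        // Step 1: describe the password grant. The client sends its own credentials plus the
        // resource owner's username and password to the token endpoint. Hosts are placeholders.
        ResourceOwnerPasswordResourceDetails details = new ResourceOwnerPasswordResourceDetails();
        details.setAccessTokenUri("https://auth.example.com/oauth/token");
        details.setClientId("web-client");
        // Secrets and user credentials come from the environment, never from source code.
        details.setClientSecret(System.getenv("OAUTH_CLIENT_SECRET"));
        details.setUsername(System.getenv("OAUTH_USERNAME"));
        details.setPassword(System.getenv("OAUTH_PASSWORD"));
        details.setScope(Arrays.asList("read"));

        OAuth2RestTemplate rest = new OAuth2RestTemplate(details);

        // Step 2: the first call obtains the access token (and the refresh token)
        // from the authorization server.
        OAuth2AccessToken token = rest.getAccessToken();
        System.out.println("access token expires in " + token.getExpiresIn() + "s");
        System.out.println("refresh token present: " + (token.getRefreshToken() != null));

        // Step 3: every request to the resource server carries the access token
        // in an Authorization: Bearer header, added by OAuth2RestTemplate.
        // Step 4: the resource server answers with the protected representation.
        String account = rest.getForObject("https://api.example.com/api/account", String.class);
        System.out.println(account);

        // Once the access token expires, OAuth2RestTemplate uses the refresh token to obtain
        // a new access token, so the user's password is sent to the authorization server only once.
    }
}
```

Note that the password grant hands the resource owner's password to the client, so it is only appropriate for first-party clients that are as trusted as the authorization server itself; the authorization code grant keeps the password away from the client entirely.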
OAuth2 – Authorization Server
The Spring Security OAuth2 module lets you create an authorization server with the @EnableAuthorizationServer annotation and a class that extends AuthorizationServerConfigurerAdapter.
Spring Security OAuth exposes two endpoints for checking tokens, /oauth/check_token and /oauth/token_key. Both are protected by default with denyAll(); the tokenKeyAccess() and checkTokenAccess() methods take a Spring Security access expression that opens these endpoints for use.
ClientDetailsServiceConfigurer is used to define an in-memory or JDBC implementation of the client details service. In-memory implementation has the following important attributes:
clientId – (required) the client id.
secret – the client secret required for the trusted client, if any.
scope – The scope to which the client is confined. If the scope is empty or not-defined, the client is not limited by scope. The default scope is empty.
authorizedGrantTypes – The grant types the client is authorized to use. The default value is empty.
authorities – the authorities that are granted to the client (regular Spring Security authorities).
redirectUris – The registered redirect URLs; each must be an absolute URL. The authorization server redirects the user-agent to the client’s redirection endpoint.
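An authorization server configuration that exercises every attribute listed above, opens the two token-checking endpoints, and wires the AuthenticationManager the password grant needs, as an added example rather than code from the original post. The package name, the client id "web-client", the resource id "account-api", the redirect URL and the token lifetimes are assumptions; the AuthenticationManager and PasswordEncoder beans are assumed to be defined elsewhere in the application.

```java
package com.example.auth; // hypothetical package for this added example

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;

@Configuration
@EnableAuthorizationServer
public class AuthServerConfig extends AuthorizationServerConfigurerAdapter {

    // Assumed to be provided by the application's security configuration:
    // the AuthenticationManager verifies resource owners for the password grant,
    // the PasswordEncoder (e.g. BCrypt) hashes client secrets at rest.
    @Autowired
    private AuthenticationManager authenticationManager;

    @Autowired
    private PasswordEncoder passwordEncoder;

    // In-memory ClientDetailsService with the attributes listed above.
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
            .withClient("web-client")                                // clientId (required)
            .secret(passwordEncoder.encode("change-me"))             // secret: stored hashed, never in plain text
            .scopes("read", "write")                                 // scope: the client is confined to these
            .authorizedGrantTypes("password", "authorization_code",  // grant types this client may use
                                  "refresh_token")
            .authorities("ROLE_CLIENT")                              // authorities of the client itself
            .redirectUris("https://client.example.com/login/oauth2/code") // absolute URL, used by authorization_code
            .resourceIds("account-api")                              // audience the issued tokens are valid for
            .accessTokenValiditySeconds(3600)                        // about an hour, as described above
            .refreshTokenValiditySeconds(30 * 24 * 3600);            // refresh token outlives the access token
    }

    // /oauth/token_key and /oauth/check_token are denyAll() by default; open them only as far as needed.
    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) {
        security
            // permitAll() is only safe when token_key serves a public (asymmetric) key;
            // with a symmetric signing key this endpoint would leak the key, so keep it denied.
            .tokenKeyAccess("permitAll()")
            // Token introspection is reserved for authenticated clients (e.g. resource servers).
            .checkTokenAccess("isAuthenticated()");
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
        // The password grant needs an AuthenticationManager to check the resource owner's credentials.
        endpoints.authenticationManager(authenticationManager);
    }
}
```

The spring-security-oauth2 project these classes come from has reached end of life; new authorization servers should be built on Spring Authorization Server, but the concepts (client registration, scopes, grant types, protected check-token endpoints) carry over unchanged.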
OAuth2 – Resource Server
To create a resource server component, use the @EnableResourceServer annotation and extend the ResourceServerConfigurerAdapter class.
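A resource server configuration built on those two pieces, as an added example that is not part of the original post. It binds the server to a resource id and enforces token scopes per route; the package name, the resource id "account-api" and the /api/** paths are assumptions for this example.

```java
package com.example.resource; // hypothetical package for this added example

import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;

@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    // Tokens that carry an audience (resourceIds) must include this id, or they are rejected.
    private static final String RESOURCE_ID = "account-api";

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        // stateless(true): every request must present a token; no session is ever used.
        resources.resourceId(RESOURCE_ID).stateless(true);
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Reads need a token carrying the 'read' scope ...
                .antMatchers(HttpMethod.GET, "/api/**").access("#oauth2.hasScope('read')")
                // ... writes need 'write'; anything else under /api needs at least a valid token.
                .antMatchers(HttpMethod.POST, "/api/**").access("#oauth2.hasScope('write')")
                .antMatchers("/api/**").authenticated()
                // Fail closed for routes not listed above.
                .anyRequest().denyAll()
            .and()
            // Bearer tokens are the only credential: no session and therefore no CSRF token to protect.
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .csrf().disable();
    }
}
```

The scope checks matter because a client confined to the read scope at the authorization server should not be able to reach write endpoints even with a valid token; the resource server must enforce that boundary itself.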
We, at Oodles Technologies, provide full-scale SaaS app development services to build scalable, responsive, and quality-driven web and mobile applications. Contact us for technical assistance or drop us a line at [email protected] for more detail.
About Author
Preeti Singh
Preeti Singh is a backend developer with experience in developing web applications using Java, J2EE and the Spring Framework. In her spare time she loves listening to music.