Spring Security along with OAuth2.0
Posted By : Preeti Singh | 03-Dec-2020
Security is mostly about authentication, i.e. the verification of the identity, and authorization, the grant of access rights to resources.
To access the resources from the client by using a Web Security application, we can use OAuth2, which is an authorization framework. To build an Oauth2 application, we should pay special attention to the Grant Type (Authorization Code), Client ID, and Client secret.
Four roles apply to OAuth2:
Resource Owner: This is the owner of the resource i.e self-explanatory.
Resource Server: This serves resources that are under the OAuth2 token protection.
Client: The application accessing the resource server.
Authorization Server: After successfully authenticating the resource owner and obtaining authorization then this server is responsible for issuing access tokens to the client.
Access Token: The access tokens usually valid for about an hour only, sent with each request.
Refresh Token: To get a 00new access token, we use this, It is not sent with each request. Also, it usually lives longer than the access token.
The simplified flow is described below:
First, the client sends an authorization request to the server (acting as resource owner) using the password authorization grant
The access token is returned to the client (along with the refresh token)
On each request for protected resource access, the access token is then sent from client to server (acting as resource server).
The server responds with required protected resources
Oauth2 – Authorization Server
The spring security OAuth2 module can help you to create an authorization server using the annotation @EnableAuthorizationServer and extend the class AuthorizationServerConfigurerAdapter.
Spring Security OAuth has two endpoints for checking tokens (/OAuth/check_token and /OAuth/token_key). These tokens are protected by default behind denyAll(). tokenKeyAccess() and checkTokenAccess() methods open these endpoints for use.
ClientDetailsServiceConfigurer is used to define an in-memory or JDBC implementation of the client details service. In-memory implementation has the following important attributes:
clientId – (required) the client id.
secret – the client secret required for the trusted client, if any.
scope – The scope to which the client is confined. If the scope is empty or not-defined, the client is not limited by scope. The default scope is empty.
authorizedGrantTypes – The default value is empty. Grant types that are authorized for the client use.
authorities – the authorities that are granted to the client (regular Spring Security authorities).
redirect URLs – It must be an absolute URL. It redirects the user-agent to the client’s redirection endpoint.
Oauth2 – Resource Server
To create a resource server component, use @EnableResourceServer annotation, and extend the ResourceServerConfigurerAdapter class.
We, at Oodles Technologies, provide full-scale SaaS app development services to build scalable, responsive, and quality-driven web and mobile applications. Contact us for technical assistance or drop us a line at firstname.lastname@example.org for more detail.