The latest articles on DEV Community by Bubu Tripathy (@bubut2025). https://dev.to/bubut2025 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2508819%2F6a4b5533-3348-48bf-96c5-116c7f90da19.jpg https://dev.to/bubut2025 en Bubu Tripathy Mon, 02 Dec 2024 02:20:11 +0000 https://dev.to/bubut2025/securing-spring-microservice-with-oauth-20-1k2b https://dev.to/bubut2025/securing-spring-microservice-with-oauth-20-1k2b <p>This tutorial is about setting up an OAuth 2.0 Authorization Server and securing microservices with token-based authentication and scope-based authorization using Spring Boot.</p> <h3> <strong>Step 1: Setting up the OAuth 2.0 Authorization Server</strong> </h3> <p>An OAuth 2.0 Authorization Server centralizes security, issuing access tokens for client applications to authenticate and authorize requests to microservices.</p> <h4> <strong>1.1 Adding Dependencies</strong> </h4> <p>To begin, include the <code>spring-security-oauth2</code> and <code>spring-boot-starter-security</code> dependencies in your <code>pom.xml</code>. These provide essential libraries for configuring OAuth 2.0 capabilities and securing your Spring Boot application.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight xml"><code><span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.springframework.security.oauth<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-security-oauth2<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;/dependency&gt;</span> <span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.springframework.boot<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-boot-starter-security<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;/dependency&gt;</span> </code></pre> </div> <h4> <strong>1.2 Configuring Application Properties</strong> </h4> <p>Next, configure the server to run on port <code>8081</code> by adding a few settings in the <code>application.properties</code> file. Enabling the OAuth 2.0 Authorization Server is done via <code>spring.security.oauth2.authorizationserver.enabled=true</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight properties"><code><span class="py">server.port</span><span class="p">=</span><span class="s">8081</span> <span class="py">spring.security.oauth2.authorizationserver.enabled</span><span class="p">=</span><span class="s">true</span> </code></pre> </div> <p>This ensures the application starts on the specified port and sets up the authorization server.</p> <h4> <strong>1.3 Implementing the Authorization Server</strong> </h4> <p>Create a Java class annotated with <code>@EnableAuthorizationServer</code> to designate it as an authorization server. Extend <code>AuthorizationServerConfigurerAdapter</code> to configure clients and supported grant types. In this example, the client details are stored in memory using <code>inMemory()</code>. The client is identified by <code>"client-id"</code>, secured with <code>"client-secret"</code>, and supports the <code>"password"</code> and <code>"refresh_token"</code> grant types. It is further scoped to <code>"read"</code> and <code>"write"</code>, defining the level of access the client has to resources.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kn">import</span> <span class="nn">org.springframework.context.annotation.Configuration</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter</span><span class="o">;</span> <span class="nd">@EnableAuthorizationServer</span> <span class="nd">@Configuration</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">AuthServerConfig</span> <span class="kd">extends</span> <span class="nc">AuthorizationServerConfigurerAdapter</span> <span class="o">{</span> <span class="nd">@Override</span> <span class="kd">public</span> <span class="kt">void</span> <span class="nf">configure</span><span class="o">(</span><span class="nc">ClientDetailsServiceConfigurer</span> <span class="n">clients</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="n">clients</span><span class="o">.</span><span class="na">inMemory</span><span class="o">()</span> <span class="o">.</span><span class="na">withClient</span><span class="o">(</span><span class="s">"client-id"</span><span class="o">)</span> <span class="o">.</span><span class="na">secret</span><span class="o">(</span><span class="s">"{noop}client-secret"</span><span class="o">)</span> <span class="o">.</span><span class="na">authorizedGrantTypes</span><span class="o">(</span><span class="s">"password"</span><span class="o">,</span> <span class="s">"refresh_token"</span><span class="o">)</span> <span class="o">.</span><span class="na">scopes</span><span class="o">(</span><span class="s">"read"</span><span class="o">,</span> <span class="s">"write"</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <h3> <strong>Step 2: Securing a Microservice as a Resource Server</strong> </h3> <p>A <strong>Resource Server</strong> is a microservice that validates access tokens and enforces access control. </p> <h4> <strong>2.1 Adding Dependencies</strong> </h4> <p>Include the <code>spring-security-oauth2</code> dependency in the <code>pom.xml</code> of your microservice:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight xml"><code><span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.springframework.security.oauth<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-security-oauth2<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;/dependency&gt;</span> </code></pre> </div> <h4> <strong>2.2 Configuring the Resource Server</strong> </h4> <p>To secure your microservice, annotate a configuration class with <code>@EnableResourceServer</code>. Extend <code>ResourceServerConfigurerAdapter</code> and override the <code>configure(HttpSecurity http)</code> method. Here, we configure the microservice to permit all requests to <code>/public/**</code> but require authentication for other endpoints.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kn">import</span> <span class="nn">org.springframework.context.annotation.Configuration</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.config.annotation.web.builders.HttpSecurity</span><span class="o">;</span> <span class="nd">@EnableResourceServer</span> <span class="nd">@Configuration</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">ResourceServerConfig</span> <span class="kd">extends</span> <span class="nc">ResourceServerConfigurerAdapter</span> <span class="o">{</span> <span class="nd">@Override</span> <span class="kd">public</span> <span class="kt">void</span> <span class="nf">configure</span><span class="o">(</span><span class="nc">HttpSecurity</span> <span class="n">http</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="n">http</span><span class="o">.</span><span class="na">authorizeRequests</span><span class="o">()</span> <span class="o">.</span><span class="na">antMatchers</span><span class="o">(</span><span class="s">"/public/**"</span><span class="o">).</span><span class="na">permitAll</span><span class="o">()</span> <span class="o">.</span><span class="na">anyRequest</span><span class="o">().</span><span class="na">authenticated</span><span class="o">();</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <h4> <strong>2.3 Validating Access Tokens</strong> </h4> <p>The resource server must validate the access tokens issued by the authorization server. Specify the token validation endpoint in the <code>application.properties</code> file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight properties"><code><span class="py">security.oauth2.resource.token-info-uri</span><span class="p">=</span><span class="s">http://localhost:8081/oauth/check_token</span> </code></pre> </div> <p>This points the resource server to the authorization server’s <code>/check_token</code> endpoint for token verification.</p> <h3> <strong>Step 3: Enforcing Scope-Based Authorization</strong> </h3> <p>OAuth 2.0 allows fine-grained access control by using <strong>scopes</strong>. Scopes represent the level of access permitted to a resource.</p> <h4> <strong>Configuring Scope-Based Access</strong> </h4> <p>Spring Security annotations like <code>@PreAuthorize</code> can enforce scope-based access control at the method level. For example, the following <code>OrderController</code> class uses <code>@PreAuthorize</code> to allow access to <code>getOrders</code> only if the token contains the <code>"read"</code> scope. Similarly, the <code>createOrder</code> method requires the <code>"write"</code> scope.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kn">import</span> <span class="nn">org.springframework.security.access.prepost.PreAuthorize</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.web.bind.annotation.*</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.util.List</span><span class="o">;</span> <span class="nd">@RestController</span> <span class="nd">@RequestMapping</span><span class="o">(</span><span class="s">"/orders"</span><span class="o">)</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">OrderController</span> <span class="o">{</span> <span class="nd">@PreAuthorize</span><span class="o">(</span><span class="s">"hasAuthority('SCOPE_read')"</span><span class="o">)</span> <span class="nd">@GetMapping</span> <span class="kd">public</span> <span class="nc">List</span><span class="o">&lt;</span><span class="nc">Order</span><span class="o">&gt;</span> <span class="nf">getOrders</span><span class="o">()</span> <span class="o">{</span> <span class="c1">// Logic to fetch orders</span> <span class="k">return</span> <span class="nc">List</span><span class="o">.</span><span class="na">of</span><span class="o">(</span><span class="k">new</span> <span class="nc">Order</span><span class="o">(</span><span class="mi">1</span><span class="o">,</span> <span class="s">"Sample Order"</span><span class="o">));</span> <span class="o">}</span> <span class="nd">@PreAuthorize</span><span class="o">(</span><span class="s">"hasAuthority('SCOPE_write')"</span><span class="o">)</span> <span class="nd">@PostMapping</span> <span class="kd">public</span> <span class="nc">Order</span> <span class="nf">createOrder</span><span class="o">(</span><span class="nd">@RequestBody</span> <span class="nc">Order</span> <span class="n">order</span><span class="o">)</span> <span class="o">{</span> <span class="c1">// Logic to create order</span> <span class="k">return</span> <span class="n">order</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> <span class="kd">class</span> <span class="nc">Order</span> <span class="o">{</span> <span class="kd">private</span> <span class="kt">int</span> <span class="n">id</span><span class="o">;</span> <span class="kd">private</span> <span class="nc">String</span> <span class="n">name</span><span class="o">;</span> <span class="c1">// Constructor, getters, and setters</span> <span class="kd">public</span> <span class="nf">Order</span><span class="o">(</span><span class="kt">int</span> <span class="n">id</span><span class="o">,</span> <span class="nc">String</span> <span class="n">name</span><span class="o">)</span> <span class="o">{</span> <span class="k">this</span><span class="o">.</span><span class="na">id</span> <span class="o">=</span> <span class="n">id</span><span class="o">;</span> <span class="k">this</span><span class="o">.</span><span class="na">name</span> <span class="o">=</span> <span class="n">name</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>Ensure that tokens include the required scopes in their payload, as shown below:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"scope"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"read"</span><span class="p">,</span><span class="w"> </span><span class="s2">"write"</span><span class="p">],</span><span class="w"> </span><span class="nl">"exp"</span><span class="p">:</span><span class="w"> </span><span class="mi">1700000000</span><span class="p">,</span><span class="w"> </span><span class="nl">"client_id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"client-id"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> <strong>Step 4: Testing the Setup</strong> </h3> <h4> <strong>4.1 Obtaining an Access Token</strong> </h4> <p>A client can obtain an access token by sending a <code>POST</code> request to the authorization server’s <code>/oauth/token</code> endpoint. Use the following <code>curl</code> command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-X</span> POST <span class="se">\</span> <span class="nt">-d</span> <span class="s2">"grant_type=password&amp;username=user&amp;password=pass"</span> <span class="se">\</span> <span class="nt">-u</span> <span class="s2">"client-id:client-secret"</span> <span class="se">\</span> http://localhost:8081/oauth/token </code></pre> </div> <p>The response includes the <code>access_token</code> and other token details:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"access_token"</span><span class="p">:</span><span class="w"> </span><span class="s2">"abc123"</span><span class="p">,</span><span class="w"> </span><span class="nl">"token_type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Bearer"</span><span class="p">,</span><span class="w"> </span><span class="nl">"expires_in"</span><span class="p">:</span><span class="w"> </span><span class="mi">3600</span><span class="p">,</span><span class="w"> </span><span class="nl">"refresh_token"</span><span class="p">:</span><span class="w"> </span><span class="s2">"xyz789"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h4> <strong>4.2 Accessing a Secured Endpoint</strong> </h4> <p>To access a secured microservice endpoint, include the access token in the <code>Authorization</code> header:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-H</span> <span class="s2">"Authorization: Bearer abc123"</span> http://localhost:8080/orders </code></pre> </div> <h3> <strong>Conclusion</strong> </h3> <p>This tutorial demonstrates how to set up an OAuth 2.0 Authorization Server, secure microservices as resource servers, and enforce scope-based access control. By leveraging token-based authentication, you can centralize security management, improve scalability, and achieve fine-grained access control in a microservices architecture.</p> springboot security oauth