DEV Community: ReLive27 The latest articles on DEV Community by ReLive27 (@relive27). https://dev.to/relive27 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F854274%2F920d1269-78cf-4d1c-bf2b-41b4d8890815.png DEV Community: ReLive27 https://dev.to/relive27 en Spring Cloud Gateway Combined with the Security Practice of OAuth2.0 Protocol ReLive27 Sun, 26 Mar 2023 14:41:41 +0000 https://dev.to/relive27/spring-cloud-gateway-combined-with-the-security-practice-of-oauth20-protocol-1m3b https://dev.to/relive27/spring-cloud-gateway-combined-with-the-security-practice-of-oauth20-protocol-1m3b <h2> Overview </h2> <p>Spring Cloud Gateway is an API Gateway built on top of the Spring ecosystem. It is built on top of <a href="https://spring.io/projects/spring-boot#learn" rel="noopener noreferrer">Spring Boot</a>, <a href="https://docs.spring.io/spring/docs/current/spring-framework-reference/web-reactive.html" rel="noopener noreferrer">Spring WebFlux</a>, and <a href="https://projectreactor.io/docs" rel="noopener noreferrer">Project Reactor</a>.</p> <p>In this section, you will use Spring Cloud Gateway to route requests to a Servlet API service.</p> <p><strong>What you will learn in this article:</strong></p> <ul> <li>OpenID Connect authentication - used for user authentication.</li> <li>Token relay - Spring Cloud Gateway API gateway acts as a client and forwards tokens to resource requests.</li> </ul> <p><strong>Prerequisites:</strong></p> <ul> <li>Java 8+</li> <li>MySQL</li> <li>Redis</li> </ul> <h2> OpenID Connect authentication </h2> <p>OpenID Connect defines a user authentication mechanism based on the OAuth2 authorization code flow. The following diagram shows the complete process of authentication between Spring Cloud Gateway and the authorization service. For clarity, some parameters have been omitted.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5dfj4olyhgva1ox3hzpz.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5dfj4olyhgva1ox3hzpz.png" alt="Image description"></a></p> <h2> Build authorization service </h2> <p>In this section, we will use <a href="https://spring.io/projects/spring-authorization-server#overview" rel="noopener noreferrer">Spring Authorization Server</a> to build an authorization service that supports the OAuth2 and OpenID Connect protocols. At the same time, we will use the RBAC0 basic permission model to control access rights. This authorization service also supports Github third-party login as an OAuth2 client.</p> <h3> Relevant database table structure </h3> <p>We have created a basic RBAC0 permission model for this article and provided the table structures required for persistence storage of OAuth2 authorization services and OAuth2 clients. The <em>oauth2_client_role</em> table defines the external system role and the mapping relationship with the local platform role. The SQL statements related to the creation of related tables and initialization data can be obtained <a href="https://github.com/ReLive27/spring-security-oauth2-sample/tree/main/gateway-oauth2-login/auth-server/src/main/resources/db/migration" rel="noopener noreferrer">here</a>.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuolempnwyvhgf8aanmty.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuolempnwyvhgf8aanmty.png" alt="Image description"></a></p> <h3> Role description </h3> <p>By default, the authorization service in this section provides two roles, with the following role attributes and access permissions:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th></th> <th>read</th> <th>write</th> </tr> </thead> <tbody> <tr> <td>ROLE_ADMIN</td> <td>✅</td> <td>✅</td> </tr> <tr> <td>ROLE_OPERATION</td> <td>✅</td> <td>❎</td> </tr> </tbody> </table></div> <h3> Maven dependencies </h3> <div class="highlight js-code-highlight"> <pre class="highlight xml"><code><span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.springframework.boot<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-boot-starter-security<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>2.6.7<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;/dependency&gt;</span> <span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.springframework.security<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-security-oauth2-authorization-server<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>0.3.1<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;/dependency&gt;</span> <span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.springframework.boot<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-boot-starter-oauth2-client<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>2.6.7<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;/dependency&gt;</span> <span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.springframework.boot<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-boot-starter-web<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>2.6.7<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;/dependency&gt;</span> <span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.springframework.boot<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-boot-starter-jdbc<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>2.6.7<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;/dependency&gt;</span> <span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.springframework.boot<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-boot-starter-data-jpa<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>2.6.7<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;/dependency&gt;</span> <span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>mysql<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>mysql-connector-java<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>8.0.21<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;/dependency&gt;</span> <span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>com.alibaba<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>druid-spring-boot-starter<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>1.2.3<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;/dependency&gt;</span> </code></pre> </div> <h3> Configuration </h3> <p>First, let's start with the <code>application.yml</code> configuration, where we specify the port number and MySQL connection configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">server</span><span class="pi">:</span> <span class="na">port</span><span class="pi">:</span> <span class="m">8080</span> <span class="na">spring</span><span class="pi">:</span> <span class="na">datasource</span><span class="pi">:</span> <span class="na">druid</span><span class="pi">:</span> <span class="na">db-type</span><span class="pi">:</span> <span class="s">mysql</span> <span class="na">driver-class-name</span><span class="pi">:</span> <span class="s">com.mysql.cj.jdbc.Driver</span> <span class="na">url</span><span class="pi">:</span> <span class="s">jdbc:mysql://localhost:3306/oauth2server?createDatabaseIfNotExist=true&amp;useUnicode=true&amp;characterEncoding=UTF-8&amp;useSSL=false&amp;serverTimezone=Asia/Shanghai&amp;allowPublicKeyRetrieval=true</span> <span class="na">username</span><span class="pi">:</span> <span class="s">&lt;&lt;username&gt;&gt;</span> <span class="c1"># Modify username</span> <span class="na">password</span><span class="pi">:</span> <span class="s">&lt;&lt;password&gt;&gt;</span> <span class="c1"># Modify password</span> </code></pre> </div> <p>Next, we will create <code>AuthorizationServerConfig</code> to configure the required beans for OAuth2 and OIDC. First, we will add OAuth2 client information and persist it to the database:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">RegisteredClientRepository</span> <span class="nf">registeredClientRepository</span><span class="o">(</span><span class="nc">JdbcTemplate</span> <span class="n">jdbcTemplate</span><span class="o">)</span> <span class="o">{</span> <span class="nc">RegisteredClient</span> <span class="n">registeredClient</span> <span class="o">=</span> <span class="nc">RegisteredClient</span><span class="o">.</span><span class="na">withId</span><span class="o">(</span><span class="s">"relive-messaging-oidc"</span><span class="o">)</span> <span class="o">.</span><span class="na">clientId</span><span class="o">(</span><span class="s">"relive-client"</span><span class="o">)</span> <span class="o">.</span><span class="na">clientSecret</span><span class="o">(</span><span class="s">"{noop}relive-client"</span><span class="o">)</span> <span class="o">.</span><span class="na">clientAuthenticationMethods</span><span class="o">(</span><span class="n">s</span> <span class="o">-&gt;</span> <span class="o">{</span> <span class="n">s</span><span class="o">.</span><span class="na">add</span><span class="o">(</span><span class="nc">ClientAuthenticationMethod</span><span class="o">.</span><span class="na">CLIENT_SECRET_POST</span><span class="o">);</span> <span class="n">s</span><span class="o">.</span><span class="na">add</span><span class="o">(</span><span class="nc">ClientAuthenticationMethod</span><span class="o">.</span><span class="na">CLIENT_SECRET_BASIC</span><span class="o">);</span> <span class="o">})</span> <span class="o">.</span><span class="na">authorizationGrantType</span><span class="o">(</span><span class="nc">AuthorizationGrantType</span><span class="o">.</span><span class="na">AUTHORIZATION_CODE</span><span class="o">)</span> <span class="o">.</span><span class="na">authorizationGrantType</span><span class="o">(</span><span class="nc">AuthorizationGrantType</span><span class="o">.</span><span class="na">REFRESH_TOKEN</span><span class="o">)</span> <span class="o">.</span><span class="na">redirectUri</span><span class="o">(</span><span class="s">"http://127.0.0.1:8070/login/oauth2/code/messaging-gateway-oidc"</span><span class="o">)</span> <span class="o">.</span><span class="na">scope</span><span class="o">(</span><span class="nc">OidcScopes</span><span class="o">.</span><span class="na">OPENID</span><span class="o">)</span> <span class="o">.</span><span class="na">scope</span><span class="o">(</span><span class="nc">OidcScopes</span><span class="o">.</span><span class="na">PROFILE</span><span class="o">)</span> <span class="o">.</span><span class="na">scope</span><span class="o">(</span><span class="nc">OidcScopes</span><span class="o">.</span><span class="na">EMAIL</span><span class="o">)</span> <span class="o">.</span><span class="na">scope</span><span class="o">(</span><span class="s">"read"</span><span class="o">)</span> <span class="o">.</span><span class="na">clientSettings</span><span class="o">(</span><span class="nc">ClientSettings</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">requireAuthorizationConsent</span><span class="o">(</span><span class="kc">false</span><span class="o">)</span> <span class="o">.</span><span class="na">requireProofKey</span><span class="o">(</span><span class="kc">false</span><span class="o">)</span> <span class="o">.</span><span class="na">build</span><span class="o">())</span> <span class="o">.</span><span class="na">tokenSettings</span><span class="o">(</span><span class="nc">TokenSettings</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">accessTokenFormat</span><span class="o">(</span><span class="nc">OAuth2TokenFormat</span><span class="o">.</span><span class="na">SELF_CONTAINED</span><span class="o">)</span> <span class="o">.</span><span class="na">idTokenSignatureAlgorithm</span><span class="o">(</span><span class="nc">SignatureAlgorithm</span><span class="o">.</span><span class="na">RS256</span><span class="o">)</span> <span class="o">.</span><span class="na">accessTokenTimeToLive</span><span class="o">(</span><span class="nc">Duration</span><span class="o">.</span><span class="na">ofSeconds</span><span class="o">(</span><span class="mi">30</span> <span class="o">*</span> <span class="mi">60</span><span class="o">))</span> <span class="o">.</span><span class="na">refreshTokenTimeToLive</span><span class="o">(</span><span class="nc">Duration</span><span class="o">.</span><span class="na">ofSeconds</span><span class="o">(</span><span class="mi">60</span> <span class="o">*</span> <span class="mi">60</span><span class="o">))</span> <span class="o">.</span><span class="na">reuseRefreshTokens</span><span class="o">(</span><span class="kc">true</span><span class="o">)</span> <span class="o">.</span><span class="na">build</span><span class="o">())</span> <span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="nc">JdbcRegisteredClientRepository</span> <span class="n">registeredClientRepository</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">JdbcRegisteredClientRepository</span><span class="o">(</span><span class="n">jdbcTemplate</span><span class="o">);</span> <span class="n">registeredClientRepository</span><span class="o">.</span><span class="na">save</span><span class="o">(</span><span class="n">registeredClient</span><span class="o">);</span> <span class="k">return</span> <span class="n">registeredClientRepository</span><span class="o">;</span> <span class="o">}</span> </code></pre> </div> <p>Second, we will create the persistence container class required during the authorization process:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">OAuth2AuthorizationService</span> <span class="nf">authorizationService</span><span class="o">(</span><span class="nc">JdbcTemplate</span> <span class="n">jdbcTemplate</span><span class="o">,</span> <span class="nc">RegisteredClientRepository</span> <span class="n">registeredClientRepository</span><span class="o">)</span> <span class="o">{</span> <span class="k">return</span> <span class="k">new</span> <span class="nf">JdbcOAuth2AuthorizationService</span><span class="o">(</span><span class="n">jdbcTemplate</span><span class="o">,</span> <span class="n">registeredClientRepository</span><span class="o">);</span> <span class="o">}</span> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">OAuth2AuthorizationConsentService</span> <span class="nf">authorizationConsentService</span><span class="o">(</span><span class="nc">JdbcTemplate</span> <span class="n">jdbcTemplate</span><span class="o">,</span> <span class="nc">RegisteredClientRepository</span> <span class="n">registeredClientRepository</span><span class="o">)</span> <span class="o">{</span> <span class="k">return</span> <span class="k">new</span> <span class="nf">JdbcOAuth2AuthorizationConsentService</span><span class="o">(</span><span class="n">jdbcTemplate</span><span class="o">,</span> <span class="n">registeredClientRepository</span><span class="o">);</span> <span class="o">}</span> </code></pre> </div> <p>The authorization server needs a signing key for its tokens, so let's generate a 2048-byte RSA key:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">JWKSource</span><span class="o">&lt;</span><span class="nc">SecurityContext</span><span class="o">&gt;</span> <span class="nf">jwkSource</span><span class="o">()</span> <span class="o">{</span> <span class="nc">RSAKey</span> <span class="n">rsaKey</span> <span class="o">=</span> <span class="nc">Jwks</span><span class="o">.</span><span class="na">generateRsa</span><span class="o">();</span> <span class="nc">JWKSet</span> <span class="n">jwkSet</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">JWKSet</span><span class="o">(</span><span class="n">rsaKey</span><span class="o">);</span> <span class="k">return</span> <span class="o">(</span><span class="n">jwkSelector</span><span class="o">,</span> <span class="n">securityContext</span><span class="o">)</span> <span class="o">-&gt;</span> <span class="n">jwkSelector</span><span class="o">.</span><span class="na">select</span><span class="o">(</span><span class="n">jwkSet</span><span class="o">);</span> <span class="o">}</span> <span class="kd">static</span> <span class="kd">class</span> <span class="nc">Jwks</span> <span class="o">{</span> <span class="kd">private</span> <span class="nf">Jwks</span><span class="o">()</span> <span class="o">{</span> <span class="o">}</span> <span class="kd">public</span> <span class="kd">static</span> <span class="nc">RSAKey</span> <span class="nf">generateRsa</span><span class="o">()</span> <span class="o">{</span> <span class="nc">KeyPair</span> <span class="n">keyPair</span> <span class="o">=</span> <span class="nc">KeyGeneratorUtils</span><span class="o">.</span><span class="na">generateRsaKey</span><span class="o">();</span> <span class="nc">RSAPublicKey</span> <span class="n">publicKey</span> <span class="o">=</span> <span class="o">(</span><span class="nc">RSAPublicKey</span><span class="o">)</span> <span class="n">keyPair</span><span class="o">.</span><span class="na">getPublic</span><span class="o">();</span> <span class="nc">RSAPrivateKey</span> <span class="n">privateKey</span> <span class="o">=</span> <span class="o">(</span><span class="nc">RSAPrivateKey</span><span class="o">)</span> <span class="n">keyPair</span><span class="o">.</span><span class="na">getPrivate</span><span class="o">();</span> <span class="k">return</span> <span class="k">new</span> <span class="nc">RSAKey</span><span class="o">.</span><span class="na">Builder</span><span class="o">(</span><span class="n">publicKey</span><span class="o">)</span> <span class="o">.</span><span class="na">privateKey</span><span class="o">(</span><span class="n">privateKey</span><span class="o">)</span> <span class="o">.</span><span class="na">keyID</span><span class="o">(</span><span class="no">UUID</span><span class="o">.</span><span class="na">randomUUID</span><span class="o">().</span><span class="na">toString</span><span class="o">())</span> <span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> <span class="o">}</span> <span class="kd">static</span> <span class="kd">class</span> <span class="nc">KeyGeneratorUtils</span> <span class="o">{</span> <span class="kd">private</span> <span class="nf">KeyGeneratorUtils</span><span class="o">()</span> <span class="o">{</span> <span class="o">}</span> <span class="kd">static</span> <span class="nc">KeyPair</span> <span class="nf">generateRsaKey</span><span class="o">()</span> <span class="o">{</span> <span class="nc">KeyPair</span> <span class="n">keyPair</span><span class="o">;</span> <span class="k">try</span> <span class="o">{</span> <span class="nc">KeyPairGenerator</span> <span class="n">keyPairGenerator</span> <span class="o">=</span> <span class="nc">KeyPairGenerator</span><span class="o">.</span><span class="na">getInstance</span><span class="o">(</span><span class="s">"RSA"</span><span class="o">);</span> <span class="n">keyPairGenerator</span><span class="o">.</span><span class="na">initialize</span><span class="o">(</span><span class="mi">2048</span><span class="o">);</span> <span class="n">keyPair</span> <span class="o">=</span> <span class="n">keyPairGenerator</span><span class="o">.</span><span class="na">generateKeyPair</span><span class="o">();</span> <span class="o">}</span> <span class="k">catch</span> <span class="o">(</span><span class="nc">Exception</span> <span class="n">ex</span><span class="o">)</span> <span class="o">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nf">IllegalStateException</span><span class="o">(</span><span class="n">ex</span><span class="o">);</span> <span class="o">}</span> <span class="k">return</span> <span class="n">keyPair</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>Next, we will create the <code>SecurityFilterChain</code> used for OAuth2 authorization. <code>SecurityFilterChain</code> is a filter chain provided by Spring Security.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code> <span class="nd">@Bean</span> <span class="nd">@Order</span><span class="o">(</span><span class="nc">Ordered</span><span class="o">.</span><span class="na">HIGHEST_PRECEDENCE</span><span class="o">)</span> <span class="kd">public</span> <span class="nc">SecurityFilterChain</span> <span class="nf">authorizationServerSecurityFilterChain</span><span class="o">(</span><span class="nc">HttpSecurity</span> <span class="n">http</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="nc">OAuth2AuthorizationServerConfigurer</span><span class="o">&lt;</span><span class="nc">HttpSecurity</span><span class="o">&gt;</span> <span class="n">authorizationServerConfigurer</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">OAuth2AuthorizationServerConfigurer</span><span class="o">&lt;&gt;();</span> <span class="c1">//配置OIDC</span> <span class="n">authorizationServerConfigurer</span><span class="o">.</span><span class="na">oidc</span><span class="o">(</span><span class="nc">Customizer</span><span class="o">.</span><span class="na">withDefaults</span><span class="o">());</span> <span class="nc">RequestMatcher</span> <span class="n">endpointsMatcher</span> <span class="o">=</span> <span class="n">authorizationServerConfigurer</span><span class="o">.</span><span class="na">getEndpointsMatcher</span><span class="o">();</span> <span class="k">return</span> <span class="n">http</span><span class="o">.</span><span class="na">requestMatcher</span><span class="o">(</span><span class="n">endpointsMatcher</span><span class="o">)</span> <span class="o">.</span><span class="na">authorizeRequests</span><span class="o">((</span><span class="n">authorizeRequests</span><span class="o">)</span> <span class="o">-&gt;</span> <span class="o">{</span> <span class="o">((</span><span class="nc">ExpressionUrlAuthorizationConfigurer</span><span class="o">.</span><span class="na">AuthorizedUrl</span><span class="o">)</span> <span class="n">authorizeRequests</span><span class="o">.</span><span class="na">anyRequest</span><span class="o">()).</span><span class="na">authenticated</span><span class="o">();</span> <span class="o">}).</span><span class="na">csrf</span><span class="o">((</span><span class="n">csrf</span><span class="o">)</span> <span class="o">-&gt;</span> <span class="o">{</span> <span class="n">csrf</span><span class="o">.</span><span class="na">ignoringRequestMatchers</span><span class="o">(</span><span class="k">new</span> <span class="nc">RequestMatcher</span><span class="o">[]{</span><span class="n">endpointsMatcher</span><span class="o">});</span> <span class="o">}).</span><span class="na">apply</span><span class="o">(</span><span class="n">authorizationServerConfigurer</span><span class="o">)</span> <span class="o">.</span><span class="na">and</span><span class="o">()</span> <span class="o">.</span><span class="na">oauth2ResourceServer</span><span class="o">(</span><span class="nl">OAuth2ResourceServerConfigurer:</span><span class="o">:</span><span class="n">jwt</span><span class="o">)</span> <span class="o">.</span><span class="na">exceptionHandling</span><span class="o">(</span><span class="n">exceptions</span> <span class="o">-&gt;</span> <span class="n">exceptions</span><span class="o">.</span> <span class="nf">authenticationEntryPoint</span><span class="o">(</span><span class="k">new</span> <span class="nc">LoginUrlAuthenticationEntryPoint</span><span class="o">(</span><span class="s">"/login"</span><span class="o">)))</span> <span class="o">.</span><span class="na">apply</span><span class="o">(</span><span class="n">authorizationServerConfigurer</span><span class="o">)</span> <span class="o">.</span><span class="na">and</span><span class="o">()</span> <span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> </code></pre> </div> <p>Above, we configured the default configuration for OAuth2 and OpenID Connect, and redirected authentication requests to the login page. At the same time, we also enable the OAuth2 resource service configuration provided by Spring Security. This configuration is used to protect the OpenID Connect <em>/userinfo</em> user information endpoint.</p> <p>When enabling the Spring Security OAuth2 resource service configuration, we specify JWT verification, so we need to specify the <code>jwk-set-uri</code> in <code>application.yml</code> or add <code>JwtDecoder</code> declaratively. Here, we use declarative configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">JwtDecoder</span> <span class="nf">jwtDecoder</span><span class="o">(</span><span class="nc">JWKSource</span><span class="o">&lt;</span><span class="nc">SecurityContext</span><span class="o">&gt;</span> <span class="n">jwkSource</span><span class="o">)</span> <span class="o">{</span> <span class="k">return</span> <span class="nc">OAuth2AuthorizationServerConfiguration</span><span class="o">.</span><span class="na">jwtDecoder</span><span class="o">(</span><span class="n">jwkSource</span><span class="o">);</span> <span class="o">}</span> </code></pre> </div> <p>Next, we will customize the access token. In this example, we use the RBAC0 permission model, so we add the <code>authorities</code> for the permission code of the current user's role to the <code>access_token</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@Configuration</span><span class="o">(</span><span class="n">proxyBeanMethods</span> <span class="o">=</span> <span class="kc">false</span><span class="o">)</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">AccessTokenCustomizerConfig</span> <span class="o">{</span> <span class="nd">@Autowired</span> <span class="nc">RoleRepository</span> <span class="n">roleRepository</span><span class="o">;</span> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">OAuth2TokenCustomizer</span><span class="o">&lt;</span><span class="nc">JwtEncodingContext</span><span class="o">&gt;</span> <span class="nf">tokenCustomizer</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="o">(</span><span class="n">context</span><span class="o">)</span> <span class="o">-&gt;</span> <span class="o">{</span> <span class="k">if</span> <span class="o">(</span><span class="nc">OAuth2TokenType</span><span class="o">.</span><span class="na">ACCESS_TOKEN</span><span class="o">.</span><span class="na">equals</span><span class="o">(</span><span class="n">context</span><span class="o">.</span><span class="na">getTokenType</span><span class="o">()))</span> <span class="o">{</span> <span class="n">context</span><span class="o">.</span><span class="na">getClaims</span><span class="o">().</span><span class="na">claims</span><span class="o">(</span><span class="n">claim</span> <span class="o">-&gt;</span> <span class="o">{</span> <span class="n">claim</span><span class="o">.</span><span class="na">put</span><span class="o">(</span><span class="s">"authorities"</span><span class="o">,</span> <span class="n">roleRepository</span><span class="o">.</span><span class="na">findByRoleCode</span><span class="o">(</span><span class="n">context</span><span class="o">.</span><span class="na">getPrincipal</span><span class="o">().</span><span class="na">getAuthorities</span><span class="o">().</span><span class="na">stream</span><span class="o">()</span> <span class="o">.</span><span class="na">map</span><span class="o">(</span><span class="nl">GrantedAuthority:</span><span class="o">:</span><span class="n">getAuthority</span><span class="o">).</span><span class="na">findFirst</span><span class="o">().</span><span class="na">orElse</span><span class="o">(</span><span class="s">"ROLE_OPERATION"</span><span class="o">))</span> <span class="o">.</span><span class="na">getPermissions</span><span class="o">().</span><span class="na">stream</span><span class="o">().</span><span class="na">map</span><span class="o">(</span><span class="nl">Permission:</span><span class="o">:</span><span class="n">getPermissionCode</span><span class="o">).</span><span class="na">collect</span><span class="o">(</span><span class="nc">Collectors</span><span class="o">.</span><span class="na">toSet</span><span class="o">()));</span> <span class="o">});</span> <span class="o">}</span> <span class="o">};</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <blockquote> <p>RoleRepository is the persistence layer object of the role table. In this example, we use the JPA framework and the relevant code will not be shown in this article. If you are not familiar with JPA, you can use Mybatis instead.</p> </blockquote> <p>Below we will configure the authorization service Form authentication method.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code> <span class="nd">@Bean</span> <span class="nc">SecurityFilterChain</span> <span class="nf">defaultSecurityFilterChain</span><span class="o">(</span><span class="nc">HttpSecurity</span> <span class="n">http</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="n">http</span> <span class="o">.</span><span class="na">authorizeRequests</span><span class="o">(</span><span class="n">authorizeRequests</span> <span class="o">-&gt;</span> <span class="n">authorizeRequests</span><span class="o">.</span><span class="na">anyRequest</span><span class="o">().</span><span class="na">authenticated</span><span class="o">()</span> <span class="o">)</span> <span class="o">.</span><span class="na">formLogin</span><span class="o">(</span><span class="n">withDefaults</span><span class="o">())</span> <span class="o">...</span> <span class="k">return</span> <span class="n">http</span><span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> </code></pre> </div> <p>Next, we will create a <code>JdbcUserDetailsService</code> that implements <code>UserDetailsService</code>, which is used to look up the password and permission information of the logged-in user during the authentication process. If you are interested in why <code>UserDetailsService</code> needs to be implemented, you can check the source code of <code>UsernamePasswordAuthenticationFilter</code> -&gt; <code>ProviderManager</code> -&gt; <code>DaoAuthenticationProvider</code>. In <code>DaoAuthenticationProvider</code>, the user information is obtained by calling UserDetailsService#loadUserByUsername(String username).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@RequiredArgsConstructor</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">JdbcUserDetailsService</span> <span class="kd">implements</span> <span class="nc">UserDetailsService</span> <span class="o">{</span> <span class="kd">private</span> <span class="kd">final</span> <span class="nc">UserRepository</span> <span class="n">userRepository</span><span class="o">;</span> <span class="nd">@Override</span> <span class="kd">public</span> <span class="nc">UserDetails</span> <span class="nf">loadUserByUsername</span><span class="o">(</span><span class="nc">String</span> <span class="n">username</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">UsernameNotFoundException</span> <span class="o">{</span> <span class="n">com</span><span class="o">.</span><span class="na">relive</span><span class="o">.</span><span class="na">entity</span><span class="o">.</span><span class="na">User</span> <span class="n">user</span> <span class="o">=</span> <span class="n">userRepository</span><span class="o">.</span><span class="na">findUserByUsername</span><span class="o">(</span><span class="n">username</span><span class="o">);</span> <span class="k">if</span> <span class="o">(</span><span class="nc">ObjectUtils</span><span class="o">.</span><span class="na">isEmpty</span><span class="o">(</span><span class="n">user</span><span class="o">))</span> <span class="o">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nf">UsernameNotFoundException</span><span class="o">(</span><span class="s">"user is not found"</span><span class="o">);</span> <span class="o">}</span> <span class="k">if</span> <span class="o">(</span><span class="nc">CollectionUtils</span><span class="o">.</span><span class="na">isEmpty</span><span class="o">(</span><span class="n">user</span><span class="o">.</span><span class="na">getRoleList</span><span class="o">()))</span> <span class="o">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nf">UsernameNotFoundException</span><span class="o">(</span><span class="s">"role is not found"</span><span class="o">);</span> <span class="o">}</span> <span class="nc">Set</span><span class="o">&lt;</span><span class="nc">SimpleGrantedAuthority</span><span class="o">&gt;</span> <span class="n">authorities</span> <span class="o">=</span> <span class="n">user</span><span class="o">.</span><span class="na">getRoleList</span><span class="o">().</span><span class="na">stream</span><span class="o">().</span><span class="na">map</span><span class="o">(</span><span class="nl">Role:</span><span class="o">:</span><span class="n">getRoleCode</span><span class="o">)</span> <span class="o">.</span><span class="na">map</span><span class="o">(</span><span class="nl">SimpleGrantedAuthority:</span><span class="o">:</span><span class="k">new</span><span class="o">).</span><span class="na">collect</span><span class="o">(</span><span class="nc">Collectors</span><span class="o">.</span><span class="na">toSet</span><span class="o">());</span> <span class="k">return</span> <span class="k">new</span> <span class="nf">User</span><span class="o">(</span><span class="n">user</span><span class="o">.</span><span class="na">getUsername</span><span class="o">(),</span> <span class="n">user</span><span class="o">.</span><span class="na">getPassword</span><span class="o">(),</span> <span class="n">authorities</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>And we will inject it into Spring:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code> <span class="nd">@Bean</span> <span class="nc">UserDetailsService</span> <span class="nf">userDetailsService</span><span class="o">(</span><span class="nc">UserRepository</span> <span class="n">userRepository</span><span class="o">)</span> <span class="o">{</span> <span class="k">return</span> <span class="k">new</span> <span class="nf">JdbcUserDetailsService</span><span class="o">(</span><span class="n">userRepository</span><span class="o">);</span> <span class="o">}</span> </code></pre> </div> <p>When attempting to access an unauthenticated interface, the user will be directed to the login page and prompted to enter their username and password, as shown below:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fc7wf34mfuabnw551ls1a.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fc7wf34mfuabnw551ls1a.png" alt="Image description"></a></p> <p>Users usually need to use multiple platforms provided and hosted by different organizations. These users may need to use specific (and different) credentials for each platform. When users have many different credentials, they often forget their login credentials.</p> <p><strong>Federated authentication</strong> is used to authenticate users using external systems. This can be used with Google, Github or any other identity provider. Here, I will use Github for user authentication and data synchronization management.</p> <h3> Github Identity Authentication </h3> <p>First, we will configure the Github client information, and you only need to change the <strong>clientId</strong> and <strong>clientSecret</strong>. Secondly, we will use the <code>JdbcClientRegistrationRepository</code> persistence layer container class introduced in <a href="https://dev.to/relive27/spring-security-persistent-oauth2-client-1gcc">Spring Security Persistence OAuth2 Client</a> to store the GitHub client information in the database.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code> <span class="nd">@Bean</span> <span class="nc">ClientRegistrationRepository</span> <span class="nf">clientRegistrationRepository</span><span class="o">(</span><span class="nc">JdbcTemplate</span> <span class="n">jdbcTemplate</span><span class="o">)</span> <span class="o">{</span> <span class="nc">JdbcClientRegistrationRepository</span> <span class="n">jdbcClientRegistrationRepository</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">JdbcClientRegistrationRepository</span><span class="o">(</span><span class="n">jdbcTemplate</span><span class="o">);</span> <span class="nc">ClientRegistration</span> <span class="n">clientRegistration</span> <span class="o">=</span> <span class="nc">ClientRegistration</span><span class="o">.</span><span class="na">withRegistrationId</span><span class="o">(</span><span class="s">"github"</span><span class="o">)</span> <span class="o">.</span><span class="na">clientId</span><span class="o">(</span><span class="s">"123456"</span><span class="o">)</span> <span class="o">.</span><span class="na">clientSecret</span><span class="o">(</span><span class="s">"123456"</span><span class="o">)</span> <span class="o">.</span><span class="na">clientAuthenticationMethod</span><span class="o">(</span><span class="nc">ClientAuthenticationMethod</span><span class="o">.</span><span class="na">CLIENT_SECRET_BASIC</span><span class="o">)</span> <span class="o">.</span><span class="na">authorizationGrantType</span><span class="o">(</span><span class="nc">AuthorizationGrantType</span><span class="o">.</span><span class="na">AUTHORIZATION_CODE</span><span class="o">)</span> <span class="o">.</span><span class="na">redirectUri</span><span class="o">(</span><span class="s">"{baseUrl}/{action}/oauth2/code/{registrationId}"</span><span class="o">)</span> <span class="o">.</span><span class="na">scope</span><span class="o">(</span><span class="k">new</span> <span class="nc">String</span><span class="o">[]{</span><span class="s">"read:user"</span><span class="o">})</span> <span class="o">.</span><span class="na">authorizationUri</span><span class="o">(</span><span class="s">"https://github.com/login/oauth/authorize"</span><span class="o">)</span> <span class="o">.</span><span class="na">tokenUri</span><span class="o">(</span><span class="s">"https://github.com/login/oauth/access_token"</span><span class="o">)</span> <span class="o">.</span><span class="na">userInfoUri</span><span class="o">(</span><span class="s">"https://api.github.com/user"</span><span class="o">)</span> <span class="o">.</span><span class="na">userNameAttributeName</span><span class="o">(</span><span class="s">"login"</span><span class="o">)</span> <span class="o">.</span><span class="na">clientName</span><span class="o">(</span><span class="s">"GitHub"</span><span class="o">).</span><span class="na">build</span><span class="o">();</span> <span class="n">jdbcClientRegistrationRepository</span><span class="o">.</span><span class="na">save</span><span class="o">(</span><span class="n">clientRegistration</span><span class="o">);</span> <span class="k">return</span> <span class="n">jdbcClientRegistrationRepository</span><span class="o">;</span> <span class="o">}</span> </code></pre> </div> <p>Next, we will instantiate <code>OAuth2AuthorizedClientService</code> and <code>OAuth2AuthorizedClientRepository</code>:</p> <ul> <li> <strong>OAuth2AuthorizedClientService</strong>: responsible for persisting OAuth2AuthorizedClient between web requests.</li> <li> <strong>OAuth2AuthorizedClientRepository</strong>: used to save and persist authorization clients between requests. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight java"><code> <span class="nd">@Bean</span> <span class="nc">OAuth2AuthorizedClientService</span> <span class="nf">authorizedClientService</span><span class="o">(</span> <span class="nc">JdbcTemplate</span> <span class="n">jdbcTemplate</span><span class="o">,</span> <span class="nc">ClientRegistrationRepository</span> <span class="n">clientRegistrationRepository</span><span class="o">)</span> <span class="o">{</span> <span class="k">return</span> <span class="k">new</span> <span class="nf">JdbcOAuth2AuthorizedClientService</span><span class="o">(</span><span class="n">jdbcTemplate</span><span class="o">,</span> <span class="n">clientRegistrationRepository</span><span class="o">);</span> <span class="o">}</span> <span class="nd">@Bean</span> <span class="nc">OAuth2AuthorizedClientRepository</span> <span class="nf">authorizedClientRepository</span><span class="o">(</span> <span class="nc">OAuth2AuthorizedClientService</span> <span class="n">authorizedClientService</span><span class="o">)</span> <span class="o">{</span> <span class="k">return</span> <span class="k">new</span> <span class="nf">AuthenticatedPrincipalOAuth2AuthorizedClientRepository</span><span class="o">(</span><span class="n">authorizedClientService</span><span class="o">);</span> <span class="o">}</span> </code></pre> </div> <p>For each user logging in with Github, we need to assign platform roles to control which resources they can access. Here, we will create the AuthorityMappingOAuth2UserService class to grant user roles:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@RequiredArgsConstructor</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">AuthorityMappingOAuth2UserService</span> <span class="kd">implements</span> <span class="nc">OAuth2UserService</span><span class="o">&lt;</span><span class="nc">OAuth2UserRequest</span><span class="o">,</span> <span class="nc">OAuth2User</span><span class="o">&gt;</span> <span class="o">{</span> <span class="kd">private</span> <span class="nc">DefaultOAuth2UserService</span> <span class="n">delegate</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">DefaultOAuth2UserService</span><span class="o">();</span> <span class="kd">private</span> <span class="kd">final</span> <span class="nc">OAuth2ClientRoleRepository</span> <span class="n">oAuth2ClientRoleRepository</span><span class="o">;</span> <span class="nd">@Override</span> <span class="kd">public</span> <span class="nc">OAuth2User</span> <span class="nf">loadUser</span><span class="o">(</span><span class="nc">OAuth2UserRequest</span> <span class="n">userRequest</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">OAuth2AuthenticationException</span> <span class="o">{</span> <span class="nc">DefaultOAuth2User</span> <span class="n">oAuth2User</span> <span class="o">=</span> <span class="o">(</span><span class="nc">DefaultOAuth2User</span><span class="o">)</span> <span class="n">delegate</span><span class="o">.</span><span class="na">loadUser</span><span class="o">(</span><span class="n">userRequest</span><span class="o">);</span> <span class="nc">Map</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">,</span> <span class="nc">Object</span><span class="o">&gt;</span> <span class="n">additionalParameters</span> <span class="o">=</span> <span class="n">userRequest</span><span class="o">.</span><span class="na">getAdditionalParameters</span><span class="o">();</span> <span class="nc">Set</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">&gt;</span> <span class="n">role</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">HashSet</span><span class="o">&lt;&gt;();</span> <span class="k">if</span> <span class="o">(</span><span class="n">additionalParameters</span><span class="o">.</span><span class="na">containsKey</span><span class="o">(</span><span class="s">"authority"</span><span class="o">))</span> <span class="o">{</span> <span class="n">role</span><span class="o">.</span><span class="na">addAll</span><span class="o">((</span><span class="nc">Collection</span><span class="o">&lt;?</span> <span class="kd">extends</span> <span class="nc">String</span><span class="o">&gt;)</span> <span class="n">additionalParameters</span><span class="o">.</span><span class="na">get</span><span class="o">(</span><span class="s">"authority"</span><span class="o">));</span> <span class="o">}</span> <span class="k">if</span> <span class="o">(</span><span class="n">additionalParameters</span><span class="o">.</span><span class="na">containsKey</span><span class="o">(</span><span class="s">"role"</span><span class="o">))</span> <span class="o">{</span> <span class="n">role</span><span class="o">.</span><span class="na">addAll</span><span class="o">((</span><span class="nc">Collection</span><span class="o">&lt;?</span> <span class="kd">extends</span> <span class="nc">String</span><span class="o">&gt;)</span> <span class="n">additionalParameters</span><span class="o">.</span><span class="na">get</span><span class="o">(</span><span class="s">"role"</span><span class="o">));</span> <span class="o">}</span> <span class="nc">Set</span><span class="o">&lt;</span><span class="nc">SimpleGrantedAuthority</span><span class="o">&gt;</span> <span class="n">mappedAuthorities</span> <span class="o">=</span> <span class="n">role</span><span class="o">.</span><span class="na">stream</span><span class="o">()</span> <span class="o">.</span><span class="na">map</span><span class="o">(</span><span class="n">r</span> <span class="o">-&gt;</span> <span class="n">oAuth2ClientRoleRepository</span><span class="o">.</span><span class="na">findByClientRegistrationIdAndRoleCode</span><span class="o">(</span><span class="n">userRequest</span><span class="o">.</span><span class="na">getClientRegistration</span><span class="o">().</span><span class="na">getRegistrationId</span><span class="o">(),</span> <span class="n">r</span><span class="o">))</span> <span class="o">.</span><span class="na">map</span><span class="o">(</span><span class="nl">OAuth2ClientRole:</span><span class="o">:</span><span class="n">getRole</span><span class="o">).</span><span class="na">map</span><span class="o">(</span><span class="nl">Role:</span><span class="o">:</span><span class="n">getRoleCode</span><span class="o">).</span><span class="na">map</span><span class="o">(</span><span class="nl">SimpleGrantedAuthority:</span><span class="o">:</span><span class="k">new</span><span class="o">)</span> <span class="o">.</span><span class="na">collect</span><span class="o">(</span><span class="nc">Collectors</span><span class="o">.</span><span class="na">toSet</span><span class="o">());</span> <span class="c1">//When no client role is specified, the least privilege ROLE_OPERATION is given by default</span> <span class="k">if</span> <span class="o">(</span><span class="nc">CollectionUtils</span><span class="o">.</span><span class="na">isEmpty</span><span class="o">(</span><span class="n">mappedAuthorities</span><span class="o">))</span> <span class="o">{</span> <span class="n">mappedAuthorities</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">HashSet</span><span class="o">&lt;&gt;(</span> <span class="nc">Collections</span><span class="o">.</span><span class="na">singletonList</span><span class="o">(</span><span class="k">new</span> <span class="nc">SimpleGrantedAuthority</span><span class="o">(</span><span class="s">"ROLE_OPERATION"</span><span class="o">)));</span> <span class="o">}</span> <span class="nc">String</span> <span class="n">userNameAttributeName</span> <span class="o">=</span> <span class="n">userRequest</span><span class="o">.</span><span class="na">getClientRegistration</span><span class="o">().</span><span class="na">getProviderDetails</span><span class="o">().</span><span class="na">getUserInfoEndpoint</span><span class="o">().</span><span class="na">getUserNameAttributeName</span><span class="o">();</span> <span class="k">return</span> <span class="k">new</span> <span class="nf">DefaultOAuth2User</span><span class="o">(</span><span class="n">mappedAuthorities</span><span class="o">,</span> <span class="n">oAuth2User</span><span class="o">.</span><span class="na">getAttributes</span><span class="o">(),</span> <span class="n">userNameAttributeName</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>We can see that the permission information is obtained from the authority and role attributes, and the role attributes mapped to this platform are searched through OAuth2ClientRoleRepository.</p> <blockquote> <p>Note: <code>authority</code> and <code>role</code> are custom attributes of the platform, unrelated to the OAuth2 protocol and Open ID Connect protocol. In a production environment, you can negotiate with an external system to agree on an attribute to transmit permission information.</p> <p><code>OAuth2ClientRoleRepository</code> is the persistence layer container class for the <code>oauth2_client_role</code> table, implemented by JPA.</p> </blockquote> <p>For the mapped role information that has not been obtained in advance, we will assign the default <code>ROLE_OPERATION</code> minimum permission role. In this example, users who log in with Github will also be assigned the <code>ROLE_OPERATION</code> role.</p> <p>For users who successfully authenticate with Github and log in for the first time, we will obtain their user information and persist it to the <code>user</code> table. Here, we will implement <code>AuthenticationSuccessHandler</code> and add user persistence logic.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kd">public</span> <span class="kd">final</span> <span class="kd">class</span> <span class="nc">SavedUserAuthenticationSuccessHandler</span> <span class="kd">implements</span> <span class="nc">AuthenticationSuccessHandler</span> <span class="o">{</span> <span class="kd">private</span> <span class="kd">final</span> <span class="nc">AuthenticationSuccessHandler</span> <span class="n">delegate</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">SavedRequestAwareAuthenticationSuccessHandler</span><span class="o">();</span> <span class="kd">private</span> <span class="nc">Consumer</span><span class="o">&lt;</span><span class="nc">OAuth2User</span><span class="o">&gt;</span> <span class="n">oauth2UserHandler</span> <span class="o">=</span> <span class="o">(</span><span class="n">user</span><span class="o">)</span> <span class="o">-&gt;</span> <span class="o">{</span> <span class="o">};</span> <span class="nd">@Override</span> <span class="kd">public</span> <span class="kt">void</span> <span class="nf">onAuthenticationSuccess</span><span class="o">(</span><span class="nc">HttpServletRequest</span> <span class="n">request</span><span class="o">,</span> <span class="nc">HttpServletResponse</span> <span class="n">response</span><span class="o">,</span> <span class="nc">Authentication</span> <span class="n">authentication</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">IOException</span><span class="o">,</span> <span class="nc">ServletException</span> <span class="o">{</span> <span class="k">if</span> <span class="o">(</span><span class="n">authentication</span> <span class="k">instanceof</span> <span class="nc">OAuth2AuthenticationToken</span><span class="o">)</span> <span class="o">{</span> <span class="k">if</span> <span class="o">(</span><span class="n">authentication</span><span class="o">.</span><span class="na">getPrincipal</span><span class="o">()</span> <span class="k">instanceof</span> <span class="nc">OAuth2User</span><span class="o">)</span> <span class="o">{</span> <span class="k">this</span><span class="o">.</span><span class="na">oauth2UserHandler</span><span class="o">.</span><span class="na">accept</span><span class="o">((</span><span class="nc">OAuth2User</span><span class="o">)</span> <span class="n">authentication</span><span class="o">.</span><span class="na">getPrincipal</span><span class="o">());</span> <span class="o">}</span> <span class="o">}</span> <span class="k">this</span><span class="o">.</span><span class="na">delegate</span><span class="o">.</span><span class="na">onAuthenticationSuccess</span><span class="o">(</span><span class="n">request</span><span class="o">,</span> <span class="n">response</span><span class="o">,</span> <span class="n">authentication</span><span class="o">);</span> <span class="o">}</span> <span class="kd">public</span> <span class="kt">void</span> <span class="nf">setOauth2UserHandler</span><span class="o">(</span><span class="nc">Consumer</span><span class="o">&lt;</span><span class="nc">OAuth2User</span><span class="o">&gt;</span> <span class="n">oauth2UserHandler</span><span class="o">)</span> <span class="o">{</span> <span class="k">this</span><span class="o">.</span><span class="na">oauth2UserHandler</span> <span class="o">=</span> <span class="n">oauth2UserHandler</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>We will inject <code>UserRepositoryOAuth2UserHandler</code> into <code>SavedUserAuthenticationSuccessHandler</code> through the <code>setOauth2UserHandler(Consumer&lt;OAuth2User&gt; oauth2UserHandler)</code> method. <code>UserRepositoryOAuth2UserHandler</code> defines specific persistence layer operations:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@Component</span> <span class="nd">@RequiredArgsConstructor</span> <span class="kd">public</span> <span class="kd">final</span> <span class="kd">class</span> <span class="nc">UserRepositoryOAuth2UserHandler</span> <span class="kd">implements</span> <span class="nc">Consumer</span><span class="o">&lt;</span><span class="nc">OAuth2User</span><span class="o">&gt;</span> <span class="o">{</span> <span class="kd">private</span> <span class="kd">final</span> <span class="nc">UserRepository</span> <span class="n">userRepository</span><span class="o">;</span> <span class="kd">private</span> <span class="kd">final</span> <span class="nc">RoleRepository</span> <span class="n">roleRepository</span><span class="o">;</span> <span class="nd">@Override</span> <span class="kd">public</span> <span class="kt">void</span> <span class="nf">accept</span><span class="o">(</span><span class="nc">OAuth2User</span> <span class="n">oAuth2User</span><span class="o">)</span> <span class="o">{</span> <span class="nc">DefaultOAuth2User</span> <span class="n">defaultOAuth2User</span> <span class="o">=</span> <span class="o">(</span><span class="nc">DefaultOAuth2User</span><span class="o">)</span> <span class="n">oAuth2User</span><span class="o">;</span> <span class="k">if</span> <span class="o">(</span><span class="k">this</span><span class="o">.</span><span class="na">userRepository</span><span class="o">.</span><span class="na">findUserByUsername</span><span class="o">(</span><span class="n">oAuth2User</span><span class="o">.</span><span class="na">getName</span><span class="o">())</span> <span class="o">==</span> <span class="kc">null</span><span class="o">)</span> <span class="o">{</span> <span class="nc">User</span> <span class="n">user</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">User</span><span class="o">();</span> <span class="n">user</span><span class="o">.</span><span class="na">setUsername</span><span class="o">(</span><span class="n">defaultOAuth2User</span><span class="o">.</span><span class="na">getName</span><span class="o">());</span> <span class="nc">Role</span> <span class="n">role</span> <span class="o">=</span> <span class="n">roleRepository</span><span class="o">.</span><span class="na">findByRoleCode</span><span class="o">(</span><span class="n">defaultOAuth2User</span><span class="o">.</span><span class="na">getAuthorities</span><span class="o">()</span> <span class="o">.</span><span class="na">stream</span><span class="o">().</span><span class="na">map</span><span class="o">(</span><span class="nl">GrantedAuthority:</span><span class="o">:</span><span class="n">getAuthority</span><span class="o">).</span><span class="na">findFirst</span><span class="o">().</span><span class="na">orElse</span><span class="o">(</span><span class="s">"ROLE_OPERATION"</span><span class="o">));</span> <span class="n">user</span><span class="o">.</span><span class="na">setRoleList</span><span class="o">(</span><span class="nc">Arrays</span><span class="o">.</span><span class="na">asList</span><span class="o">(</span><span class="n">role</span><span class="o">));</span> <span class="n">userRepository</span><span class="o">.</span><span class="na">save</span><span class="o">(</span><span class="n">user</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>We obtain the role information mapped by <code>defaultOAuth2User.getAuthorities()</code> and store it in the database with the user information.</p> <blockquote> <p>UserRepository and RoleRepository are persistence container classes.</p> </blockquote> <p>Finally, we add OAuth2 Login configuration to SecurityFilterChain:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code> <span class="nd">@Autowired</span> <span class="nc">UserRepositoryOAuth2UserHandler</span> <span class="n">userHandler</span><span class="o">;</span> <span class="nd">@Bean</span> <span class="nc">SecurityFilterChain</span> <span class="nf">defaultSecurityFilterChain</span><span class="o">(</span><span class="nc">HttpSecurity</span> <span class="n">http</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="n">http</span> <span class="o">.</span><span class="na">authorizeRequests</span><span class="o">(</span><span class="n">authorizeRequests</span> <span class="o">-&gt;</span> <span class="n">authorizeRequests</span><span class="o">.</span><span class="na">anyRequest</span><span class="o">().</span><span class="na">authenticated</span><span class="o">()</span> <span class="o">)</span> <span class="o">.</span><span class="na">oauth2Login</span><span class="o">(</span><span class="n">oauth2login</span> <span class="o">-&gt;</span> <span class="o">{</span> <span class="nc">SavedUserAuthenticationSuccessHandler</span> <span class="n">successHandler</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">SavedUserAuthenticationSuccessHandler</span><span class="o">();</span> <span class="n">successHandler</span><span class="o">.</span><span class="na">setOauth2UserHandler</span><span class="o">(</span><span class="n">userHandler</span><span class="o">);</span> <span class="n">oauth2login</span><span class="o">.</span><span class="na">successHandler</span><span class="o">(</span><span class="n">successHandler</span><span class="o">);</span> <span class="o">});</span> <span class="o">...</span> <span class="k">return</span> <span class="n">http</span><span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> </code></pre> </div> <h2> Create a Spring Cloud Gateway application </h2> <p>In this section, we will use <a href="https://docs.spring.io/spring-security/reference/reactive/oauth2/login/index.html" rel="noopener noreferrer">Spring Security OAuth2 Login</a> in Spring Cloud Gateway to enable OpenID Connect authentication and relay Access Token to downstream services.</p> <h3> Maven dependencies </h3> <div class="highlight js-code-highlight"> <pre class="highlight xml"><code><span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.springframework.cloud<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-cloud-starter-gateway<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>3.1.2<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;/dependency&gt;</span> <span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.springframework.boot<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-boot-starter-oauth2-client<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>2.6.7<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;/dependency&gt;</span> <span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.springframework.boot<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-boot-starter-data-redis<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>2.6.7<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;/dependency&gt;</span> <span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.springframework.session<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-session-data-redis<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>2.6.3<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;/dependency&gt;</span> <span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>io.netty<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>netty-all<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>4.1.76.Final<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;/dependency&gt;</span> </code></pre> </div> <h3> Configuration </h3> <p>First, we add the following properties to <code>application.yml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">server</span><span class="pi">:</span> <span class="na">port</span><span class="pi">:</span> <span class="m">8070</span> <span class="na">servlet</span><span class="pi">:</span> <span class="na">session</span><span class="pi">:</span> <span class="na">cookie</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">GATEWAY-CLIENT</span> </code></pre> </div> <p>Here, the cookie name is specified as <code>GATEWAY-CLIENT</code> to avoid conflicts with the authorization service <code>JSESSIONID</code>.</p> <p>Route to the resource server through Spring Cloud Gateway:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">spring</span><span class="pi">:</span> <span class="na">cloud</span><span class="pi">:</span> <span class="na">gateway</span><span class="pi">:</span> <span class="na">discovery</span><span class="pi">:</span> <span class="na">locator</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">routes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">id</span><span class="pi">:</span> <span class="s">resource-server</span> <span class="na">uri</span><span class="pi">:</span> <span class="s">http://127.0.0.1:8090</span> <span class="na">predicates</span><span class="pi">:</span> <span class="s">Path=/resource/**</span> <span class="na">filters</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">TokenRelay</span> </code></pre> </div> <p>The TokenRelay filter extracts the access token stored in the user session and adds it as an Authorization header to the outgoing request. This allows downstream services to authenticate requests.</p> <p>We will add OAuth2 client information in <code>application.yml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">spring</span><span class="pi">:</span> <span class="na">security</span><span class="pi">:</span> <span class="na">oauth2</span><span class="pi">:</span> <span class="na">client</span><span class="pi">:</span> <span class="na">registration</span><span class="pi">:</span> <span class="na">messaging-gateway-oidc</span><span class="pi">:</span> <span class="na">provider</span><span class="pi">:</span> <span class="s">gateway-client-provider</span> <span class="na">client-id</span><span class="pi">:</span> <span class="s">relive-client</span> <span class="na">client-secret</span><span class="pi">:</span> <span class="s">relive-client</span> <span class="na">authorization-grant-type</span><span class="pi">:</span> <span class="s">authorization_code</span> <span class="na">redirect-uri</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{baseUrl}/login/oauth2/code/{registrationId}"</span> <span class="na">scope</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">openid</span> <span class="pi">-</span> <span class="s">profile</span> <span class="na">client-name</span><span class="pi">:</span> <span class="s">messaging-gateway-oidc</span> <span class="na">provider</span><span class="pi">:</span> <span class="na">gateway-client-provider</span><span class="pi">:</span> <span class="na">authorization-uri</span><span class="pi">:</span> <span class="s">http://127.0.0.1:8080/oauth2/authorize</span> <span class="na">token-uri</span><span class="pi">:</span> <span class="s">http://127.0.0.1:8080/oauth2/token</span> <span class="na">jwk-set-uri</span><span class="pi">:</span> <span class="s">http://127.0.0.1:8080/oauth2/jwks</span> <span class="na">user-info-uri</span><span class="pi">:</span> <span class="s">http://127.0.0.1:8080/userinfo</span> <span class="na">user-name-attribute</span><span class="pi">:</span> <span class="s">sub</span> </code></pre> </div> <p>OpenID Connect uses a special scope value <code>openid</code> to control access to the UserInfo endpoint, and other information is consistent with the client registration information parameters of the authorization service in the previous section.</p> <p>Spring Security intercepts unauthenticated requests and performs authentication on the authorization server. For simplicity, <a href="https://docs.spring.io/spring-security/site/docs/5.0.x/reference/html/csrf.html" rel="noopener noreferrer">CSRF</a> is disabled.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@Configuration</span><span class="o">(</span><span class="n">proxyBeanMethods</span> <span class="o">=</span> <span class="kc">false</span><span class="o">)</span> <span class="nd">@EnableWebFluxSecurity</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">OAuth2LoginSecurityConfig</span> <span class="o">{</span> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">SecurityWebFilterChain</span> <span class="nf">securityWebFilterChain</span><span class="o">(</span><span class="nc">ServerHttpSecurity</span> <span class="n">http</span><span class="o">)</span> <span class="o">{</span> <span class="n">http</span> <span class="o">.</span><span class="na">authorizeExchange</span><span class="o">(</span><span class="n">authorize</span> <span class="o">-&gt;</span> <span class="n">authorize</span> <span class="o">.</span><span class="na">anyExchange</span><span class="o">().</span><span class="na">authenticated</span><span class="o">()</span> <span class="o">)</span> <span class="o">.</span><span class="na">oauth2Login</span><span class="o">(</span><span class="n">withDefaults</span><span class="o">())</span> <span class="o">.</span><span class="na">cors</span><span class="o">().</span><span class="na">disable</span><span class="o">();</span> <span class="k">return</span> <span class="n">http</span><span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>After completing OpenID Connect authentication in Spring Cloud Gateway, the user information and token are stored in the session, so we add <code>spring-session-data-redis</code> to provide Redis-supported distributed session functionality and add the following configuration in <code>application.yml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">spring</span><span class="pi">:</span> <span class="na">session</span><span class="pi">:</span> <span class="na">store-type</span><span class="pi">:</span> <span class="s">redis</span> <span class="na">redis</span><span class="pi">:</span> <span class="na">flush-mode</span><span class="pi">:</span> <span class="s">on_save</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">gateway:session</span> <span class="na">redis</span><span class="pi">:</span> <span class="na">host</span><span class="pi">:</span> <span class="s">localhost</span> <span class="na">port</span><span class="pi">:</span> <span class="m">6379</span> <span class="na">password</span><span class="pi">:</span> <span class="m">123456</span> </code></pre> </div> <p>Based on the above example, we use Spring Cloud Gateway to drive authentication and know how to authenticate users, obtain tokens (after user consent), but do not authenticate/authorize requests through Gateway (Spring Gateway Cloud is not the audience target of Access Token). The reason behind this approach is that some services are protected while others are public. Even in a single service, sometimes only a few endpoints need to be protected, not every endpoint. That's why I leave the request authentication/authorization to specific services.</p> <p>Of course, from the implementation perspective, it does not prevent us from performing authentication/authorization in Spring Cloud Gateway, it is just a matter of choice.</p> <h2> Resource server </h2> <p>In this section, we use Spring Boot to set up a simple resource server. The example provides two API interfaces for the resource server and protects them through Spring Security OAuth2 resource server configuration.</p> <h3> Maven dependencies </h3> <div class="highlight js-code-highlight"> <pre class="highlight xml"><code><span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.springframework.boot<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-boot-starter-web<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>2.6.7<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;/dependency&gt;</span> <span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.springframework.boot<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-boot-starter-security<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>2.6.7<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;/dependency&gt;</span> <span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.springframework.boot<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-boot-starter-oauth2-resource-server<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>2.6.7<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;/dependency&gt;</span> </code></pre> </div> <h3> Configuration </h3> <p>Add the <code>jwk-set-uri</code> property in <code>application.yml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">spring</span><span class="pi">:</span> <span class="na">security</span><span class="pi">:</span> <span class="na">oauth2</span><span class="pi">:</span> <span class="na">resourceserver</span><span class="pi">:</span> <span class="na">jwt</span><span class="pi">:</span> <span class="na">issuer-uri</span><span class="pi">:</span> <span class="s">http://127.0.0.1:8080</span> <span class="na">jwk-set-uri</span><span class="pi">:</span> <span class="s">http://127.0.0.1:8080/oauth2/jwks</span> <span class="na">server</span><span class="pi">:</span> <span class="na">port</span><span class="pi">:</span> <span class="m">8090</span> </code></pre> </div> <p>Create the <code>ResourceServerConfig</code> class to configure the Spring Security security module, and use the <code>@EnableMethodSecurity</code> annotation to enable annotation-based security.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@Configuration</span><span class="o">(</span><span class="n">proxyBeanMethods</span> <span class="o">=</span> <span class="kc">false</span><span class="o">)</span> <span class="nd">@EnableWebSecurity</span> <span class="nd">@EnableMethodSecurity</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">ResourceServerConfig</span> <span class="o">{</span> <span class="nd">@Bean</span> <span class="nc">SecurityFilterChain</span> <span class="nf">securityFilterChain</span><span class="o">(</span><span class="nc">HttpSecurity</span> <span class="n">http</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="n">http</span><span class="o">.</span><span class="na">authorizeHttpRequests</span><span class="o">((</span><span class="n">authorize</span><span class="o">)</span> <span class="o">-&gt;</span> <span class="n">authorize</span> <span class="o">.</span><span class="na">anyRequest</span><span class="o">().</span><span class="na">authenticated</span><span class="o">()</span> <span class="o">)</span> <span class="o">.</span><span class="na">oauth2ResourceServer</span><span class="o">()</span> <span class="o">.</span><span class="na">jwt</span><span class="o">();</span> <span class="k">return</span> <span class="n">http</span><span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>Spring Security resource server uses the <code>scope</code> and <code>scp</code> attributes in the claim by default to verify the token and extract permission information.</p> <blockquote> <p>Spring Security <code>JwtAuthenticationProvider</code> extracts permission information and other information through the <code>JwtAuthenticationConverter</code> auxiliary converter.</p> </blockquote> <p>However, in this example, the internal permissions use the authorities attribute, so we use <code>JwtAuthenticationConverter</code> to manually extract permissions.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">JwtAuthenticationConverter</span> <span class="nf">jwtAuthenticationConverter</span><span class="o">()</span> <span class="o">{</span> <span class="nc">JwtGrantedAuthoritiesConverter</span> <span class="n">grantedAuthoritiesConverter</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">JwtGrantedAuthoritiesConverter</span><span class="o">();</span> <span class="n">grantedAuthoritiesConverter</span><span class="o">.</span><span class="na">setAuthoritiesClaimName</span><span class="o">(</span><span class="s">"authorities"</span><span class="o">);</span> <span class="n">grantedAuthoritiesConverter</span><span class="o">.</span><span class="na">setAuthorityPrefix</span><span class="o">(</span><span class="s">""</span><span class="o">);</span> <span class="nc">JwtAuthenticationConverter</span> <span class="n">jwtAuthenticationConverter</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">JwtAuthenticationConverter</span><span class="o">();</span> <span class="n">jwtAuthenticationConverter</span><span class="o">.</span><span class="na">setJwtGrantedAuthoritiesConverter</span><span class="o">(</span><span class="n">grantedAuthoritiesConverter</span><span class="o">);</span> <span class="k">return</span> <span class="n">jwtAuthenticationConverter</span><span class="o">;</span> <span class="o">}</span> </code></pre> </div> <p>Here, we specify the permission attribute as <code>authorities</code> and completely remove the permission prefix.</p> <p>Finally, we will create API interfaces for testing in the example and use <code>@PreAuthorize</code> to protect the interface, which can only be accessed by corresponding permissions:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@RestController</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">ArticleController</span> <span class="o">{</span> <span class="nc">List</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">&gt;</span> <span class="n">article</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">ArrayList</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">&gt;()</span> <span class="o">{{</span> <span class="n">add</span><span class="o">(</span><span class="s">"article1"</span><span class="o">);</span> <span class="n">add</span><span class="o">(</span><span class="s">"article2"</span><span class="o">);</span> <span class="o">}};</span> <span class="nd">@PreAuthorize</span><span class="o">(</span><span class="s">"hasAuthority('read')"</span><span class="o">)</span> <span class="nd">@GetMapping</span><span class="o">(</span><span class="s">"/resource/article/read"</span><span class="o">)</span> <span class="kd">public</span> <span class="nc">Map</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">,</span> <span class="nc">Object</span><span class="o">&gt;</span> <span class="nf">read</span><span class="o">(</span><span class="nd">@AuthenticationPrincipal</span> <span class="nc">Jwt</span> <span class="n">jwt</span><span class="o">)</span> <span class="o">{</span> <span class="nc">Map</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">,</span> <span class="nc">Object</span><span class="o">&gt;</span> <span class="n">result</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">HashMap</span><span class="o">&lt;&gt;(</span><span class="mi">2</span><span class="o">);</span> <span class="n">result</span><span class="o">.</span><span class="na">put</span><span class="o">(</span><span class="s">"principal"</span><span class="o">,</span> <span class="n">jwt</span><span class="o">.</span><span class="na">getClaims</span><span class="o">());</span> <span class="n">result</span><span class="o">.</span><span class="na">put</span><span class="o">(</span><span class="s">"article"</span><span class="o">,</span> <span class="n">article</span><span class="o">);</span> <span class="k">return</span> <span class="n">result</span><span class="o">;</span> <span class="o">}</span> <span class="nd">@PreAuthorize</span><span class="o">(</span><span class="s">"hasAuthority('write')"</span><span class="o">)</span> <span class="nd">@GetMapping</span><span class="o">(</span><span class="s">"/resource/article/write"</span><span class="o">)</span> <span class="kd">public</span> <span class="nc">String</span> <span class="nf">write</span><span class="o">(</span><span class="nd">@RequestParam</span> <span class="nc">String</span> <span class="n">name</span><span class="o">)</span> <span class="o">{</span> <span class="n">article</span><span class="o">.</span><span class="na">add</span><span class="o">(</span><span class="n">name</span><span class="o">);</span> <span class="k">return</span> <span class="s">"success"</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <h2> Testing our application </h2> <p>After we have started the service, we access <a href="http://127.0.0.1:8070/resource/article/read" rel="noopener noreferrer">http://127.0.0.1:8070/resource/article/read</a> in the browser and we will be redirected to the authorization service login page as shown below:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnhxslndxu5gwx79z4yau.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnhxslndxu5gwx79z4yau.png" alt="Image description"></a></p> <p>After we enter the username and password (admin/password), we will get the request response information:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpoickgysmhl66ti6rmsd.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpoickgysmhl66ti6rmsd.png" alt="Image description"></a></p> <p>The role of the admin user is <code>ROLE_ADMIN</code>, so we try to request <a href="http://127.0.0.1:8070/resource/article/write?name=article3" rel="noopener noreferrer">http://127.0.0.1:8070/resource/article/write?name=article3</a></p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgr9k5c2gilnuusfnm66h.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgr9k5c2gilnuusfnm66h.png" alt="Image description"></a></p> <p>After logging out, we also access <a href="http://127.0.0.1:8070/resource/article/read" rel="noopener noreferrer">http://127.0.0.1:8070/resource/article/read</a>, but this time we use Github login, and the response information is as shown below:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4g0cul300spdoaqiz50b.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4g0cul300spdoaqiz50b.png" alt="Image description"></a></p> <p>We can see that the response information shows that the user has switched to your Github username.</p> <p>Users who log in with Github are assigned the <code>ROLE_OPERATION</code> role by default, and <code>ROLE_OPERATION</code> does not have access to <a href="http://127.0.0.1:8070/resource/article/write?name=article3" rel="noopener noreferrer">http://127.0.0.1:8070/resource/article/write?name=article3</a>. Let's try to test it:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3q26zrsm2xk50el0kf9z.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3q26zrsm2xk50el0kf9z.png" alt="Image description"></a></p> <p>The result shows that our request is rejected, with a 403 status code indicating that we do not have access permissions.</p> <h2> Conclusion </h2> <p>In this article, you learned how to use Spring Cloud Gateway to protect microservices with OAuth2. In the example, the browser cookie only stores the session ID, and the JWT access token is not exposed to the browser but flows internally in the service. This way, we experience the advantages of JWT and also use the cookie-session to compensate for the shortcomings of JWT, such as when we need to implement a forced user logout function.</p> <p>As always, the source code used in this article is available <a href="https://github.com/ReLive27/spring-security-oauth2-sample/tree/main/gateway-oauth2-login" rel="noopener noreferrer">on GitHub</a>.</p> <p>Thanks for reading! 😊</p> java security oauth2 springsecurity Spring Security and OpenID Connect ReLive27 Sun, 19 Mar 2023 13:55:05 +0000 https://dev.to/relive27/spring-security-and-openid-connect-k9p https://dev.to/relive27/spring-security-and-openid-connect-k9p <h2> Overview </h2> <p>OpenID Connect is an open standard published by the OpenID Foundation in February 2014. It defines an interworking way to perform user authentication using OAuth 2.0. OpenID Connect builds directly on OAuth 2.0 and remains compatible with it.</p> <p>When an authorization server supports OIDC, it is sometimes called an Identity Provider (Idp), because it provides information to <strong>client</strong> about the owner of a resource. And the <strong>client</strong> is also referred to as the Relying Party (RP) in the OpenID Connect process.</p> <p>The OpenID Connect flow looks the same as OAuth2. The main difference is that in the authorization request, a specific scope <code>openid</code> is used, while in the obtain token, <strong>the login relying party (RP) receives both an access token and an ID token (signed JWT)</strong>. ID token differ from access token in that ID token are sent to and parsed by the login relying party (RP).</p> <p><strong>In this article you will learn:</strong></p> <ul> <li>Configure the authorization service to support OpenID Connect</li> <li>Custom id token</li> <li>The login relying party implements permission mapping through <code>OAuth2UserService</code> </li> </ul> <p><strong>Prerequisites:</strong></p> <ul> <li>java 8+</li> <li>MySQL</li> </ul> <h2> Use Spring Authorization Server to build identity provider server (IdP) 🚀 </h2> <p>In this section, we will use <a href="https://spring.io/projects/spring-authorization-server" rel="noopener noreferrer">Spring Authorization Server</a> to build an identity provider service, and implement a custom ID token through <code>OAuth2TokenCustomizer</code>.</p> <h3> Maven dependencies </h3> <div class="highlight js-code-highlight"> <pre class="highlight xml"><code><span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.springframework.boot<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-boot-starter-security<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>2.6.7<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;/dependency&gt;</span> <span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.springframework.security<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-security-oauth2-authorization-server<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>0.3.1<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;/dependency&gt;</span> <span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.springframework.boot<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-boot-starter-web<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>2.6.7<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;/dependency&gt;</span> </code></pre> </div> <h3> Configuration </h3> <p>First we configure the identity provider service port 8080:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">server</span><span class="pi">:</span> <span class="na">port</span><span class="pi">:</span> <span class="m">8080</span> </code></pre> </div> <p>Next we create the <code>AuthorizationServerConfig</code> configuration class, in which we configure OAuth2 and OICD related beans. We first register a client:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">RegisteredClientRepository</span> <span class="nf">registeredClientRepository</span><span class="o">()</span> <span class="o">{</span> <span class="nc">RegisteredClient</span> <span class="n">registeredClient</span> <span class="o">=</span> <span class="nc">RegisteredClient</span><span class="o">.</span><span class="na">withId</span><span class="o">(</span><span class="no">UUID</span><span class="o">.</span><span class="na">randomUUID</span><span class="o">().</span><span class="na">toString</span><span class="o">())</span> <span class="o">.</span><span class="na">clientId</span><span class="o">(</span><span class="s">"relive-client"</span><span class="o">)</span> <span class="o">.</span><span class="na">clientSecret</span><span class="o">(</span><span class="s">"{noop}relive-client"</span><span class="o">)</span> <span class="o">.</span><span class="na">clientAuthenticationMethods</span><span class="o">(</span><span class="n">s</span> <span class="o">-&gt;</span> <span class="o">{</span> <span class="n">s</span><span class="o">.</span><span class="na">add</span><span class="o">(</span><span class="nc">ClientAuthenticationMethod</span><span class="o">.</span><span class="na">CLIENT_SECRET_POST</span><span class="o">);</span> <span class="n">s</span><span class="o">.</span><span class="na">add</span><span class="o">(</span><span class="nc">ClientAuthenticationMethod</span><span class="o">.</span><span class="na">CLIENT_SECRET_BASIC</span><span class="o">);</span> <span class="o">})</span> <span class="o">.</span><span class="na">authorizationGrantType</span><span class="o">(</span><span class="nc">AuthorizationGrantType</span><span class="o">.</span><span class="na">AUTHORIZATION_CODE</span><span class="o">)</span> <span class="o">.</span><span class="na">authorizationGrantType</span><span class="o">(</span><span class="nc">AuthorizationGrantType</span><span class="o">.</span><span class="na">REFRESH_TOKEN</span><span class="o">)</span> <span class="o">.</span><span class="na">redirectUri</span><span class="o">(</span><span class="s">"http://127.0.0.1:8070/login/oauth2/code/messaging-client-oidc"</span><span class="o">)</span> <span class="o">.</span><span class="na">scope</span><span class="o">(</span><span class="nc">OidcScopes</span><span class="o">.</span><span class="na">OPENID</span><span class="o">)</span> <span class="o">.</span><span class="na">scope</span><span class="o">(</span><span class="nc">OidcScopes</span><span class="o">.</span><span class="na">PROFILE</span><span class="o">)</span> <span class="o">.</span><span class="na">scope</span><span class="o">(</span><span class="nc">OidcScopes</span><span class="o">.</span><span class="na">EMAIL</span><span class="o">)</span> <span class="o">.</span><span class="na">clientSettings</span><span class="o">(</span><span class="nc">ClientSettings</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">requireAuthorizationConsent</span><span class="o">(</span><span class="kc">true</span><span class="o">)</span> <span class="o">.</span><span class="na">requireProofKey</span><span class="o">(</span><span class="kc">false</span><span class="o">)</span> <span class="o">.</span><span class="na">build</span><span class="o">())</span> <span class="o">.</span><span class="na">tokenSettings</span><span class="o">(</span><span class="nc">TokenSettings</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">accessTokenFormat</span><span class="o">(</span><span class="nc">OAuth2TokenFormat</span><span class="o">.</span><span class="na">SELF_CONTAINED</span><span class="o">)</span> <span class="o">.</span><span class="na">idTokenSignatureAlgorithm</span><span class="o">(</span><span class="nc">SignatureAlgorithm</span><span class="o">.</span><span class="na">RS256</span><span class="o">)</span> <span class="o">.</span><span class="na">accessTokenTimeToLive</span><span class="o">(</span><span class="nc">Duration</span><span class="o">.</span><span class="na">ofSeconds</span><span class="o">(</span><span class="mi">30</span> <span class="o">*</span> <span class="mi">60</span><span class="o">))</span> <span class="o">.</span><span class="na">refreshTokenTimeToLive</span><span class="o">(</span><span class="nc">Duration</span><span class="o">.</span><span class="na">ofSeconds</span><span class="o">(</span><span class="mi">60</span> <span class="o">*</span> <span class="mi">60</span><span class="o">))</span> <span class="o">.</span><span class="na">reuseRefreshTokens</span><span class="o">(</span><span class="kc">true</span><span class="o">)</span> <span class="o">.</span><span class="na">build</span><span class="o">())</span> <span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="k">return</span> <span class="k">new</span> <span class="nf">InMemoryRegisteredClientRepository</span><span class="o">(</span><span class="n">registeredClient</span><span class="o">);</span> <span class="o">}</span> </code></pre> </div> <p>The properties we are configuring are:</p> <ul> <li>clientId -- The identity provider will use this to identify which client is trying to access the resource</li> <li>clientSecret -- A secret known to both client and identity provider service, which provides trust between the two</li> <li>clientAuthenticationMethod -- Client authentication method, in our example, we will support basic and post authentication methods</li> <li>authorizationGrantType -- Grant type, support authorization code and refresh token</li> <li>redirectUri -- The redirection URI, which the client will use in the redirection-based flow</li> <li>scope -- This parameter defines the permissions the client may have. In our case, we will have the required <strong>openid</strong> and <strong>profile</strong>, <strong>emali</strong>, to fetch additional identity information</li> </ul> <p>OpenID Connect uses a special permission scope value openid to control access to the UserInfo endpoint. OpenID Connect defines a set of standardized OAuth2 permission scopes, corresponding to the subset of user attributes profile, email, phone, address, see the table:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>scope of authority</th> <th>statement</th> </tr> </thead> <tbody> <tr> <td><strong>openid</strong></td> <td><strong>sub</strong></td> </tr> <tr> <td>profile</td> <td>Name, family_name, given_name, middle_name, nickname, preferred_username, profile, picture, website, gender, birthdate, zoneinfo, locale, updated_at</td> </tr> <tr> <td>email</td> <td>email, email_verified</td> </tr> <tr> <td>address</td> <td>address is a JSON object, contains formatted, street_address, locality, region, postal_code, country</td> </tr> <tr> <td>phone</td> <td>phone_number, phone_number_verified</td> </tr> </tbody> </table></div> <p>Let's define <code>OidcUserInfoService</code> according to the above specification, which is used to extend /userinfo user information endpoint response:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kd">public</span> <span class="kd">class</span> <span class="nc">OidcUserInfoService</span> <span class="o">{</span> <span class="kd">public</span> <span class="nc">OidcUserInfo</span> <span class="nf">loadUser</span><span class="o">(</span><span class="nc">String</span> <span class="n">name</span><span class="o">,</span> <span class="nc">Set</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">&gt;</span> <span class="n">scopes</span><span class="o">)</span> <span class="o">{</span> <span class="nc">OidcUserInfo</span><span class="o">.</span><span class="na">Builder</span> <span class="n">builder</span> <span class="o">=</span> <span class="nc">OidcUserInfo</span><span class="o">.</span><span class="na">builder</span><span class="o">().</span><span class="na">subject</span><span class="o">(</span><span class="n">name</span><span class="o">);</span> <span class="k">if</span> <span class="o">(!</span><span class="nc">CollectionUtils</span><span class="o">.</span><span class="na">isEmpty</span><span class="o">(</span><span class="n">scopes</span><span class="o">))</span> <span class="o">{</span> <span class="k">if</span> <span class="o">(</span><span class="n">scopes</span><span class="o">.</span><span class="na">contains</span><span class="o">(</span><span class="nc">OidcScopes</span><span class="o">.</span><span class="na">PROFILE</span><span class="o">))</span> <span class="o">{</span> <span class="n">builder</span><span class="o">.</span><span class="na">name</span><span class="o">(</span><span class="s">"First Last"</span><span class="o">)</span> <span class="o">.</span><span class="na">givenName</span><span class="o">(</span><span class="s">"First"</span><span class="o">)</span> <span class="o">.</span><span class="na">familyName</span><span class="o">(</span><span class="s">"Last"</span><span class="o">)</span> <span class="o">.</span><span class="na">middleName</span><span class="o">(</span><span class="s">"Middle"</span><span class="o">)</span> <span class="o">.</span><span class="na">nickname</span><span class="o">(</span><span class="s">"User"</span><span class="o">)</span> <span class="o">.</span><span class="na">preferredUsername</span><span class="o">(</span><span class="n">name</span><span class="o">)</span> <span class="o">.</span><span class="na">profile</span><span class="o">(</span><span class="s">"http://127.0.0.1:8080/"</span> <span class="o">+</span> <span class="n">name</span><span class="o">)</span> <span class="o">.</span><span class="na">picture</span><span class="o">(</span><span class="s">"http://127.0.0.1:8080/"</span> <span class="o">+</span> <span class="n">name</span> <span class="o">+</span> <span class="s">".jpg"</span><span class="o">)</span> <span class="o">.</span><span class="na">website</span><span class="o">(</span><span class="s">"http://127.0.0.1:8080/"</span><span class="o">)</span> <span class="o">.</span><span class="na">gender</span><span class="o">(</span><span class="s">"female"</span><span class="o">)</span> <span class="o">.</span><span class="na">birthdate</span><span class="o">(</span><span class="s">"2022-05-24"</span><span class="o">)</span> <span class="o">.</span><span class="na">zoneinfo</span><span class="o">(</span><span class="s">"China/Beijing"</span><span class="o">)</span> <span class="o">.</span><span class="na">locale</span><span class="o">(</span><span class="s">"zh-cn"</span><span class="o">)</span> <span class="o">.</span><span class="na">updatedAt</span><span class="o">(</span><span class="nc">LocalDateTime</span><span class="o">.</span><span class="na">now</span><span class="o">().</span><span class="na">format</span><span class="o">(</span><span class="nc">DateTimeFormatter</span><span class="o">.</span><span class="na">ISO_LOCAL_DATE</span><span class="o">));</span> <span class="o">}</span> <span class="k">if</span> <span class="o">(</span><span class="n">scopes</span><span class="o">.</span><span class="na">contains</span><span class="o">(</span><span class="nc">OidcScopes</span><span class="o">.</span><span class="na">EMAIL</span><span class="o">))</span> <span class="o">{</span> <span class="n">builder</span><span class="o">.</span><span class="na">email</span><span class="o">(</span><span class="n">name</span> <span class="o">+</span> <span class="s">"@outlook.com"</span><span class="o">).</span><span class="na">emailVerified</span><span class="o">(</span><span class="kc">true</span><span class="o">);</span> <span class="o">}</span> <span class="k">if</span> <span class="o">(</span><span class="n">scopes</span><span class="o">.</span><span class="na">contains</span><span class="o">(</span><span class="nc">OidcScopes</span><span class="o">.</span><span class="na">ADDRESS</span><span class="o">))</span> <span class="o">{</span> <span class="nc">JSONObject</span> <span class="n">address</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">JSONObject</span><span class="o">();</span> <span class="n">address</span><span class="o">.</span><span class="na">put</span><span class="o">(</span><span class="s">"address"</span><span class="o">,</span> <span class="nc">Collections</span><span class="o">.</span><span class="na">singletonMap</span><span class="o">(</span><span class="s">"formatted"</span><span class="o">,</span> <span class="s">"Champ de Mars\n5 Av. Anatole France\n75007 Paris\nFrance"</span><span class="o">));</span> <span class="n">builder</span><span class="o">.</span><span class="na">address</span><span class="o">(</span><span class="n">address</span><span class="o">.</span><span class="na">toJSONString</span><span class="o">());</span> <span class="o">}</span> <span class="k">if</span> <span class="o">(</span><span class="n">scopes</span><span class="o">.</span><span class="na">contains</span><span class="o">(</span><span class="nc">OidcScopes</span><span class="o">.</span><span class="na">PHONE</span><span class="o">))</span> <span class="o">{</span> <span class="n">builder</span><span class="o">.</span><span class="na">phoneNumber</span><span class="o">(</span><span class="s">"13028903134"</span><span class="o">).</span><span class="na">phoneNumberVerified</span><span class="o">(</span><span class="s">"false"</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> <span class="k">return</span> <span class="n">builder</span><span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>Next, we'll configure a bean to apply default OAuth2 security. Use the above <code>OidcUserInfoService</code> to configure UserInfoMapper in OIDC. oauth2ResourceServer() configures the resource server to use JWT authentication to secure the /userinfo endpoint provided by Spring Security. For unauthenticated requests we redirect it to the /login login page.</p> <blockquote> <p>Note: Sometimes the "authorization server" and "resource server" are the same server.<br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight java"><code> <span class="nd">@Bean</span> <span class="nd">@Order</span><span class="o">(</span><span class="nc">Ordered</span><span class="o">.</span><span class="na">HIGHEST_PRECEDENCE</span><span class="o">)</span> <span class="kd">public</span> <span class="nc">SecurityFilterChain</span> <span class="nf">authorizationServerSecurityFilterChain</span><span class="o">(</span><span class="nc">HttpSecurity</span> <span class="n">http</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="nc">OAuth2AuthorizationServerConfigurer</span><span class="o">&lt;</span><span class="nc">HttpSecurity</span><span class="o">&gt;</span> <span class="n">authorizationServerConfigurer</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">OAuth2AuthorizationServerConfigurer</span><span class="o">&lt;&gt;();</span> <span class="c1">//custom User Mapper</span> <span class="nc">Function</span><span class="o">&lt;</span><span class="nc">OidcUserInfoAuthenticationContext</span><span class="o">,</span> <span class="nc">OidcUserInfo</span><span class="o">&gt;</span> <span class="n">userInfoMapper</span> <span class="o">=</span> <span class="o">(</span><span class="n">context</span><span class="o">)</span> <span class="o">-&gt;</span> <span class="o">{</span> <span class="nc">OidcUserInfoAuthenticationToken</span> <span class="n">authentication</span> <span class="o">=</span> <span class="n">context</span><span class="o">.</span><span class="na">getAuthentication</span><span class="o">();</span> <span class="nc">JwtAuthenticationToken</span> <span class="n">principal</span> <span class="o">=</span> <span class="o">(</span><span class="nc">JwtAuthenticationToken</span><span class="o">)</span> <span class="n">authentication</span><span class="o">.</span><span class="na">getPrincipal</span><span class="o">();</span> <span class="k">return</span> <span class="n">userInfoService</span><span class="o">.</span><span class="na">loadUser</span><span class="o">(</span><span class="n">principal</span><span class="o">.</span><span class="na">getName</span><span class="o">(),</span> <span class="n">context</span><span class="o">.</span><span class="na">getAccessToken</span><span class="o">().</span><span class="na">getScopes</span><span class="o">());</span> <span class="o">};</span> <span class="n">authorizationServerConfigurer</span><span class="o">.</span><span class="na">oidc</span><span class="o">((</span><span class="n">oidc</span><span class="o">)</span> <span class="o">-&gt;</span> <span class="o">{</span> <span class="n">oidc</span><span class="o">.</span><span class="na">userInfoEndpoint</span><span class="o">((</span><span class="n">userInfo</span><span class="o">)</span> <span class="o">-&gt;</span> <span class="n">userInfo</span><span class="o">.</span><span class="na">userInfoMapper</span><span class="o">(</span><span class="n">userInfoMapper</span><span class="o">));</span> <span class="o">});</span> <span class="nc">RequestMatcher</span> <span class="n">endpointsMatcher</span> <span class="o">=</span> <span class="n">authorizationServerConfigurer</span><span class="o">.</span><span class="na">getEndpointsMatcher</span><span class="o">();</span> <span class="k">return</span> <span class="n">http</span><span class="o">.</span><span class="na">requestMatcher</span><span class="o">(</span><span class="n">endpointsMatcher</span><span class="o">).</span><span class="na">authorizeRequests</span><span class="o">((</span><span class="n">authorizeRequests</span><span class="o">)</span> <span class="o">-&gt;</span> <span class="o">{</span> <span class="o">((</span><span class="nc">ExpressionUrlAuthorizationConfigurer</span><span class="o">.</span><span class="na">AuthorizedUrl</span><span class="o">)</span> <span class="n">authorizeRequests</span><span class="o">.</span><span class="na">anyRequest</span><span class="o">()).</span><span class="na">authenticated</span><span class="o">();</span> <span class="o">}).</span><span class="na">csrf</span><span class="o">((</span><span class="n">csrf</span><span class="o">)</span> <span class="o">-&gt;</span> <span class="o">{</span> <span class="n">csrf</span><span class="o">.</span><span class="na">ignoringRequestMatchers</span><span class="o">(</span><span class="k">new</span> <span class="nc">RequestMatcher</span><span class="o">[]{</span><span class="n">endpointsMatcher</span><span class="o">});</span> <span class="o">}).</span><span class="na">apply</span><span class="o">(</span><span class="n">authorizationServerConfigurer</span><span class="o">)</span> <span class="o">.</span><span class="na">and</span><span class="o">()</span> <span class="o">.</span><span class="na">oauth2ResourceServer</span><span class="o">(</span><span class="nl">OAuth2ResourceServerConfigurer:</span><span class="o">:</span><span class="n">jwt</span><span class="o">)</span> <span class="o">.</span><span class="na">exceptionHandling</span><span class="o">(</span><span class="n">exceptions</span> <span class="o">-&gt;</span> <span class="n">exceptions</span><span class="o">.</span> <span class="nf">authenticationEntryPoint</span><span class="o">(</span><span class="k">new</span> <span class="nc">LoginUrlAuthenticationEntryPoint</span><span class="o">(</span><span class="s">"/login"</span><span class="o">)))</span> <span class="o">.</span><span class="na">apply</span><span class="o">(</span><span class="n">authorizationServerConfigurer</span><span class="o">)</span> <span class="o">.</span><span class="na">and</span><span class="o">()</span> <span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> </code></pre> </div> <p>Each authorization server needs its signing key for tokens, let's generate a 2048 byte RSA key.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">JWKSource</span><span class="o">&lt;</span><span class="nc">SecurityContext</span><span class="o">&gt;</span> <span class="nf">jwkSource</span><span class="o">()</span> <span class="o">{</span> <span class="nc">RSAKey</span> <span class="n">rsaKey</span> <span class="o">=</span> <span class="nc">Jwks</span><span class="o">.</span><span class="na">generateRsa</span><span class="o">();</span> <span class="nc">JWKSet</span> <span class="n">jwkSet</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">JWKSet</span><span class="o">(</span><span class="n">rsaKey</span><span class="o">);</span> <span class="k">return</span> <span class="o">(</span><span class="n">jwkSelector</span><span class="o">,</span> <span class="n">securityContext</span><span class="o">)</span> <span class="o">-&gt;</span> <span class="n">jwkSelector</span><span class="o">.</span><span class="na">select</span><span class="o">(</span><span class="n">jwkSet</span><span class="o">);</span> <span class="o">}</span> <span class="kd">static</span> <span class="kd">class</span> <span class="nc">Jwks</span> <span class="o">{</span> <span class="kd">private</span> <span class="nf">Jwks</span><span class="o">()</span> <span class="o">{</span> <span class="o">}</span> <span class="kd">public</span> <span class="kd">static</span> <span class="nc">RSAKey</span> <span class="nf">generateRsa</span><span class="o">()</span> <span class="o">{</span> <span class="nc">KeyPair</span> <span class="n">keyPair</span> <span class="o">=</span> <span class="nc">KeyGeneratorUtils</span><span class="o">.</span><span class="na">generateRsaKey</span><span class="o">();</span> <span class="nc">RSAPublicKey</span> <span class="n">publicKey</span> <span class="o">=</span> <span class="o">(</span><span class="nc">RSAPublicKey</span><span class="o">)</span> <span class="n">keyPair</span><span class="o">.</span><span class="na">getPublic</span><span class="o">();</span> <span class="nc">RSAPrivateKey</span> <span class="n">privateKey</span> <span class="o">=</span> <span class="o">(</span><span class="nc">RSAPrivateKey</span><span class="o">)</span> <span class="n">keyPair</span><span class="o">.</span><span class="na">getPrivate</span><span class="o">();</span> <span class="k">return</span> <span class="k">new</span> <span class="nc">RSAKey</span><span class="o">.</span><span class="na">Builder</span><span class="o">(</span><span class="n">publicKey</span><span class="o">)</span> <span class="o">.</span><span class="na">privateKey</span><span class="o">(</span><span class="n">privateKey</span><span class="o">)</span> <span class="o">.</span><span class="na">keyID</span><span class="o">(</span><span class="no">UUID</span><span class="o">.</span><span class="na">randomUUID</span><span class="o">().</span><span class="na">toString</span><span class="o">())</span> <span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> <span class="o">}</span> <span class="kd">static</span> <span class="kd">class</span> <span class="nc">KeyGeneratorUtils</span> <span class="o">{</span> <span class="kd">private</span> <span class="nf">KeyGeneratorUtils</span><span class="o">()</span> <span class="o">{</span> <span class="o">}</span> <span class="kd">static</span> <span class="nc">KeyPair</span> <span class="nf">generateRsaKey</span><span class="o">()</span> <span class="o">{</span> <span class="nc">KeyPair</span> <span class="n">keyPair</span><span class="o">;</span> <span class="k">try</span> <span class="o">{</span> <span class="nc">KeyPairGenerator</span> <span class="n">keyPairGenerator</span> <span class="o">=</span> <span class="nc">KeyPairGenerator</span><span class="o">.</span><span class="na">getInstance</span><span class="o">(</span><span class="s">"RSA"</span><span class="o">);</span> <span class="n">keyPairGenerator</span><span class="o">.</span><span class="na">initialize</span><span class="o">(</span><span class="mi">2048</span><span class="o">);</span> <span class="n">keyPair</span> <span class="o">=</span> <span class="n">keyPairGenerator</span><span class="o">.</span><span class="na">generateKeyPair</span><span class="o">();</span> <span class="o">}</span> <span class="k">catch</span> <span class="o">(</span><span class="nc">Exception</span> <span class="n">ex</span><span class="o">)</span> <span class="o">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nf">IllegalStateException</span><span class="o">(</span><span class="n">ex</span><span class="o">);</span> <span class="o">}</span> <span class="k">return</span> <span class="n">keyPair</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>We will then enable the Spring Web Security module using a configuration class annotated with <code>@EnableWebSecurity</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@Configuration</span><span class="o">(</span><span class="n">proxyBeanMethods</span> <span class="o">=</span> <span class="kc">false</span><span class="o">)</span> <span class="nd">@EnableWebSecurity</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">DefaultSecurityConfig</span> <span class="o">{</span> <span class="nd">@Bean</span> <span class="nc">SecurityFilterChain</span> <span class="nf">defaultSecurityFilterChain</span><span class="o">(</span><span class="nc">HttpSecurity</span> <span class="n">http</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="n">http</span> <span class="o">.</span><span class="na">authorizeRequests</span><span class="o">(</span><span class="n">authorizeRequests</span> <span class="o">-&gt;</span> <span class="n">authorizeRequests</span><span class="o">.</span><span class="na">anyRequest</span><span class="o">().</span><span class="na">authenticated</span><span class="o">()</span> <span class="o">)</span> <span class="o">.</span><span class="na">formLogin</span><span class="o">(</span><span class="n">withDefaults</span><span class="o">());</span> <span class="k">return</span> <span class="n">http</span><span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> <span class="c1">//...</span> <span class="o">}</span> </code></pre> </div> <p>Here we use Form authentication, so we also need to provide username and password for login authentication.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code> <span class="nd">@Bean</span> <span class="nc">UserDetailsService</span> <span class="nf">users</span><span class="o">()</span> <span class="o">{</span> <span class="nc">UserDetails</span> <span class="n">user</span> <span class="o">=</span> <span class="nc">User</span><span class="o">.</span><span class="na">withDefaultPasswordEncoder</span><span class="o">()</span> <span class="o">.</span><span class="na">username</span><span class="o">(</span><span class="s">"admin"</span><span class="o">)</span> <span class="o">.</span><span class="na">password</span><span class="o">(</span><span class="s">"password"</span><span class="o">)</span> <span class="o">.</span><span class="na">roles</span><span class="o">(</span><span class="s">"ADMIN"</span><span class="o">)</span> <span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="k">return</span> <span class="k">new</span> <span class="nf">InMemoryUserDetailsManager</span><span class="o">(</span><span class="n">user</span><span class="o">);</span> <span class="o">}</span> </code></pre> </div> <p>We will change the <strong>ID Token</strong> claim and add the user role attribute to pass the role information to the client.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@Configuration</span><span class="o">(</span><span class="n">proxyBeanMethods</span> <span class="o">=</span> <span class="kc">false</span><span class="o">)</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">IdTokenCustomizerConfig</span> <span class="o">{</span> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">OAuth2TokenCustomizer</span><span class="o">&lt;</span><span class="nc">JwtEncodingContext</span><span class="o">&gt;</span> <span class="nf">tokenCustomizer</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="o">(</span><span class="n">context</span><span class="o">)</span> <span class="o">-&gt;</span> <span class="o">{</span> <span class="k">if</span> <span class="o">(</span><span class="nc">OidcParameterNames</span><span class="o">.</span><span class="na">ID_TOKEN</span><span class="o">.</span><span class="na">equals</span><span class="o">(</span><span class="n">context</span><span class="o">.</span><span class="na">getTokenType</span><span class="o">().</span><span class="na">getValue</span><span class="o">()))</span> <span class="o">{</span> <span class="n">context</span><span class="o">.</span><span class="na">getClaims</span><span class="o">().</span><span class="na">claims</span><span class="o">(</span><span class="n">claims</span> <span class="o">-&gt;</span> <span class="n">claims</span><span class="o">.</span><span class="na">put</span><span class="o">(</span><span class="s">"role"</span><span class="o">,</span> <span class="n">context</span><span class="o">.</span><span class="na">getPrincipal</span><span class="o">().</span><span class="na">getAuthorities</span><span class="o">()</span> <span class="o">.</span><span class="na">stream</span><span class="o">().</span><span class="na">map</span><span class="o">(</span><span class="nl">GrantedAuthority:</span><span class="o">:</span><span class="n">getAuthority</span><span class="o">)</span> <span class="o">.</span><span class="na">collect</span><span class="o">(</span><span class="nc">Collectors</span><span class="o">.</span><span class="na">toSet</span><span class="o">())));</span> <span class="o">}</span> <span class="o">};</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <h2> Relying Party Service (RP) Implementation 🚀 </h2> <p>In this section, we will use Spring Security to build the relying party service, and design the relevant database table structure to express the permission relationship between the associated identity provider service and the relying party service, and implement permission mapping through <code>OAuth2UserService</code>.</p> <p>Part of the code in this section involves JPA-related knowledge. If you don’t understand it, it doesn’t matter. You can replace it with Mybatis.</p> <h3> Maven dependencies </h3> <div class="highlight js-code-highlight"> <pre class="highlight xml"><code><span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.springframework.boot<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-boot-starter-web<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>2.6.7<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;/dependency&gt;</span> <span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.springframework.boot<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-boot-starter-oauth2-client<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>2.6.7<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;/dependency&gt;</span> <span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.springframework.boot<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-boot-starter-data-jdbc<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>2.6.7<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;/dependency&gt;</span> <span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.springframework.boot<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-boot-starter-data-jpa<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>2.6.7<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;/dependency&gt;</span> <span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.springframework.boot<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-boot-starter-thymeleaf<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>2.6.7<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;/dependency&gt;</span> <span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>mysql<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>mysql-connector-java<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>8.0.21<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;/dependency&gt;</span> </code></pre> </div> <h3> Relevant database table structure </h3> <p>This is the relevant database table used by the RP service in this article, and the SQL statements related to creating tables and initializing data can be obtained from <a href="https://github.com/ReLive27/spring-security-oauth2-sample/tree/main/oidc-login/rp/src/main/resources/db/migration" rel="noopener noreferrer">here</a>.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbveojky95y81vq5uojn9.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbveojky95y81vq5uojn9.png" alt="Image description"></a></p> <h3> Configuration </h3> <p>First, we configure the service port and database connection information in the <code>application.yml</code> file.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">server</span><span class="pi">:</span> <span class="na">port</span><span class="pi">:</span> <span class="m">8070</span> <span class="na">servlet</span><span class="pi">:</span> <span class="na">session</span><span class="pi">:</span> <span class="na">cookie</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">CLIENT-SESSION</span> <span class="na">spring</span><span class="pi">:</span> <span class="na">datasource</span><span class="pi">:</span> <span class="na">druid</span><span class="pi">:</span> <span class="na">db-type</span><span class="pi">:</span> <span class="s">mysql</span> <span class="na">driver-class-name</span><span class="pi">:</span> <span class="s">com.mysql.cj.jdbc.Driver</span> <span class="na">url</span><span class="pi">:</span> <span class="s">jdbc:mysql://localhost:3306/oidc_login?createDatabaseIfNotExist=true&amp;useUnicode=true&amp;characterEncoding=UTF-8&amp;useSSL=false&amp;serverTimezone=Asia/Shanghai&amp;allowPublicKeyRetrieval=true</span> <span class="na">username</span><span class="pi">:</span> <span class="s">&lt;&lt;root&gt;&gt;</span> <span class="na">password</span><span class="pi">:</span> <span class="s">&lt;&lt;password&gt;&gt;</span> </code></pre> </div> <p>Next we will enable the Spring Security configuration. Use Form authentication, and use <em>oauth2Login()</em> to define the default configuration of OAuth2 login.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code> <span class="nd">@Bean</span> <span class="nc">SecurityFilterChain</span> <span class="nf">securityFilterChain</span><span class="o">(</span><span class="nc">HttpSecurity</span> <span class="n">http</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="n">http</span><span class="o">.</span><span class="na">authorizeHttpRequests</span><span class="o">()</span> <span class="o">.</span><span class="na">anyRequest</span><span class="o">()</span> <span class="o">.</span><span class="na">authenticated</span><span class="o">()</span> <span class="o">.</span><span class="na">and</span><span class="o">()</span> <span class="o">.</span><span class="na">formLogin</span><span class="o">(</span><span class="n">from</span> <span class="o">-&gt;</span> <span class="o">{</span> <span class="n">from</span><span class="o">.</span><span class="na">defaultSuccessUrl</span><span class="o">(</span><span class="s">"/home"</span><span class="o">);</span> <span class="o">})</span> <span class="o">.</span><span class="na">oauth2Login</span><span class="o">(</span><span class="nc">Customizer</span><span class="o">.</span><span class="na">withDefaults</span><span class="o">())</span> <span class="o">.</span><span class="na">csrf</span><span class="o">().</span><span class="na">disable</span><span class="o">();</span> <span class="k">return</span> <span class="n">http</span><span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> </code></pre> </div> <p>Next, we will configure the storage method of the OAuth2 client based on the MySql database. You can also learn more about it from the <a href="https://dev.to/relive27/spring-security-persistent-oauth2-client-1gcc">Spring Security Persistent OAuth2 client</a>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code> <span class="cm">/** * Define the JDBC client registration repository * * @param jdbcTemplate * @return */</span> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">ClientRegistrationRepository</span> <span class="nf">clientRegistrationRepository</span><span class="o">(</span><span class="nc">JdbcTemplate</span> <span class="n">jdbcTemplate</span><span class="o">)</span> <span class="o">{</span> <span class="k">return</span> <span class="k">new</span> <span class="nf">JdbcClientRegistrationRepository</span><span class="o">(</span><span class="n">jdbcTemplate</span><span class="o">);</span> <span class="o">}</span> <span class="cm">/** * Responsible for {@link OAuth2AuthorizedClient} persistence between web requests * * @param jdbcTemplate * @param clientRegistrationRepository * @return */</span> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">OAuth2AuthorizedClientService</span> <span class="nf">authorizedClientService</span><span class="o">(</span> <span class="nc">JdbcTemplate</span> <span class="n">jdbcTemplate</span><span class="o">,</span> <span class="nc">ClientRegistrationRepository</span> <span class="n">clientRegistrationRepository</span><span class="o">)</span> <span class="o">{</span> <span class="k">return</span> <span class="k">new</span> <span class="nf">JdbcOAuth2AuthorizedClientService</span><span class="o">(</span><span class="n">jdbcTemplate</span><span class="o">,</span> <span class="n">clientRegistrationRepository</span><span class="o">);</span> <span class="o">}</span> <span class="cm">/** * OAuth2AuthorizedClientRepository is a container class for saving and persisting authorized clients between requests * * @param authorizedClientService * @return */</span> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">OAuth2AuthorizedClientRepository</span> <span class="nf">authorizedClientRepository</span><span class="o">(</span> <span class="nc">OAuth2AuthorizedClientService</span> <span class="n">authorizedClientService</span><span class="o">)</span> <span class="o">{</span> <span class="k">return</span> <span class="k">new</span> <span class="nf">AuthenticatedPrincipalOAuth2AuthorizedClientRepository</span><span class="o">(</span><span class="n">authorizedClientService</span><span class="o">);</span> <span class="o">}</span> </code></pre> </div> <p>We are no longer using memory-based username and password. We have added the username and password to the user table when initializing the database, so we need to implement the <code>UserDetailsService</code> interface to obtain user information during Form authentication.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@RequiredArgsConstructor</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">JdbcUserDetailsService</span> <span class="kd">implements</span> <span class="nc">UserDetailsService</span> <span class="o">{</span> <span class="kd">private</span> <span class="kd">final</span> <span class="nc">UserRepository</span> <span class="n">userRepository</span><span class="o">;</span> <span class="nd">@Override</span> <span class="kd">public</span> <span class="nc">UserDetails</span> <span class="nf">loadUserByUsername</span><span class="o">(</span><span class="nc">String</span> <span class="n">username</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">UsernameNotFoundException</span> <span class="o">{</span> <span class="n">com</span><span class="o">.</span><span class="na">relive</span><span class="o">.</span><span class="na">entity</span><span class="o">.</span><span class="na">User</span> <span class="n">user</span> <span class="o">=</span> <span class="n">userRepository</span><span class="o">.</span><span class="na">findUserByUsername</span><span class="o">(</span><span class="n">username</span><span class="o">);</span> <span class="k">if</span> <span class="o">(</span><span class="nc">ObjectUtils</span><span class="o">.</span><span class="na">isEmpty</span><span class="o">(</span><span class="n">user</span><span class="o">))</span> <span class="o">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nf">UsernameNotFoundException</span><span class="o">(</span><span class="s">"user is not found"</span><span class="o">);</span> <span class="o">}</span> <span class="k">if</span> <span class="o">(</span><span class="nc">CollectionUtils</span><span class="o">.</span><span class="na">isEmpty</span><span class="o">(</span><span class="n">user</span><span class="o">.</span><span class="na">getRoleList</span><span class="o">()))</span> <span class="o">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nf">UsernameNotFoundException</span><span class="o">(</span><span class="s">"role is not found"</span><span class="o">);</span> <span class="o">}</span> <span class="nc">Set</span><span class="o">&lt;</span><span class="nc">SimpleGrantedAuthority</span><span class="o">&gt;</span> <span class="n">authorities</span> <span class="o">=</span> <span class="n">user</span><span class="o">.</span><span class="na">getRoleList</span><span class="o">().</span><span class="na">stream</span><span class="o">().</span><span class="na">map</span><span class="o">(</span><span class="nl">Role:</span><span class="o">:</span><span class="n">getRoleCode</span><span class="o">)</span> <span class="o">.</span><span class="na">map</span><span class="o">(</span><span class="nl">SimpleGrantedAuthority:</span><span class="o">:</span><span class="k">new</span><span class="o">).</span><span class="na">collect</span><span class="o">(</span><span class="nc">Collectors</span><span class="o">.</span><span class="na">toSet</span><span class="o">());</span> <span class="k">return</span> <span class="k">new</span> <span class="nf">User</span><span class="o">(</span><span class="n">user</span><span class="o">.</span><span class="na">getUsername</span><span class="o">(),</span> <span class="n">user</span><span class="o">.</span><span class="na">getPassword</span><span class="o">(),</span> <span class="n">authorities</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>Here <code>UserRepository</code> extends <code>JpaRepository</code> and provides database operations for user tables. The detailed code can be obtained from the link at the end of the article.</p> <p>Now we will solve how to map the IdP service user role to the existing role of the RP service. In the previous article, <code>GrantedAuthoritiesMapper</code> was used to map the role. In this article we will use <code>OAuth2UserService</code> to add role mapping strategy, which is more flexible than <code>GrantedAuthoritiesMapper</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kd">public</span> <span class="kd">class</span> <span class="nc">OidcRoleMappingUserService</span> <span class="kd">implements</span> <span class="nc">OAuth2UserService</span><span class="o">&lt;</span><span class="nc">OidcUserRequest</span><span class="o">,</span> <span class="nc">OidcUser</span><span class="o">&gt;</span> <span class="o">{</span> <span class="kd">private</span> <span class="nc">OidcUserService</span> <span class="n">oidcUserService</span><span class="o">;</span> <span class="kd">private</span> <span class="kd">final</span> <span class="nc">OAuth2ClientRoleRepository</span> <span class="n">oAuth2ClientRoleRepository</span><span class="o">;</span> <span class="c1">//...</span> <span class="nd">@Override</span> <span class="kd">public</span> <span class="nc">OidcUser</span> <span class="nf">loadUser</span><span class="o">(</span><span class="nc">OidcUserRequest</span> <span class="n">userRequest</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">OAuth2AuthenticationException</span> <span class="o">{</span> <span class="nc">OidcUser</span> <span class="n">oidcUser</span> <span class="o">=</span> <span class="n">oidcUserService</span><span class="o">.</span><span class="na">loadUser</span><span class="o">(</span><span class="n">userRequest</span><span class="o">);</span> <span class="nc">OidcIdToken</span> <span class="n">idToken</span> <span class="o">=</span> <span class="n">userRequest</span><span class="o">.</span><span class="na">getIdToken</span><span class="o">();</span> <span class="nc">List</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">&gt;</span> <span class="n">role</span> <span class="o">=</span> <span class="n">idToken</span><span class="o">.</span><span class="na">getClaimAsStringList</span><span class="o">(</span><span class="s">"role"</span><span class="o">);</span> <span class="nc">Set</span><span class="o">&lt;</span><span class="nc">SimpleGrantedAuthority</span><span class="o">&gt;</span> <span class="n">mappedAuthorities</span> <span class="o">=</span> <span class="n">role</span><span class="o">.</span><span class="na">stream</span><span class="o">()</span> <span class="o">.</span><span class="na">map</span><span class="o">(</span><span class="n">r</span> <span class="o">-&gt;</span> <span class="n">oAuth2ClientRoleRepository</span><span class="o">.</span><span class="na">findByClientRegistrationIdAndRoleCode</span><span class="o">(</span><span class="n">userRequest</span><span class="o">.</span><span class="na">getClientRegistration</span><span class="o">().</span><span class="na">getRegistrationId</span><span class="o">(),</span> <span class="n">r</span><span class="o">))</span> <span class="o">.</span><span class="na">map</span><span class="o">(</span><span class="nl">OAuth2ClientRole:</span><span class="o">:</span><span class="n">getRole</span><span class="o">).</span><span class="na">map</span><span class="o">(</span><span class="nl">Role:</span><span class="o">:</span><span class="n">getRoleCode</span><span class="o">).</span><span class="na">map</span><span class="o">(</span><span class="nl">SimpleGrantedAuthority:</span><span class="o">:</span><span class="k">new</span><span class="o">)</span> <span class="o">.</span><span class="na">collect</span><span class="o">(</span><span class="nc">Collectors</span><span class="o">.</span><span class="na">toSet</span><span class="o">());</span> <span class="n">oidcUser</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">DefaultOidcUser</span><span class="o">(</span><span class="n">mappedAuthorities</span><span class="o">,</span> <span class="n">oidcUser</span><span class="o">.</span><span class="na">getIdToken</span><span class="o">(),</span> <span class="n">oidcUser</span><span class="o">.</span><span class="na">getUserInfo</span><span class="o">());</span> <span class="k">return</span> <span class="n">oidcUser</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>Finally, we will create a <code>HomeController</code> to make the test effect more visually significant by controlling the content displayed on the page. We will display different information according to the role and use the <a href="https://www.thymeleaf.org/" rel="noopener noreferrer">thymeleaf</a> template engine to render.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@Controller</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">HomeController</span> <span class="o">{</span> <span class="kd">private</span> <span class="kd">static</span> <span class="nc">Map</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">,</span> <span class="nc">List</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">&gt;&gt;</span> <span class="n">articles</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">HashMap</span><span class="o">&lt;&gt;();</span> <span class="kd">static</span> <span class="o">{</span> <span class="n">articles</span><span class="o">.</span><span class="na">put</span><span class="o">(</span><span class="s">"ROLE_OPERATION"</span><span class="o">,</span> <span class="nc">Arrays</span><span class="o">.</span><span class="na">asList</span><span class="o">(</span><span class="s">"Java"</span><span class="o">));</span> <span class="n">articles</span><span class="o">.</span><span class="na">put</span><span class="o">(</span><span class="s">"ROLE_SYSTEM"</span><span class="o">,</span> <span class="nc">Arrays</span><span class="o">.</span><span class="na">asList</span><span class="o">(</span><span class="s">"Java"</span><span class="o">,</span> <span class="s">"Python"</span><span class="o">,</span> <span class="s">"C++"</span><span class="o">));</span> <span class="o">}</span> <span class="nd">@GetMapping</span><span class="o">(</span><span class="s">"/home"</span><span class="o">)</span> <span class="kd">public</span> <span class="nc">String</span> <span class="nf">home</span><span class="o">(</span><span class="nc">Authentication</span> <span class="n">authentication</span><span class="o">,</span> <span class="nc">Model</span> <span class="n">model</span><span class="o">)</span> <span class="o">{</span> <span class="nc">String</span> <span class="n">authority</span> <span class="o">=</span> <span class="n">authentication</span><span class="o">.</span><span class="na">getAuthorities</span><span class="o">().</span><span class="na">iterator</span><span class="o">().</span><span class="na">next</span><span class="o">().</span><span class="na">getAuthority</span><span class="o">();</span> <span class="n">model</span><span class="o">.</span><span class="na">addAttribute</span><span class="o">(</span><span class="s">"articles"</span><span class="o">,</span> <span class="n">articles</span><span class="o">.</span><span class="na">get</span><span class="o">(</span><span class="n">authority</span><span class="o">));</span> <span class="k">return</span> <span class="s">"home"</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>After completing the configuration, we can visit <a href="http://127.0.0.1:8070/home" rel="noopener noreferrer">http://127.0.0.1:8070/home</a> for testing.</p> <h2> Conclusion </h2> <p>In this article, Spring Security's support for OpenID Connect is shared. As always, the source code used in this article is available <a href="https://github.com/ReLive27/spring-security-oauth2-sample/tree/main/oidc-login" rel="noopener noreferrer">on GitHub</a>.</p> <p>Thanks for reading! 😊</p> java security oauth2 springsecurity Spring Security OAuth2 Login ReLive27 Thu, 09 Mar 2023 14:29:39 +0000 https://dev.to/relive27/spring-security-oauth2-login-51lj https://dev.to/relive27/spring-security-oauth2-login-51lj <h2> Overview </h2> <p><strong>OAuth 2.0 is not an authentication protocol</strong>.<br> What is identity authentication? <strong>Authentication</strong> is the solution to the "Who are you?". Authentication tells the app who the current user is and whether they are using the app.In practice, it may also tell you the user's name, email address, mobile phone number, etc.</p> <p>If an extension to OAuth 2.0. Enables messages from authorization servers and protected resources to convey information about users and their authentication context. We can provide the client with all the information for the user to log in securely.<br> The main advantages of this identity authentication method based on the OAuth 2.0 authorization protocol:</p> <ul> <li>The user performs authentication on the authorization server, the end user's original credentials are not passed to the client application through the OAuth 2.0 protocol.</li> <li>Allows users to enforce consent decisions at runtime.</li> <li>The user can also authorize access to other protected APIs along with his identity information. Through a call, the application can know whether the user is logged in, how to call the user, the user's mobile phone number, email address, etc.</li> </ul> <p>In this article, we will use the OAuth 2.0 authorization code mode to securely pass the authorization service user information and log in to the client application.</p> <p>In this article you will learn:</p> <ul> <li>Build basic authorization service and client service.</li> <li>Customize the authorization server access token and add role information.</li> <li>Custom authorization server user info endpoint.</li> <li>The client service uses <code>GrantedAuthoritiesMapper</code> for authorization mapping.</li> <li>Client service custom <code>OAuth2UserService</code> implements parsing multi-layer Json data.</li> </ul> <h2> OAuth2 Authorization Server 🚀 </h2> <p>In this section we will use <a href="https://spring.io/projects/spring-authorization-server" rel="noopener noreferrer">Spring Authorization Server</a> to build an authorization server.In addition, we will also customize the <em>access_token</em> and custom user information endpoints.</p> <h3> Maven dependencies </h3> <div class="highlight js-code-highlight"> <pre class="highlight xml"><code><span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.springframework.boot<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-boot-starter-security<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>2.6.7<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;/dependency&gt;</span> <span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.springframework.security<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-security-oauth2-authorization-server<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>0.3.1<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;/dependency&gt;</span> <span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.springframework.boot<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-boot-starter-web<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>2.6.7<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;/dependency&gt;</span> </code></pre> </div> <h3> Configuration </h3> <p>First configure the service port 8080 through <code>application.yml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">server</span><span class="pi">:</span> <span class="na">port</span><span class="pi">:</span> <span class="m">8080</span> </code></pre> </div> <p>Next we will create the <code>OAuth2ServerConfig</code> configuration class to define the specific beans needed for the OAuth2 authorization service. First we register an OAuth2 client:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">RegisteredClientRepository</span> <span class="nf">registeredClientRepository</span><span class="o">()</span> <span class="o">{</span> <span class="nc">RegisteredClient</span> <span class="n">registeredClient</span> <span class="o">=</span> <span class="nc">RegisteredClient</span><span class="o">.</span><span class="na">withId</span><span class="o">(</span><span class="no">UUID</span><span class="o">.</span><span class="na">randomUUID</span><span class="o">().</span><span class="na">toString</span><span class="o">())</span> <span class="o">.</span><span class="na">clientId</span><span class="o">(</span><span class="s">"relive-client"</span><span class="o">)</span> <span class="o">.</span><span class="na">clientSecret</span><span class="o">(</span><span class="s">"{noop}relive-client"</span><span class="o">)</span> <span class="o">.</span><span class="na">clientAuthenticationMethods</span><span class="o">(</span><span class="n">s</span> <span class="o">-&gt;</span> <span class="o">{</span> <span class="n">s</span><span class="o">.</span><span class="na">add</span><span class="o">(</span><span class="nc">ClientAuthenticationMethod</span><span class="o">.</span><span class="na">CLIENT_SECRET_POST</span><span class="o">);</span> <span class="n">s</span><span class="o">.</span><span class="na">add</span><span class="o">(</span><span class="nc">ClientAuthenticationMethod</span><span class="o">.</span><span class="na">CLIENT_SECRET_BASIC</span><span class="o">);</span> <span class="o">})</span> <span class="o">.</span><span class="na">authorizationGrantType</span><span class="o">(</span><span class="nc">AuthorizationGrantType</span><span class="o">.</span><span class="na">AUTHORIZATION_CODE</span><span class="o">)</span> <span class="o">.</span><span class="na">authorizationGrantType</span><span class="o">(</span><span class="nc">AuthorizationGrantType</span><span class="o">.</span><span class="na">REFRESH_TOKEN</span><span class="o">)</span> <span class="o">.</span><span class="na">redirectUri</span><span class="o">(</span><span class="s">"http://127.0.0.1:8070/login/oauth2/code/messaging-client-authorization-code"</span><span class="o">)</span> <span class="o">.</span><span class="na">scope</span><span class="o">(</span><span class="nc">OidcScopes</span><span class="o">.</span><span class="na">PROFILE</span><span class="o">)</span> <span class="o">.</span><span class="na">clientSettings</span><span class="o">(</span><span class="nc">ClientSettings</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">requireAuthorizationConsent</span><span class="o">(</span><span class="kc">true</span><span class="o">)</span> <span class="o">.</span><span class="na">requireProofKey</span><span class="o">(</span><span class="kc">false</span><span class="o">)</span> <span class="o">.</span><span class="na">build</span><span class="o">())</span> <span class="o">.</span><span class="na">tokenSettings</span><span class="o">(</span><span class="nc">TokenSettings</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">accessTokenFormat</span><span class="o">(</span><span class="nc">OAuth2TokenFormat</span><span class="o">.</span><span class="na">SELF_CONTAINED</span><span class="o">)</span> <span class="o">.</span><span class="na">idTokenSignatureAlgorithm</span><span class="o">(</span><span class="nc">SignatureAlgorithm</span><span class="o">.</span><span class="na">RS256</span><span class="o">)/</span> <span class="o">.</span><span class="na">accessTokenTimeToLive</span><span class="o">(</span><span class="nc">Duration</span><span class="o">.</span><span class="na">ofSeconds</span><span class="o">(</span><span class="mi">30</span> <span class="o">*</span> <span class="mi">60</span><span class="o">))</span> <span class="o">.</span><span class="na">refreshTokenTimeToLive</span><span class="o">(</span><span class="nc">Duration</span><span class="o">.</span><span class="na">ofSeconds</span><span class="o">(</span><span class="mi">60</span> <span class="o">*</span> <span class="mi">60</span><span class="o">))</span> <span class="o">.</span><span class="na">reuseRefreshTokens</span><span class="o">(</span><span class="kc">true</span><span class="o">)</span> <span class="o">.</span><span class="na">build</span><span class="o">())</span> <span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="k">return</span> <span class="k">new</span> <span class="nf">InMemoryRegisteredClientRepository</span><span class="o">(</span><span class="n">registeredClient</span><span class="o">);</span> <span class="o">}</span> </code></pre> </div> <p>The above stores the OAuth2 client in memory. If you need to use database persistence, please refer to the article <a href="https://dev.to/relive27/using-jwt-with-spring-security-oauth2-41jp">Using JWT with Spring Security OAuth2</a>. Specify the OAuth2 client information as follows:</p> <ul> <li> <strong>clientId</strong>: relive-client</li> <li> <strong>clientSecret</strong>: relive-client</li> <li> <strong>redirectUri</strong>: <a href="http://127.0.0.1:8070/login/oauth2/code/messaging-client-authorization-code" rel="noopener noreferrer">http://127.0.0.1:8070/login/oauth2/code/messaging-client-authorization-code</a> </li> <li> <strong>scope</strong>: profile</li> </ul> <p>Next let's configure other default configurations of the OAuth2 authorization service, and redirect unauthenticated authorization requests to the login page:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@Bean</span> <span class="nd">@Order</span><span class="o">(</span><span class="nc">Ordered</span><span class="o">.</span><span class="na">HIGHEST_PRECEDENCE</span><span class="o">)</span> <span class="kd">public</span> <span class="nc">SecurityFilterChain</span> <span class="nf">authorizationServerSecurityFilterChain</span><span class="o">(</span><span class="nc">HttpSecurity</span> <span class="n">http</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="nc">OAuth2AuthorizationServerConfiguration</span><span class="o">.</span><span class="na">applyDefaultSecurity</span><span class="o">(</span><span class="n">http</span><span class="o">);</span> <span class="k">return</span> <span class="n">http</span> <span class="o">.</span><span class="na">exceptionHandling</span><span class="o">(</span><span class="n">exceptions</span> <span class="o">-&gt;</span> <span class="n">exceptions</span><span class="o">.</span> <span class="nf">authenticationEntryPoint</span><span class="o">(</span><span class="k">new</span> <span class="nc">LoginUrlAuthenticationEntryPoint</span><span class="o">(</span><span class="s">"/login"</span><span class="o">)))</span> <span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> </code></pre> </div> <p>The authorization server token token format uses <a href="https://datatracker.ietf.org/doc/html/rfc7519" rel="noopener noreferrer">JWT RFC 7519</a>, so we need a signing key for the token, let's generate an RSA key:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">JWKSource</span><span class="o">&lt;</span><span class="nc">SecurityContext</span><span class="o">&gt;</span> <span class="nf">jwkSource</span><span class="o">()</span> <span class="o">{</span> <span class="nc">RSAKey</span> <span class="n">rsaKey</span> <span class="o">=</span> <span class="nc">Jwks</span><span class="o">.</span><span class="na">generateRsa</span><span class="o">();</span> <span class="nc">JWKSet</span> <span class="n">jwkSet</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">JWKSet</span><span class="o">(</span><span class="n">rsaKey</span><span class="o">);</span> <span class="k">return</span> <span class="o">(</span><span class="n">jwkSelector</span><span class="o">,</span> <span class="n">securityContext</span><span class="o">)</span> <span class="o">-&gt;</span> <span class="n">jwkSelector</span><span class="o">.</span><span class="na">select</span><span class="o">(</span><span class="n">jwkSet</span><span class="o">);</span> <span class="o">}</span> <span class="kd">static</span> <span class="kd">class</span> <span class="nc">Jwks</span> <span class="o">{</span> <span class="kd">private</span> <span class="nf">Jwks</span><span class="o">()</span> <span class="o">{</span> <span class="o">}</span> <span class="kd">public</span> <span class="kd">static</span> <span class="nc">RSAKey</span> <span class="nf">generateRsa</span><span class="o">()</span> <span class="o">{</span> <span class="nc">KeyPair</span> <span class="n">keyPair</span> <span class="o">=</span> <span class="nc">KeyGeneratorUtils</span><span class="o">.</span><span class="na">generateRsaKey</span><span class="o">();</span> <span class="nc">RSAPublicKey</span> <span class="n">publicKey</span> <span class="o">=</span> <span class="o">(</span><span class="nc">RSAPublicKey</span><span class="o">)</span> <span class="n">keyPair</span><span class="o">.</span><span class="na">getPublic</span><span class="o">();</span> <span class="nc">RSAPrivateKey</span> <span class="n">privateKey</span> <span class="o">=</span> <span class="o">(</span><span class="nc">RSAPrivateKey</span><span class="o">)</span> <span class="n">keyPair</span><span class="o">.</span><span class="na">getPrivate</span><span class="o">();</span> <span class="k">return</span> <span class="k">new</span> <span class="nc">RSAKey</span><span class="o">.</span><span class="na">Builder</span><span class="o">(</span><span class="n">publicKey</span><span class="o">)</span> <span class="o">.</span><span class="na">privateKey</span><span class="o">(</span><span class="n">privateKey</span><span class="o">)</span> <span class="o">.</span><span class="na">keyID</span><span class="o">(</span><span class="no">UUID</span><span class="o">.</span><span class="na">randomUUID</span><span class="o">().</span><span class="na">toString</span><span class="o">())</span> <span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> <span class="o">}</span> <span class="kd">static</span> <span class="kd">class</span> <span class="nc">KeyGeneratorUtils</span> <span class="o">{</span> <span class="kd">private</span> <span class="nf">KeyGeneratorUtils</span><span class="o">()</span> <span class="o">{</span> <span class="o">}</span> <span class="kd">static</span> <span class="nc">KeyPair</span> <span class="nf">generateRsaKey</span><span class="o">()</span> <span class="o">{</span> <span class="nc">KeyPair</span> <span class="n">keyPair</span><span class="o">;</span> <span class="k">try</span> <span class="o">{</span> <span class="nc">KeyPairGenerator</span> <span class="n">keyPairGenerator</span> <span class="o">=</span> <span class="nc">KeyPairGenerator</span><span class="o">.</span><span class="na">getInstance</span><span class="o">(</span><span class="s">"RSA"</span><span class="o">);</span> <span class="n">keyPairGenerator</span><span class="o">.</span><span class="na">initialize</span><span class="o">(</span><span class="mi">2048</span><span class="o">);</span> <span class="n">keyPair</span> <span class="o">=</span> <span class="n">keyPairGenerator</span><span class="o">.</span><span class="na">generateKeyPair</span><span class="o">();</span> <span class="o">}</span> <span class="k">catch</span> <span class="o">(</span><span class="nc">Exception</span> <span class="n">ex</span><span class="o">)</span> <span class="o">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nf">IllegalStateException</span><span class="o">(</span><span class="n">ex</span><span class="o">);</span> <span class="o">}</span> <span class="k">return</span> <span class="n">keyPair</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>Next we will customize the <em>access_token</em> access token and add role information to the token:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@Configuration</span><span class="o">(</span><span class="n">proxyBeanMethods</span> <span class="o">=</span> <span class="kc">false</span><span class="o">)</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">AccessTokenCustomizerConfig</span> <span class="o">{</span> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">OAuth2TokenCustomizer</span><span class="o">&lt;</span><span class="nc">JwtEncodingContext</span><span class="o">&gt;</span> <span class="nf">tokenCustomizer</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="o">(</span><span class="n">context</span><span class="o">)</span> <span class="o">-&gt;</span> <span class="o">{</span> <span class="k">if</span> <span class="o">(</span><span class="nc">OAuth2TokenType</span><span class="o">.</span><span class="na">ACCESS_TOKEN</span><span class="o">.</span><span class="na">equals</span><span class="o">(</span><span class="n">context</span><span class="o">.</span><span class="na">getTokenType</span><span class="o">()))</span> <span class="o">{</span> <span class="n">context</span><span class="o">.</span><span class="na">getClaims</span><span class="o">().</span><span class="na">claims</span><span class="o">(</span><span class="n">claim</span> <span class="o">-&gt;</span> <span class="o">{</span> <span class="n">claim</span><span class="o">.</span><span class="na">put</span><span class="o">(</span><span class="s">"role"</span><span class="o">,</span> <span class="n">context</span><span class="o">.</span><span class="na">getPrincipal</span><span class="o">().</span><span class="na">getAuthorities</span><span class="o">().</span><span class="na">stream</span><span class="o">()</span> <span class="o">.</span><span class="na">map</span><span class="o">(</span><span class="nl">GrantedAuthority:</span><span class="o">:</span><span class="n">getAuthority</span><span class="o">).</span><span class="na">collect</span><span class="o">(</span><span class="nc">Collectors</span><span class="o">.</span><span class="na">toSet</span><span class="o">()));</span> <span class="o">});</span> <span class="o">}</span> <span class="o">};</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>You can see that Spring Security provides us with <code>OAuth2TokenCustomizer</code> for extending token information. We get the current user information from <code>OAuth2TokenContext</code>, and extract the Authorities information from it and add it to the JWT claim.</p> <p>Below we will create a Spring Security configuration class to configure the basic authentication capabilities of the authorization service.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@Configuration</span><span class="o">(</span><span class="n">proxyBeanMethods</span> <span class="o">=</span> <span class="kc">false</span><span class="o">)</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">DefaultSecurityConfig</span> <span class="o">{</span> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">SecurityFilterChain</span> <span class="nf">defaultSecurityFilterChain</span><span class="o">(</span><span class="nc">HttpSecurity</span> <span class="n">http</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="n">http</span><span class="o">.</span><span class="na">authorizeRequests</span><span class="o">()</span> <span class="o">.</span><span class="na">antMatchers</span><span class="o">(</span><span class="s">"/userInfo"</span><span class="o">)</span> <span class="o">.</span><span class="na">access</span><span class="o">(</span><span class="s">"hasAnyAuthority('SCOPE_profile')"</span><span class="o">)</span> <span class="o">.</span><span class="na">mvcMatchers</span><span class="o">(</span><span class="s">"/userInfo"</span><span class="o">)</span> <span class="o">.</span><span class="na">access</span><span class="o">(</span><span class="s">"hasAuthority('SCOPE_profile')"</span><span class="o">)</span> <span class="o">.</span><span class="na">anyRequest</span><span class="o">().</span><span class="na">authenticated</span><span class="o">()</span> <span class="o">.</span><span class="na">and</span><span class="o">()</span> <span class="o">.</span><span class="na">formLogin</span><span class="o">(</span><span class="nc">Customizer</span><span class="o">.</span><span class="na">withDefaults</span><span class="o">())</span> <span class="o">.</span><span class="na">oauth2ResourceServer</span><span class="o">(</span><span class="nl">OAuth2ResourceServerConfigurer:</span><span class="o">:</span><span class="n">jwt</span><span class="o">);</span> <span class="k">return</span> <span class="n">http</span><span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">JwtDecoder</span> <span class="nf">jwtDecoder</span><span class="o">(</span><span class="nc">JWKSource</span><span class="o">&lt;</span><span class="nc">SecurityContext</span><span class="o">&gt;</span> <span class="n">jwkSource</span><span class="o">)</span> <span class="o">{</span> <span class="k">return</span> <span class="nc">OAuth2AuthorizationServerConfiguration</span><span class="o">.</span><span class="na">jwtDecoder</span><span class="o">(</span><span class="n">jwkSource</span><span class="o">);</span> <span class="o">}</span> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">UserDetailsService</span> <span class="nf">users</span><span class="o">()</span> <span class="o">{</span> <span class="nc">UserDetails</span> <span class="n">user</span> <span class="o">=</span> <span class="nc">User</span><span class="o">.</span><span class="na">withDefaultPasswordEncoder</span><span class="o">()</span> <span class="o">.</span><span class="na">username</span><span class="o">(</span><span class="s">"admin"</span><span class="o">)</span> <span class="o">.</span><span class="na">password</span><span class="o">(</span><span class="s">"password"</span><span class="o">)</span> <span class="o">.</span><span class="na">roles</span><span class="o">(</span><span class="s">"ADMIN"</span><span class="o">)</span> <span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="k">return</span> <span class="k">new</span> <span class="nf">InMemoryUserDetailsManager</span><span class="o">(</span><span class="n">user</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>In the above configuration class, we did the following things:</p> <ol> <li>Enable Form authentication method;</li> <li>Configure login username and password;</li> <li>Use <code>oauth2ResourceServer()</code> to configure JWT authentication, and declare <code>JwtDecoder</code>;</li> <li>Protecting the /userInfo endpoint requires <em>profile</em> permissions for access;</li> </ol> <p>At this point, we also need to create a Controller class to provide the OAuth2 client service to obtain user information:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@RestController</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">UserInfoController</span> <span class="o">{</span> <span class="nd">@PostMapping</span><span class="o">(</span><span class="s">"/userInfo"</span><span class="o">)</span> <span class="kd">public</span> <span class="nc">Map</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">,</span> <span class="nc">Object</span><span class="o">&gt;</span> <span class="nf">getUserInfo</span><span class="o">(</span><span class="nd">@AuthenticationPrincipal</span> <span class="nc">Jwt</span> <span class="n">jwt</span><span class="o">)</span> <span class="o">{</span> <span class="k">return</span> <span class="nc">Collections</span><span class="o">.</span><span class="na">singletonMap</span><span class="o">(</span><span class="s">"data"</span><span class="o">,</span> <span class="n">jwt</span><span class="o">.</span><span class="na">getClaims</span><span class="o">());</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>We return user information in JSON format:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"data"</span><span class="p">:{</span><span class="w"> </span><span class="nl">"sub"</span><span class="p">:</span><span class="s2">"admin"</span><span class="w"> </span><span class="err">...</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> OAuth2 Client Service 🚀 </h2> <p>This section will use Spring Security to configure OAuth2 client login. And we will use <code>GrantedAuthoritiesMapper</code> to map authority information. And we will create <code>DefaultJsonOAuth2UserService</code> for parsing multi-layer JSON user information data.</p> <h3> Maven dependencies </h3> <div class="highlight js-code-highlight"> <pre class="highlight xml"><code><span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.springframework.boot<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-boot-starter-web<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>2.6.7<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;/dependency&gt;</span> <span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.springframework.boot<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-boot-starter-security<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>2.6.7<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;/dependency&gt;</span> <span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.springframework.boot<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-boot-starter-oauth2-client<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>2.6.7<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;/dependency&gt;</span> <span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.springframework.boot<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-boot-starter-thymeleaf<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>2.6.7<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;/dependency&gt;</span> </code></pre> </div> <h3> Configuration </h3> <p>First, we specify the client service port number 8070, and configure the OAuth2 client related information. The client information needs to be consistent with the authorization server registration information.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">server</span><span class="pi">:</span> <span class="na">port</span><span class="pi">:</span> <span class="m">8070</span> <span class="na">servlet</span><span class="pi">:</span> <span class="na">session</span><span class="pi">:</span> <span class="na">cookie</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">CLIENT-SESSION</span> <span class="na">spring</span><span class="pi">:</span> <span class="na">security</span><span class="pi">:</span> <span class="na">oauth2</span><span class="pi">:</span> <span class="na">client</span><span class="pi">:</span> <span class="na">registration</span><span class="pi">:</span> <span class="na">messaging-client-authorization-code</span><span class="pi">:</span> <span class="na">provider</span><span class="pi">:</span> <span class="s">client-provider</span> <span class="na">client-id</span><span class="pi">:</span> <span class="s">relive-client</span> <span class="na">client-secret</span><span class="pi">:</span> <span class="s">relive-client</span> <span class="na">authorization-grant-type</span><span class="pi">:</span> <span class="s">authorization_code</span> <span class="na">redirect-uri</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{baseUrl}/login/oauth2/code/{registrationId}"</span> <span class="na">scope</span><span class="pi">:</span> <span class="s">profile</span> <span class="na">client-name</span><span class="pi">:</span> <span class="s">messaging-client-authorization-code</span> <span class="na">provider</span><span class="pi">:</span> <span class="na">client-provider</span><span class="pi">:</span> <span class="na">authorization-uri</span><span class="pi">:</span> <span class="s">http://127.0.0.1:8080/oauth2/authorize</span> <span class="na">token-uri</span><span class="pi">:</span> <span class="s">http://127.0.0.1:8080/oauth2/token</span> <span class="na">user-info-uri</span><span class="pi">:</span> <span class="s">http://127.0.0.1:8080/userInfo</span> <span class="na">user-name-attribute</span><span class="pi">:</span> <span class="s">data.sub</span> <span class="na">user-info-authentication-method</span><span class="pi">:</span> <span class="s">form</span> </code></pre> </div> <p>Next, configure Spring Security related beans. We first enable Form form authentication and OAuth2 login capabilities. Here we specify to redirect to the /home path after successful authentication.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@Bean</span> <span class="nc">SecurityFilterChain</span> <span class="nf">securityFilterChain</span><span class="o">(</span><span class="nc">HttpSecurity</span> <span class="n">http</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="n">http</span><span class="o">.</span><span class="na">authorizeHttpRequests</span><span class="o">()</span> <span class="o">.</span><span class="na">anyRequest</span><span class="o">()</span> <span class="o">.</span><span class="na">authenticated</span><span class="o">()</span> <span class="o">.</span><span class="na">and</span><span class="o">()</span> <span class="o">.</span><span class="na">formLogin</span><span class="o">(</span><span class="n">from</span> <span class="o">-&gt;</span> <span class="o">{</span> <span class="n">from</span><span class="o">.</span><span class="na">defaultSuccessUrl</span><span class="o">(</span><span class="s">"/home"</span><span class="o">);</span> <span class="o">})</span> <span class="o">.</span><span class="na">oauth2Login</span><span class="o">(</span><span class="nc">Customizer</span><span class="o">.</span><span class="na">withDefaults</span><span class="o">())</span> <span class="o">.</span><span class="na">csrf</span><span class="o">().</span><span class="na">disable</span><span class="o">();</span> <span class="k">return</span> <span class="n">http</span><span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> </code></pre> </div> <p>Below we use <code>GrantedAuthoritiesMapper</code> to map user permissions:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@Bean</span> <span class="nc">GrantedAuthoritiesMapper</span> <span class="nf">userAuthoritiesMapper</span><span class="o">()</span> <span class="o">{</span> <span class="c1">//Role mapping relationship, authorization server ADMIN role corresponds to client OPERATION role</span> <span class="nc">Map</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">,</span> <span class="nc">String</span><span class="o">&gt;</span> <span class="n">roleMapping</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">HashMap</span><span class="o">&lt;&gt;();</span> <span class="n">roleMapping</span><span class="o">.</span><span class="na">put</span><span class="o">(</span><span class="s">"ROLE_ADMIN"</span><span class="o">,</span> <span class="s">"ROLE_OPERATION"</span><span class="o">);</span> <span class="k">return</span> <span class="o">(</span><span class="n">authorities</span><span class="o">)</span> <span class="o">-&gt;</span> <span class="o">{</span> <span class="nc">Set</span><span class="o">&lt;</span><span class="nc">GrantedAuthority</span><span class="o">&gt;</span> <span class="n">mappedAuthorities</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">HashSet</span><span class="o">&lt;&gt;();</span> <span class="n">authorities</span><span class="o">.</span><span class="na">forEach</span><span class="o">(</span><span class="n">authority</span> <span class="o">-&gt;</span> <span class="o">{</span> <span class="k">if</span> <span class="o">(</span><span class="nc">OAuth2UserAuthority</span><span class="o">.</span><span class="na">class</span><span class="o">.</span><span class="na">isInstance</span><span class="o">(</span><span class="n">authority</span><span class="o">))</span> <span class="o">{</span> <span class="nc">OAuth2UserAuthority</span> <span class="n">oauth2UserAuthority</span> <span class="o">=</span> <span class="o">(</span><span class="nc">OAuth2UserAuthority</span><span class="o">)</span> <span class="n">authority</span><span class="o">;</span> <span class="nc">Map</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">,</span> <span class="nc">Object</span><span class="o">&gt;</span> <span class="n">userAttributes</span> <span class="o">=</span> <span class="n">oauth2UserAuthority</span><span class="o">.</span><span class="na">getAttributes</span><span class="o">();</span> <span class="nc">List</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">&gt;</span> <span class="n">role</span> <span class="o">=</span> <span class="o">(</span><span class="nc">List</span><span class="o">)</span> <span class="n">userAttributes</span><span class="o">.</span><span class="na">get</span><span class="o">(</span><span class="s">"role"</span><span class="o">);</span> <span class="n">role</span><span class="o">.</span><span class="na">stream</span><span class="o">().</span><span class="na">map</span><span class="o">(</span><span class="nl">roleMapping:</span><span class="o">:</span><span class="n">get</span><span class="o">)</span> <span class="o">.</span><span class="na">filter</span><span class="o">(</span><span class="nl">StringUtils:</span><span class="o">:</span><span class="n">hasText</span><span class="o">)</span> <span class="o">.</span><span class="na">map</span><span class="o">(</span><span class="nl">SimpleGrantedAuthority:</span><span class="o">:</span><span class="k">new</span><span class="o">)</span> <span class="o">.</span><span class="na">forEach</span><span class="o">(</span><span class="nl">mappedAuthorities:</span><span class="o">:</span><span class="n">add</span><span class="o">);</span> <span class="o">}</span> <span class="o">});</span> <span class="k">return</span> <span class="n">mappedAuthorities</span><span class="o">;</span> <span class="o">};</span> <span class="o">}</span> </code></pre> </div> <p>The above maps the OAuth2 authorization service <strong>ADMIN</strong> role to the client service <strong>OPERATION</strong> role. Of course, you can also expand to database operations, so you need to maintain the authorization service role and client service role mapping table, which will not be expanded here.</p> <p><code>GrantedAuthoritiesMapper</code> is used as an authority mapper in OAuth2 login, CAS login, SAML and LDAP.</p> <p>The source code of <code>GrantedAuthoritiesMapper</code> in <code>OAuth2LoginAuthenticationProvider</code> is as follows:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@Override</span> <span class="kd">public</span> <span class="nc">Authentication</span> <span class="nf">authenticate</span><span class="o">(</span><span class="nc">Authentication</span> <span class="n">authentication</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">AuthenticationException</span> <span class="o">{</span> <span class="nc">OAuth2LoginAuthenticationToken</span> <span class="n">loginAuthenticationToken</span> <span class="o">=</span> <span class="o">(</span><span class="nc">OAuth2LoginAuthenticationToken</span><span class="o">)</span> <span class="n">authentication</span><span class="o">;</span> <span class="c1">//...</span> <span class="cm">/* map authorities */</span> <span class="nc">Collection</span><span class="o">&lt;?</span> <span class="kd">extends</span> <span class="nc">GrantedAuthority</span><span class="o">&gt;</span> <span class="n">mappedAuthorities</span> <span class="o">=</span> <span class="k">this</span><span class="o">.</span><span class="na">authoritiesMapper</span> <span class="o">.</span><span class="na">mapAuthorities</span><span class="o">(</span><span class="n">oauth2User</span><span class="o">.</span><span class="na">getAuthorities</span><span class="o">());</span> <span class="cm">/* map authorities */</span> <span class="nc">OAuth2LoginAuthenticationToken</span> <span class="n">authenticationResult</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">OAuth2LoginAuthenticationToken</span><span class="o">(</span> <span class="n">loginAuthenticationToken</span><span class="o">.</span><span class="na">getClientRegistration</span><span class="o">(),</span> <span class="n">loginAuthenticationToken</span><span class="o">.</span><span class="na">getAuthorizationExchange</span><span class="o">(),</span> <span class="n">oauth2User</span><span class="o">,</span> <span class="n">mappedAuthorities</span><span class="o">,</span> <span class="n">accessToken</span><span class="o">,</span> <span class="n">authorizationCodeAuthenticationToken</span><span class="o">.</span><span class="na">getRefreshToken</span><span class="o">());</span> <span class="n">authenticationResult</span><span class="o">.</span><span class="na">setDetails</span><span class="o">(</span><span class="n">loginAuthenticationToken</span><span class="o">.</span><span class="na">getDetails</span><span class="o">());</span> <span class="k">return</span> <span class="n">authenticationResult</span><span class="o">;</span> <span class="o">}</span> </code></pre> </div> <p>So when we custom implement <code>GrantedAuthoritiesMapper</code>. After successful OAuth2 login, store the mapped permission information in the authentication information <code>OAuth2LoginAuthenticationToken</code>.</p> <p>Next will implement the <code>OAuth2UserService</code> custom <code>DefaultJsonOAuth2UserService</code> class. Of course Spring Security provides <code>DefaultOAuth2UserService</code>, so why not use it? The reason is simple. First, let us review the format of the authorization server returning user information:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"data"</span><span class="p">:{</span><span class="w"> </span><span class="nl">"sub"</span><span class="p">:</span><span class="s2">"admin"</span><span class="w"> </span><span class="err">...</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>The user information is nested in the <code>data</code> field, and the <code>DefaultOAuth2UserService</code> does not process this format when processing the user information response. The following is a snippet of the <code>DefaultOAuth2UserService</code> source code:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kd">public</span> <span class="nc">OAuth2User</span> <span class="nf">loadUser</span><span class="o">(</span><span class="nc">OAuth2UserRequest</span> <span class="n">userRequest</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">OAuth2AuthenticationException</span> <span class="o">{</span> <span class="nc">Assert</span><span class="o">.</span><span class="na">notNull</span><span class="o">(</span><span class="n">userRequest</span><span class="o">,</span> <span class="s">"userRequest cannot be null"</span><span class="o">);</span> <span class="k">if</span> <span class="o">(!</span><span class="nc">StringUtils</span><span class="o">.</span><span class="na">hasText</span><span class="o">(</span><span class="n">userRequest</span><span class="o">.</span><span class="na">getClientRegistration</span><span class="o">().</span><span class="na">getProviderDetails</span><span class="o">().</span><span class="na">getUserInfoEndpoint</span><span class="o">().</span><span class="na">getUri</span><span class="o">()))</span> <span class="o">{</span> <span class="nc">OAuth2Error</span> <span class="n">oauth2Error</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">OAuth2Error</span><span class="o">(</span><span class="s">"missing_user_info_uri"</span><span class="o">,</span> <span class="s">"Missing required UserInfo Uri in UserInfoEndpoint for Client Registration: "</span> <span class="o">+</span> <span class="n">userRequest</span><span class="o">.</span><span class="na">getClientRegistration</span><span class="o">().</span><span class="na">getRegistrationId</span><span class="o">(),</span> <span class="o">(</span><span class="nc">String</span><span class="o">)</span><span class="kc">null</span><span class="o">);</span> <span class="k">throw</span> <span class="k">new</span> <span class="nf">OAuth2AuthenticationException</span><span class="o">(</span><span class="n">oauth2Error</span><span class="o">,</span> <span class="n">oauth2Error</span><span class="o">.</span><span class="na">toString</span><span class="o">());</span> <span class="o">}</span> <span class="k">else</span> <span class="o">{</span> <span class="nc">String</span> <span class="n">userNameAttributeName</span> <span class="o">=</span> <span class="n">userRequest</span><span class="o">.</span><span class="na">getClientRegistration</span><span class="o">().</span><span class="na">getProviderDetails</span><span class="o">().</span><span class="na">getUserInfoEndpoint</span><span class="o">().</span><span class="na">getUserNameAttributeName</span><span class="o">();</span> <span class="k">if</span> <span class="o">(!</span><span class="nc">StringUtils</span><span class="o">.</span><span class="na">hasText</span><span class="o">(</span><span class="n">userNameAttributeName</span><span class="o">))</span> <span class="o">{</span> <span class="nc">OAuth2Error</span> <span class="n">oauth2Error</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">OAuth2Error</span><span class="o">(</span><span class="s">"missing_user_name_attribute"</span><span class="o">,</span> <span class="s">"Missing required \"user name\" attribute name in UserInfoEndpoint for Client Registration: "</span> <span class="o">+</span> <span class="n">userRequest</span><span class="o">.</span><span class="na">getClientRegistration</span><span class="o">().</span><span class="na">getRegistrationId</span><span class="o">(),</span> <span class="o">(</span><span class="nc">String</span><span class="o">)</span><span class="kc">null</span><span class="o">);</span> <span class="k">throw</span> <span class="k">new</span> <span class="nf">OAuth2AuthenticationException</span><span class="o">(</span><span class="n">oauth2Error</span><span class="o">,</span> <span class="n">oauth2Error</span><span class="o">.</span><span class="na">toString</span><span class="o">());</span> <span class="o">}</span> <span class="k">else</span> <span class="o">{</span> <span class="nc">RequestEntity</span><span class="o">&lt;?&gt;</span> <span class="n">request</span> <span class="o">=</span> <span class="o">(</span><span class="nc">RequestEntity</span><span class="o">)</span><span class="k">this</span><span class="o">.</span><span class="na">requestEntityConverter</span><span class="o">.</span><span class="na">convert</span><span class="o">(</span><span class="n">userRequest</span><span class="o">);</span> <span class="cm">/* Get user information */</span> <span class="nc">ResponseEntity</span><span class="o">&lt;</span><span class="nc">Map</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">,</span> <span class="nc">Object</span><span class="o">&gt;&gt;</span> <span class="n">response</span> <span class="o">=</span> <span class="k">this</span><span class="o">.</span><span class="na">getResponse</span><span class="o">(</span><span class="n">userRequest</span><span class="o">,</span> <span class="n">request</span><span class="o">);</span> <span class="c1">//Get the response body information directly here. By default, this userAttributes contains relevant user information, and does not parse multi-layer JSON</span> <span class="nc">Map</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">,</span> <span class="nc">Object</span><span class="o">&gt;</span> <span class="n">userAttributes</span> <span class="o">=</span> <span class="o">(</span><span class="nc">Map</span><span class="o">)</span><span class="n">response</span><span class="o">.</span><span class="na">getBody</span><span class="o">();</span> <span class="cm">/* Get user information */</span> <span class="nc">Set</span><span class="o">&lt;</span><span class="nc">GrantedAuthority</span><span class="o">&gt;</span> <span class="n">authorities</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">LinkedHashSet</span><span class="o">();</span> <span class="n">authorities</span><span class="o">.</span><span class="na">add</span><span class="o">(</span><span class="k">new</span> <span class="nc">OAuth2UserAuthority</span><span class="o">(</span><span class="n">userAttributes</span><span class="o">));</span> <span class="nc">OAuth2AccessToken</span> <span class="n">token</span> <span class="o">=</span> <span class="n">userRequest</span><span class="o">.</span><span class="na">getAccessToken</span><span class="o">();</span> <span class="nc">Iterator</span> <span class="n">var8</span> <span class="o">=</span> <span class="n">token</span><span class="o">.</span><span class="na">getScopes</span><span class="o">().</span><span class="na">iterator</span><span class="o">();</span> <span class="k">while</span><span class="o">(</span><span class="n">var8</span><span class="o">.</span><span class="na">hasNext</span><span class="o">())</span> <span class="o">{</span> <span class="nc">String</span> <span class="n">authority</span> <span class="o">=</span> <span class="o">(</span><span class="nc">String</span><span class="o">)</span><span class="n">var8</span><span class="o">.</span><span class="na">next</span><span class="o">();</span> <span class="n">authorities</span><span class="o">.</span><span class="na">add</span><span class="o">(</span><span class="k">new</span> <span class="nc">SimpleGrantedAuthority</span><span class="o">(</span><span class="s">"SCOPE_"</span> <span class="o">+</span> <span class="n">authority</span><span class="o">));</span> <span class="o">}</span> <span class="k">return</span> <span class="k">new</span> <span class="nf">DefaultOAuth2User</span><span class="o">(</span><span class="n">authorities</span><span class="o">,</span> <span class="n">userAttributes</span><span class="o">,</span> <span class="n">userNameAttributeName</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>When the <code>DefaultOAuth2User</code> is finally created, you will get the following error message:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Missing attribute 'sub' in attributes </code></pre> </div> <p>Below we use userNameAttributeName with "." as the separator. Extract user information to achieve. The following is the key code:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kd">public</span> <span class="kd">class</span> <span class="nc">DefaultJsonOAuth2UserService</span> <span class="kd">implements</span> <span class="nc">OAuth2UserService</span><span class="o">&lt;</span><span class="nc">OAuth2UserRequest</span><span class="o">,</span> <span class="nc">OAuth2User</span><span class="o">&gt;</span> <span class="o">{</span> <span class="c1">//...</span> <span class="nd">@Override</span> <span class="kd">public</span> <span class="nc">OAuth2User</span> <span class="nf">loadUser</span><span class="o">(</span><span class="nc">OAuth2UserRequest</span> <span class="n">userRequest</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">OAuth2AuthenticationException</span> <span class="o">{</span> <span class="c1">//...</span> <span class="nc">RequestEntity</span><span class="o">&lt;?&gt;</span> <span class="n">request</span> <span class="o">=</span> <span class="k">this</span><span class="o">.</span><span class="na">requestEntityConverter</span><span class="o">.</span><span class="na">convert</span><span class="o">(</span><span class="n">userRequest</span><span class="o">);</span> <span class="nc">ResponseEntity</span><span class="o">&lt;</span><span class="nc">JsonNode</span><span class="o">&gt;</span> <span class="n">response</span> <span class="o">=</span> <span class="n">getResponse</span><span class="o">(</span><span class="n">userRequest</span><span class="o">,</span> <span class="n">request</span><span class="o">);</span> <span class="nc">JsonNode</span> <span class="n">responseBody</span> <span class="o">=</span> <span class="n">response</span><span class="o">.</span><span class="na">getBody</span><span class="o">();</span> <span class="c1">//Multi-layer JSON extracts user information attributes</span> <span class="nc">Map</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">,</span> <span class="nc">Object</span><span class="o">&gt;</span> <span class="n">userAttributes</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">HashMap</span><span class="o">&lt;&gt;();</span> <span class="k">if</span> <span class="o">(</span><span class="n">userNameAttributeName</span><span class="o">.</span><span class="na">contains</span><span class="o">(</span><span class="s">"."</span><span class="o">))</span> <span class="o">{</span> <span class="nc">String</span> <span class="n">firstNodePath</span> <span class="o">=</span> <span class="n">userNameAttributeName</span><span class="o">.</span><span class="na">substring</span><span class="o">(</span><span class="mi">0</span><span class="o">,</span> <span class="n">userNameAttributeName</span><span class="o">.</span><span class="na">lastIndexOf</span><span class="o">(</span><span class="s">"."</span><span class="o">));</span> <span class="n">userAttributes</span> <span class="o">=</span> <span class="k">this</span><span class="o">.</span><span class="na">extractUserAttribute</span><span class="o">(</span><span class="n">responseBody</span><span class="o">,</span> <span class="n">firstNodePath</span><span class="o">);</span> <span class="n">userNameAttributeName</span> <span class="o">=</span> <span class="n">userNameAttributeName</span><span class="o">.</span><span class="na">substring</span><span class="o">(</span><span class="n">firstNodePath</span><span class="o">.</span><span class="na">length</span><span class="o">()</span> <span class="o">+</span> <span class="mi">1</span><span class="o">);</span> <span class="o">}</span> <span class="k">else</span> <span class="o">{</span> <span class="n">userAttributes</span> <span class="o">=</span> <span class="nc">JsonHelper</span><span class="o">.</span><span class="na">parseMap</span><span class="o">(</span><span class="n">responseBody</span><span class="o">.</span><span class="na">toString</span><span class="o">());</span> <span class="o">}</span> <span class="c1">//...</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>Finally, we create the Controller class and use the <a href="https://www.thymeleaf.org/" rel="noopener noreferrer">thymeleaf</a> template engine to build the home page information. Different permission information sees different results in the home page list.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@Controller</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">HomeController</span> <span class="o">{</span> <span class="kd">private</span> <span class="kd">static</span> <span class="nc">Map</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">,</span> <span class="nc">List</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">&gt;&gt;</span> <span class="n">articles</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">HashMap</span><span class="o">&lt;&gt;();</span> <span class="kd">static</span> <span class="o">{</span> <span class="n">articles</span><span class="o">.</span><span class="na">put</span><span class="o">(</span><span class="s">"ROLE_OPERATION"</span><span class="o">,</span> <span class="nc">Arrays</span><span class="o">.</span><span class="na">asList</span><span class="o">(</span><span class="s">"Java"</span><span class="o">));</span> <span class="n">articles</span><span class="o">.</span><span class="na">put</span><span class="o">(</span><span class="s">"ROLE_SYSTEM"</span><span class="o">,</span> <span class="nc">Arrays</span><span class="o">.</span><span class="na">asList</span><span class="o">(</span><span class="s">"Java"</span><span class="o">,</span> <span class="s">"Python"</span><span class="o">,</span> <span class="s">"C++"</span><span class="o">));</span> <span class="o">}</span> <span class="nd">@GetMapping</span><span class="o">(</span><span class="s">"/home"</span><span class="o">)</span> <span class="kd">public</span> <span class="nc">String</span> <span class="nf">home</span><span class="o">(</span><span class="nc">Authentication</span> <span class="n">authentication</span><span class="o">,</span> <span class="nc">Model</span> <span class="n">model</span><span class="o">)</span> <span class="o">{</span> <span class="nc">String</span> <span class="n">authority</span> <span class="o">=</span> <span class="n">authentication</span><span class="o">.</span><span class="na">getAuthorities</span><span class="o">().</span><span class="na">iterator</span><span class="o">().</span><span class="na">next</span><span class="o">().</span><span class="na">getAuthority</span><span class="o">();</span> <span class="n">model</span><span class="o">.</span><span class="na">addAttribute</span><span class="o">(</span><span class="s">"articles"</span><span class="o">,</span> <span class="n">articles</span><span class="o">.</span><span class="na">get</span><span class="o">(</span><span class="n">authority</span><span class="o">));</span> <span class="k">return</span> <span class="s">"home"</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <h2> Test </h2> <p>After we start the service, visit <a href="http://127.0.0.1:8070/login" rel="noopener noreferrer">http://127.0.0.1:8070/login</a>. After successful login with username, you will see:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fi5jn0vvzssu7uvx2mivf.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fi5jn0vvzssu7uvx2mivf.png" alt="Image description"></a></p> <p>We log out, and log in with OAuth2, you will see different information:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqla0qo6ba55v6rkd5bt8.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqla0qo6ba55v6rkd5bt8.png" alt="Image description"></a></p> <h2> Conclusion </h2> <p>It is feasible for us to use the OAuth2.0 authorization protocol to build identity authentication proofs. But we cannot ignore the pitfalls in between.</p> <ol> <li>The token itself does not convey information about the authentication event. Tokens may be issued directly to clients, using the OAuth 2.0 Client Credentials model without user interaction.</li> <li>No client can get information about the user and his login status from the <em>access_token</em>. OAuth 2.0 <em>access_token</em> are intended for resource servers.(In this article, we use the JWT <em>access_token</em> to enable the client service to obtain information such as user permissions by customizing the <em>access_token</em> information. However, the OAuth2.0 protocol does not define the <em>access_token</em> format. We only use the characteristics of JWT to make it happen.)</li> <li>The client can present the <em>access_token</em> to the resource service to obtain user information. So it's easy to think that just having a valid <em>access_token</em> proves that the user is logged in, and this line of thinking is only true in some cases. For example, when a user completes identity authentication on an authorization server and immediately generates an <em>access_token</em>.(Because the <em>access_token</em> validity period may be much longer than the authentication session validity period.)</li> <li>The biggest problem with the user information API in the OAuth2.0 protocol is that different identity providers may have different user information APIs. A user's unique identifier may be "user_id" or "sub".</li> </ol> <p>So we need a unified OAuth2.0 standard identity authentication protocol. OpenID Connect is an open standard that defines an interoperable way to perform user authentication using OAuth 2.0. This will be covered in a follow-up article.</p> <p>As always, the source code used in this article is available on <a href="https://github.com/ReLive27/spring-security-oauth2-sample/tree/main/oauth2-login" rel="noopener noreferrer">GitHub</a>.</p> <p>Thanks for reading! 😘</p> java security oauth2 springsecurity Authorization Code Flow with Proof Key for Code Exchange (PKCE) ReLive27 Fri, 03 Mar 2023 01:25:38 +0000 https://dev.to/relive27/authorization-code-flow-with-proof-key-for-code-exchange-pkce-4h22 https://dev.to/relive27/authorization-code-flow-with-proof-key-for-code-exchange-pkce-4h22 <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffs7nxrnoz87989d2hlzm.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffs7nxrnoz87989d2hlzm.png" alt=" " width="800" height="582"></a></p> <h2> Overview </h2> <p>OAuth2 divides clients into two types according to whether they can hold the client key: <strong>public clients</strong> and <strong>confidential clients</strong>.</p> <p>The <strong>confidential client</strong> runs on the server, and the application created by Spring Boot in the previous OAuth2 article is an example of a confidential client type. First, they run on servers, often behind firewalls or gateways with other protections.</p> <p>The code of the <strong>public client</strong> is generally exposed to the end user in some form, either downloaded and executed in the browser, or directly run on the user's device. For example, a <strong>native application</strong> is an application that runs directly on the end user's device (computer or mobile device). When this type of application uses the OAuth2 protocol, we cannot guarantee that the client key issued for this application can be stored securely, because these applications will be fully downloaded to the device before running, and decompiling the application will fully reveal the client key.</p> <p>The same security issue exists with <strong>single page applications</strong> (SPA), the browser itself is an insecure environment, once you load a JavaScript application, the browser will download the entire source code in order to run it, the entire source code, including the Any client secrets will be visible. If you build an application with 100,000 users, chances are that some of those users will get malware or a virus and leak client keys.</p> <p>You might be thinking, "What if I obfuscate the client key by splitting it into parts?" This will undeniably buy you some time, but a really determined person might still figure it out.</p> <p>To circumvent this security risk, it is best to use Proof Key for Code Exchange (PKCE).</p> <h2> Proof Key for Code Exchange </h2> <p>PKCE has its own independent <a href="https://tools.ietf.org/html/rfc7636" rel="noopener noreferrer">specification</a>. It enables applications to use the authorization code flow in public clients.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fshr29bqgcvargi5e70n6.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fshr29bqgcvargi5e70n6.png" alt=" " width="800" height="690"></a></p> <ol> <li>A user requests a resource on the client side.</li> <li>The client creates and records the secret information named code_verifier, and then the client calculates code_challenge based on code_verifier. Its value can be code_verifier or the SHA-256 hash of code_verifier, but cryptographic hashing should be preferred,because it prevents the authenticator itself from being intercepted.</li> <li>The client sends the code_challenge and optional code_challenge_method (a keyword representing the original text or SHA-256 hash) to the authorization server along with the normal authorization request parameters.</li> <li>The authorization server redirects the user to the login page.</li> <li>The user is authenticated and may see a consent page listing the permissions the authorization server will grant to the client.</li> <li>The authorization server records the code_challenge and code_challenge_method (if any). The authorization server will associate this information with the issued authorization code, and redirect back to the client with the code.</li> <li>After receiving the authorization code, the client carries the previously generated code_verifier to execute the token request.</li> <li>The authorization server calculates the code_challenge based on the code_verifier and checks whether it is consistent with the originally submitted code_challenge.</li> <li>Authorization server sends token to client.</li> <li>The client requests the protected resource using the token.</li> <li>A protected resource returns a resource to the client.</li> </ol> <blockquote> <p>💡 Note: If you don’t want to read till the end, you can view the <a href="https://github.com/ReLive27/spring-security-oauth2-sample/tree/main/oauth2-pkce" rel="noopener noreferrer">source code</a> here.Don’t forget to give a star to the project if you like it!</p> </blockquote> <h2> Use Spring Authorization Server to build an authorization server 🚀 </h2> <p>In this section, we will use <a href="https://spring.io/projects/spring-authorization-server" rel="noopener noreferrer">Spring Authorization Server</a> to build an authorization server and register a client to support PKCE.</p> <h3> Maven </h3> <div class="highlight js-code-highlight"> <pre class="highlight xml"><code><span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.springframework.boot<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-boot-starter-security<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>2.6.7<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;/dependency&gt;</span> <span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.springframework.security<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-security-oauth2-authorization-server<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>0.3.1<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;/dependency&gt;</span> <span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.springframework.boot<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-boot-starter-web<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>2.6.7<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;/dependency&gt;</span> </code></pre> </div> <h3> Configuration </h3> <p>The first is very simple, we will create the <code>application.yml</code> file and specify the authorization server port as 8080:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">server</span><span class="pi">:</span> <span class="na">port</span><span class="pi">:</span> <span class="m">8080</span> </code></pre> </div> <p>Afterwards we will create an <code>OAuth2ServerConfig</code> configuration class, and within this class we will create the specific beans required for the OAuth2 authorization service:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@Bean</span> <span class="nd">@Order</span><span class="o">(</span><span class="nc">Ordered</span><span class="o">.</span><span class="na">HIGHEST_PRECEDENCE</span><span class="o">)</span> <span class="kd">public</span> <span class="nc">SecurityFilterChain</span> <span class="nf">authorizationServerSecurityFilterChain</span><span class="o">(</span><span class="nc">HttpSecurity</span> <span class="n">http</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="nc">OAuth2AuthorizationServerConfiguration</span><span class="o">.</span><span class="na">applyDefaultSecurity</span><span class="o">(</span><span class="n">http</span><span class="o">);</span> <span class="k">return</span> <span class="n">http</span><span class="o">.</span><span class="na">exceptionHandling</span><span class="o">(</span><span class="n">exceptions</span> <span class="o">-&gt;</span> <span class="n">exceptions</span><span class="o">.</span> <span class="nf">authenticationEntryPoint</span><span class="o">(</span><span class="k">new</span> <span class="nc">LoginUrlAuthenticationEntryPoint</span><span class="o">(</span><span class="s">"/login"</span><span class="o">))).</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">RegisteredClientRepository</span> <span class="nf">registeredClientRepository</span><span class="o">()</span> <span class="o">{</span> <span class="nc">RegisteredClient</span> <span class="n">registeredClient</span> <span class="o">=</span> <span class="nc">RegisteredClient</span><span class="o">.</span><span class="na">withId</span><span class="o">(</span><span class="no">UUID</span><span class="o">.</span><span class="na">randomUUID</span><span class="o">().</span><span class="na">toString</span><span class="o">())</span> <span class="o">.</span><span class="na">clientId</span><span class="o">(</span><span class="s">"relive-client"</span><span class="o">)</span> <span class="o">.</span><span class="na">clientAuthenticationMethods</span><span class="o">(</span><span class="n">s</span> <span class="o">-&gt;</span> <span class="o">{</span> <span class="n">s</span><span class="o">.</span><span class="na">add</span><span class="o">(</span><span class="nc">ClientAuthenticationMethod</span><span class="o">.</span><span class="na">NONE</span><span class="o">);</span><span class="c1">//Client authentication mode is none</span> <span class="o">})</span> <span class="o">.</span><span class="na">authorizationGrantType</span><span class="o">(</span><span class="nc">AuthorizationGrantType</span><span class="o">.</span><span class="na">AUTHORIZATION_CODE</span><span class="o">)</span> <span class="o">.</span><span class="na">redirectUri</span><span class="o">(</span><span class="s">"http://127.0.0.1:8070/login/oauth2/code/messaging-client-pkce"</span><span class="o">)</span> <span class="o">.</span><span class="na">scope</span><span class="o">(</span><span class="s">"message.read"</span><span class="o">)</span> <span class="o">.</span><span class="na">clientSettings</span><span class="o">(</span><span class="nc">ClientSettings</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">requireAuthorizationConsent</span><span class="o">(</span><span class="kc">true</span><span class="o">)</span> <span class="o">.</span><span class="na">requireProofKey</span><span class="o">(</span><span class="kc">true</span><span class="o">)</span> <span class="c1">//Only PKCE is supported</span> <span class="o">.</span><span class="na">build</span><span class="o">())</span> <span class="o">.</span><span class="na">tokenSettings</span><span class="o">(</span><span class="nc">TokenSettings</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">accessTokenFormat</span><span class="o">(</span><span class="nc">OAuth2TokenFormat</span><span class="o">.</span><span class="na">SELF_CONTAINED</span><span class="o">)</span> <span class="c1">// Generate JWT token</span> <span class="o">.</span><span class="na">idTokenSignatureAlgorithm</span><span class="o">(</span><span class="nc">SignatureAlgorithm</span><span class="o">.</span><span class="na">RS256</span><span class="o">)</span> <span class="o">.</span><span class="na">accessTokenTimeToLive</span><span class="o">(</span><span class="nc">Duration</span><span class="o">.</span><span class="na">ofSeconds</span><span class="o">(</span><span class="mi">30</span> <span class="o">*</span> <span class="mi">60</span><span class="o">))</span> <span class="o">.</span><span class="na">refreshTokenTimeToLive</span><span class="o">(</span><span class="nc">Duration</span><span class="o">.</span><span class="na">ofSeconds</span><span class="o">(</span><span class="mi">60</span> <span class="o">*</span> <span class="mi">60</span><span class="o">))</span> <span class="o">.</span><span class="na">reuseRefreshTokens</span><span class="o">(</span><span class="kc">true</span><span class="o">)</span> <span class="o">.</span><span class="na">build</span><span class="o">())</span> <span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="k">return</span> <span class="k">new</span> <span class="nf">InMemoryRegisteredClientRepository</span><span class="o">(</span><span class="n">registeredClient</span><span class="o">);</span> <span class="o">}</span> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">ProviderSettings</span> <span class="nf">providerSettings</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="nc">ProviderSettings</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">issuer</span><span class="o">(</span><span class="s">"http://127.0.0.1:8080"</span><span class="o">)</span> <span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">JWKSource</span><span class="o">&lt;</span><span class="nc">SecurityContext</span><span class="o">&gt;</span> <span class="nf">jwkSource</span><span class="o">()</span> <span class="o">{</span> <span class="nc">RSAKey</span> <span class="n">rsaKey</span> <span class="o">=</span> <span class="nc">Jwks</span><span class="o">.</span><span class="na">generateRsa</span><span class="o">();</span> <span class="nc">JWKSet</span> <span class="n">jwkSet</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">JWKSet</span><span class="o">(</span><span class="n">rsaKey</span><span class="o">);</span> <span class="k">return</span> <span class="o">(</span><span class="n">jwkSelector</span><span class="o">,</span> <span class="n">securityContext</span><span class="o">)</span> <span class="o">-&gt;</span> <span class="n">jwkSelector</span><span class="o">.</span><span class="na">select</span><span class="o">(</span><span class="n">jwkSet</span><span class="o">);</span> <span class="o">}</span> <span class="kd">static</span> <span class="kd">class</span> <span class="nc">Jwks</span> <span class="o">{</span> <span class="kd">private</span> <span class="nf">Jwks</span><span class="o">()</span> <span class="o">{</span> <span class="o">}</span> <span class="kd">public</span> <span class="kd">static</span> <span class="nc">RSAKey</span> <span class="nf">generateRsa</span><span class="o">()</span> <span class="o">{</span> <span class="nc">KeyPair</span> <span class="n">keyPair</span> <span class="o">=</span> <span class="nc">KeyGeneratorUtils</span><span class="o">.</span><span class="na">generateRsaKey</span><span class="o">();</span> <span class="nc">RSAPublicKey</span> <span class="n">publicKey</span> <span class="o">=</span> <span class="o">(</span><span class="nc">RSAPublicKey</span><span class="o">)</span> <span class="n">keyPair</span><span class="o">.</span><span class="na">getPublic</span><span class="o">();</span> <span class="nc">RSAPrivateKey</span> <span class="n">privateKey</span> <span class="o">=</span> <span class="o">(</span><span class="nc">RSAPrivateKey</span><span class="o">)</span> <span class="n">keyPair</span><span class="o">.</span><span class="na">getPrivate</span><span class="o">();</span> <span class="k">return</span> <span class="k">new</span> <span class="nc">RSAKey</span><span class="o">.</span><span class="na">Builder</span><span class="o">(</span><span class="n">publicKey</span><span class="o">)</span> <span class="o">.</span><span class="na">privateKey</span><span class="o">(</span><span class="n">privateKey</span><span class="o">)</span> <span class="o">.</span><span class="na">keyID</span><span class="o">(</span><span class="no">UUID</span><span class="o">.</span><span class="na">randomUUID</span><span class="o">().</span><span class="na">toString</span><span class="o">())</span> <span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> <span class="o">}</span> <span class="kd">static</span> <span class="kd">class</span> <span class="nc">KeyGeneratorUtils</span> <span class="o">{</span> <span class="kd">private</span> <span class="nf">KeyGeneratorUtils</span><span class="o">()</span> <span class="o">{</span> <span class="o">}</span> <span class="kd">static</span> <span class="nc">KeyPair</span> <span class="nf">generateRsaKey</span><span class="o">()</span> <span class="o">{</span> <span class="nc">KeyPair</span> <span class="n">keyPair</span><span class="o">;</span> <span class="k">try</span> <span class="o">{</span> <span class="nc">KeyPairGenerator</span> <span class="n">keyPairGenerator</span> <span class="o">=</span> <span class="nc">KeyPairGenerator</span><span class="o">.</span><span class="na">getInstance</span><span class="o">(</span><span class="s">"RSA"</span><span class="o">);</span> <span class="n">keyPairGenerator</span><span class="o">.</span><span class="na">initialize</span><span class="o">(</span><span class="mi">2048</span><span class="o">);</span> <span class="n">keyPair</span> <span class="o">=</span> <span class="n">keyPairGenerator</span><span class="o">.</span><span class="na">generateKeyPair</span><span class="o">();</span> <span class="o">}</span> <span class="k">catch</span> <span class="o">(</span><span class="nc">Exception</span> <span class="n">ex</span><span class="o">)</span> <span class="o">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nf">IllegalStateException</span><span class="o">(</span><span class="n">ex</span><span class="o">);</span> <span class="o">}</span> <span class="k">return</span> <span class="n">keyPair</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>When creating the <code>RegisteredClient</code> client registration class:</p> <ol> <li>We did not define <code>client_secret</code>.</li> </ol> <p>2.The client authentication mode is specified as none.</p> <p>3.requireProofKey() is set to true, this client only supports PKCE.</p> <p>I will not explain the rest of the configuration here, you can refer to the <a href="https://dev.to/relive27/using-jwt-with-spring-security-oauth2-41jp">previous article</a>.</p> <p>Next, we create a Spring Security configuration class, specify Form form authentication and set username and password:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@Configuration</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">SecurityConfig</span> <span class="o">{</span> <span class="nd">@Bean</span> <span class="nc">SecurityFilterChain</span> <span class="nf">defaultSecurityFilterChain</span><span class="o">(</span><span class="nc">HttpSecurity</span> <span class="n">http</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="n">http</span> <span class="o">.</span><span class="na">authorizeRequests</span><span class="o">(</span><span class="n">authorizeRequests</span> <span class="o">-&gt;</span> <span class="n">authorizeRequests</span><span class="o">.</span><span class="na">anyRequest</span><span class="o">().</span><span class="na">authenticated</span><span class="o">()</span> <span class="o">)</span> <span class="o">.</span><span class="na">formLogin</span><span class="o">(</span><span class="n">withDefaults</span><span class="o">());</span> <span class="k">return</span> <span class="n">http</span><span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> <span class="nd">@Bean</span> <span class="nc">UserDetailsService</span> <span class="nf">users</span><span class="o">()</span> <span class="o">{</span> <span class="nc">UserDetails</span> <span class="n">user</span> <span class="o">=</span> <span class="nc">User</span><span class="o">.</span><span class="na">withDefaultPasswordEncoder</span><span class="o">()</span> <span class="o">.</span><span class="na">username</span><span class="o">(</span><span class="s">"admin"</span><span class="o">)</span> <span class="o">.</span><span class="na">password</span><span class="o">(</span><span class="s">"password"</span><span class="o">)</span> <span class="o">.</span><span class="na">roles</span><span class="o">(</span><span class="s">"USER"</span><span class="o">)</span> <span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="k">return</span> <span class="k">new</span> <span class="nf">InMemoryUserDetailsManager</span><span class="o">(</span><span class="n">user</span><span class="o">);</span> <span class="o">}</span> <span class="nd">@Bean</span> <span class="nc">PasswordEncoder</span> <span class="nf">passwordEncoder</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="nc">PasswordEncoderFactories</span><span class="o">.</span><span class="na">createDelegatingPasswordEncoder</span><span class="o">();</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>So far we have configured a simple authorization server. 😀</p> <h2> OAuth2.0 client 🚀 </h2> <p>In this section, we use <a href="https://docs.spring.io/spring-security/reference/servlet/oauth2/client/index.html" rel="noopener noreferrer">Spring Security</a> to create a client that requests authorization from the authorization server through the PKCE authorization code flow, and sends the obtained access_token to the resource service.</p> <h3> Maven </h3> <div class="highlight js-code-highlight"> <pre class="highlight xml"><code><span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.springframework.boot<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-boot-starter-web<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>2.6.7<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;/dependency&gt;</span> <span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.springframework.boot<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-boot-starter-security<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>2.6.7<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;/dependency&gt;</span> <span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.springframework.boot<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-boot-starter-oauth2-client<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>2.6.7<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;/dependency&gt;</span> <span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.springframework<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-webflux<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>5.3.9<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;/dependency&gt;</span> <span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>io.projectreactor.netty<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>reactor-netty<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>1.0.9<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;/dependency&gt;</span> </code></pre> </div> <h3> Configuration </h3> <p>First, we will configure the client information in <code>application.yml</code>, and specify the service port number as 8070:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">server</span><span class="pi">:</span> <span class="na">port</span><span class="pi">:</span> <span class="m">8070</span> <span class="na">servlet</span><span class="pi">:</span> <span class="na">session</span><span class="pi">:</span> <span class="na">cookie</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">CLIENT-SESSION</span> <span class="na">spring</span><span class="pi">:</span> <span class="na">security</span><span class="pi">:</span> <span class="na">oauth2</span><span class="pi">:</span> <span class="na">client</span><span class="pi">:</span> <span class="na">registration</span><span class="pi">:</span> <span class="na">messaging-client-pkce</span><span class="pi">:</span> <span class="na">provider</span><span class="pi">:</span> <span class="s">client-provider</span> <span class="na">client-id</span><span class="pi">:</span> <span class="s">relive-client</span> <span class="na">client-secret</span><span class="pi">:</span> <span class="s">relive-client</span> <span class="na">authorization-grant-type</span><span class="pi">:</span> <span class="s">authorization_code</span> <span class="na">client-authentication-method</span><span class="pi">:</span> <span class="s">none</span> <span class="na">redirect-uri</span><span class="pi">:</span> <span class="s2">"</span><span class="s">http://127.0.0.1:8070/login/oauth2/code/{registrationId}"</span> <span class="na">scope</span><span class="pi">:</span> <span class="s">message.read</span> <span class="na">client-name</span><span class="pi">:</span> <span class="s">messaging-client-pkce</span> <span class="na">provider</span><span class="pi">:</span> <span class="na">client-provider</span><span class="pi">:</span> <span class="na">authorization-uri</span><span class="pi">:</span> <span class="s">http://127.0.0.1:8080/oauth2/authorize</span> <span class="na">token-uri</span><span class="pi">:</span> <span class="s">http://127.0.0.1:8080/oauth2/token</span> </code></pre> </div> <p>Next, we create the Spring Security configuration class to enable the OAuth2 client.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@Configuration</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">SecurityConfig</span> <span class="o">{</span> <span class="nd">@Bean</span> <span class="nc">SecurityFilterChain</span> <span class="nf">securityFilterChain</span><span class="o">(</span><span class="nc">HttpSecurity</span> <span class="n">http</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="n">http</span> <span class="o">.</span><span class="na">authorizeRequests</span><span class="o">(</span><span class="n">authorizeRequests</span> <span class="o">-&gt;</span> <span class="c1">//It is convenient for us to test, and the client service does not add authentication</span> <span class="n">authorizeRequests</span><span class="o">.</span><span class="na">anyRequest</span><span class="o">().</span><span class="na">permitAll</span><span class="o">()</span> <span class="o">)</span> <span class="o">.</span><span class="na">oauth2Client</span><span class="o">(</span><span class="n">withDefaults</span><span class="o">());</span> <span class="k">return</span> <span class="n">http</span><span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> <span class="nd">@Bean</span> <span class="nc">WebClient</span> <span class="nf">webClient</span><span class="o">(</span><span class="nc">OAuth2AuthorizedClientManager</span> <span class="n">authorizedClientManager</span><span class="o">)</span> <span class="o">{</span> <span class="nc">ServletOAuth2AuthorizedClientExchangeFilterFunction</span> <span class="n">oauth2Client</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">ServletOAuth2AuthorizedClientExchangeFilterFunction</span><span class="o">(</span><span class="n">authorizedClientManager</span><span class="o">);</span> <span class="k">return</span> <span class="nc">WebClient</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">filter</span><span class="o">(</span><span class="n">oauth2Client</span><span class="o">)</span> <span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> <span class="nd">@Bean</span> <span class="nc">OAuth2AuthorizedClientManager</span> <span class="nf">authorizedClientManager</span><span class="o">(</span><span class="nc">ClientRegistrationRepository</span> <span class="n">clientRegistrationRepository</span><span class="o">,</span> <span class="nc">OAuth2AuthorizedClientRepository</span> <span class="n">authorizedClientRepository</span><span class="o">)</span> <span class="o">{</span> <span class="nc">OAuth2AuthorizedClientProvider</span> <span class="n">authorizedClientProvider</span> <span class="o">=</span> <span class="nc">OAuth2AuthorizedClientProviderBuilder</span> <span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">authorizationCode</span><span class="o">()</span> <span class="o">.</span><span class="na">refreshToken</span><span class="o">()</span> <span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="nc">DefaultOAuth2AuthorizedClientManager</span> <span class="n">authorizedClientManager</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">DefaultOAuth2AuthorizedClientManager</span><span class="o">(</span><span class="n">clientRegistrationRepository</span><span class="o">,</span> <span class="n">authorizedClientRepository</span><span class="o">);</span> <span class="n">authorizedClientManager</span><span class="o">.</span><span class="na">setAuthorizedClientProvider</span><span class="o">(</span><span class="n">authorizedClientProvider</span><span class="o">);</span> <span class="k">return</span> <span class="n">authorizedClientManager</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>In the above configuration class, we enable the OAuth2 client through <em>oauth2Client(withDefaults())</em>. And create a <code>WebClient</code> instance to perform HTTP requests to the resource server. <code>OAuth2AuthorizedClientManager</code> is a high-level controller class that coordinates OAuth2 authorization code requests, but the authorization code process is not controlled by it. There is no relevant authorized code process logic in <code>AuthorizationCodeOAuth2AuthorizedClientProvider</code> class, for the core interface process for Spring Secrity authorization code mode, I will introduce it in a later article. </p> <p>Going back to the <code>OAuth2AuthorizedClientManager</code> class, we can see that <em>refreshToken()</em> is also specified at the same time, which implements the refresh token logic and will refresh the token after the access_token expires in the process of requesting resource services, the premise is that the refresh_token has not expired, otherwise You will go through the OAuth2 authorization code flow again.</p> <p>Next, we create a Controller class and use WebClient to request resource services:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@RestController</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">PkceClientController</span> <span class="o">{</span> <span class="nd">@Autowired</span> <span class="kd">private</span> <span class="nc">WebClient</span> <span class="n">webClient</span><span class="o">;</span> <span class="nd">@GetMapping</span><span class="o">(</span><span class="n">value</span> <span class="o">=</span> <span class="s">"/client/test"</span><span class="o">)</span> <span class="kd">public</span> <span class="nc">List</span> <span class="nf">getArticles</span><span class="o">(</span><span class="nd">@RegisteredOAuth2AuthorizedClient</span><span class="o">(</span><span class="s">"messaging-client-pkce"</span><span class="o">)</span> <span class="nc">OAuth2AuthorizedClient</span> <span class="n">authorizedClient</span><span class="o">)</span> <span class="o">{</span> <span class="k">return</span> <span class="k">this</span><span class="o">.</span><span class="na">webClient</span> <span class="o">.</span><span class="na">get</span><span class="o">()</span> <span class="o">.</span><span class="na">uri</span><span class="o">(</span><span class="s">"http://127.0.0.1:8090/resource/article"</span><span class="o">)</span> <span class="o">.</span><span class="na">attributes</span><span class="o">(</span><span class="n">oauth2AuthorizedClient</span><span class="o">(</span><span class="n">authorizedClient</span><span class="o">))</span> <span class="o">.</span><span class="na">retrieve</span><span class="o">()</span> <span class="o">.</span><span class="na">bodyToMono</span><span class="o">(</span><span class="nc">List</span><span class="o">.</span><span class="na">class</span><span class="o">)</span> <span class="o">.</span><span class="na">block</span><span class="o">();</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <h2> Resource Server 🚀 </h2> <p>In this section, we will use Spring Security to build a resource server.</p> <h3> Maven </h3> <div class="highlight js-code-highlight"> <pre class="highlight xml"><code><span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.springframework.boot<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-boot-starter-web<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>2.6.7<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;/dependency&gt;</span> <span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.springframework.boot<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-boot-starter-security<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>2.6.7<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;/dependency&gt;</span> <span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.springframework.boot<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-boot-starter-oauth2-resource-server<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>2.6.7<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;/dependency&gt;</span> </code></pre> </div> <h3> Configuration </h3> <p>Configure the resource server service port 8070 through <code>application.yml</code>, and specify the authorization server jwk uri, which is used to obtain the public key information and verify the token:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">server</span><span class="pi">:</span> <span class="na">port</span><span class="pi">:</span> <span class="m">8090</span> <span class="na">spring</span><span class="pi">:</span> <span class="na">security</span><span class="pi">:</span> <span class="na">oauth2</span><span class="pi">:</span> <span class="na">resourceserver</span><span class="pi">:</span> <span class="na">jwt</span><span class="pi">:</span> <span class="na">jwk-set-uri</span><span class="pi">:</span> <span class="s">http://127.0.0.1:8080/oauth2/jwks</span> </code></pre> </div> <p>Next configure the Spring Security configuration class to specify access to protected endpoints:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@Configuration</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">SecurityConfig</span> <span class="o">{</span> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">SecurityFilterChain</span> <span class="nf">defaultSecurityFilter</span><span class="o">(</span><span class="nc">HttpSecurity</span> <span class="n">http</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="n">http</span><span class="o">.</span><span class="na">requestMatchers</span><span class="o">()</span> <span class="o">.</span><span class="na">antMatchers</span><span class="o">(</span><span class="s">"/resource/article"</span><span class="o">)</span> <span class="o">.</span><span class="na">and</span><span class="o">()</span> <span class="o">.</span><span class="na">authorizeHttpRequests</span><span class="o">((</span><span class="n">authorize</span><span class="o">)</span> <span class="o">-&gt;</span> <span class="n">authorize</span> <span class="o">.</span><span class="na">antMatchers</span><span class="o">(</span><span class="s">"/resource/article"</span><span class="o">)</span> <span class="o">.</span><span class="na">hasAuthority</span><span class="o">(</span><span class="s">"SCOPE_message.read"</span><span class="o">)</span> <span class="o">.</span><span class="na">mvcMatchers</span><span class="o">()</span> <span class="o">)</span> <span class="o">.</span><span class="na">oauth2ResourceServer</span><span class="o">(</span><span class="nl">OAuth2ResourceServerConfigurer:</span><span class="o">:</span><span class="n">jwt</span><span class="o">);</span> <span class="k">return</span> <span class="n">http</span><span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>In the above configuration class, it is specified that <em>/resource/article</em> must have the message.read permission to access, and the resource service is configured to use JWT authentication.</p> <p>Afterwards we will create the Controller class, creating protected test endpoints:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@RestController</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">ArticleRestController</span> <span class="o">{</span> <span class="nd">@GetMapping</span><span class="o">(</span><span class="s">"/resource/article"</span><span class="o">)</span> <span class="kd">public</span> <span class="nc">List</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">&gt;</span> <span class="nf">article</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="nc">Arrays</span><span class="o">.</span><span class="na">asList</span><span class="o">(</span><span class="s">"article1"</span><span class="o">,</span> <span class="s">"article2"</span><span class="o">,</span> <span class="s">"article3"</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <h2> Access Resource List </h2> <p>After starting all the services, enter <a href="http://127.0.0.1:8070/client/test" rel="noopener noreferrer">http://127.0.0.1:8070/client/test</a> in the browser, after passing the authorization server authentication, you will see the following output information on the page:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">[</span><span class="s2">"article1"</span><span class="p">,</span><span class="s2">"article2"</span><span class="p">,</span><span class="s2">"article3"</span><span class="p">]</span><span class="w"> </span></code></pre> </div> <h2> Conclusion </h2> <p>Confidential client-side PKCE has become the default behavior in the current version of Spring Security. PKCE can also be used in secure client authorization code mode.</p> <p>The source code used in this article is available on <a href="https://github.com/ReLive27/spring-security-oauth2-sample/tree/main/oauth2-pkce" rel="noopener noreferrer">GitHub</a>.</p> <p>You might want to read on to the next one:</p> <ul> <li><a href="https://dev.to/relive27/spring-security-oauth2-login-51lj">Spring Security OAuth2 Login</a></li> </ul> <p>Thanks for reading! 😘</p> ai promptengineering debugging discuss Spring Security OAuth2 Client Credentials Grant ReLive27 Tue, 21 Feb 2023 07:15:06 +0000 https://dev.to/relive27/spring-security-oauth2-client-credentials-grant-fj5 https://dev.to/relive27/spring-security-oauth2-client-credentials-grant-fj5 <h3> Overview </h3> <p>What to do when there is no clear resource owner, or the resource owner is indistinguishable to the client? This is a fairly common scenario. For example, when direct communication between backend systems is required. This article will introduce OAuth2.0 client credential authorization.</p> <p>The OAuth2.0 documentation describes client credentials grant:</p> <blockquote> <p>Clients use the client credentials grant type to obtain access tokens outside the context of a user. This is typically used by clients to access resources about themselves, rather than accessing resources about the user.</p> </blockquote> <p>In this article, you'll learn about building OAuth2 client credential grants with Spring Security, allowing services to interoperate securely without authenticated users.</p> <p>OAuth2 client credential authorization is more straightforward than authorization code authorization, and it is usually used for operations such as CRON tasks and other types of backend data processing.</p> <h3> Client credentials grant flow </h3> <p>When an application requests an access token to access other resources, authorization is done using client credentials, not on behalf of the user.</p> <h4> request parameters </h4> <h5> grant_type(required) </h5> <p>The <code>grant_type</code> parameter must be set to <code>client_credentials</code>.</p> <h5> scope(optional) </h5> <p>Your service can support different scopes for client credential grants.</p> <h5> client authentication(required) </h5> <p>The client needs to authenticate this request. Typically, the service will allow additional request parameters <code>client_id</code> and <code>client_secret</code>, or accept the client ID and secret in the HTTP Basic auth header.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5gnmltvf1ytbw7vzcvxx.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5gnmltvf1ytbw7vzcvxx.png" alt="Image description"></a></p> <blockquote> <p>💡 Note: If you don’t want to read till the end, you can view the <a href="https://github.com/ReLive27/spring-security-oauth2-sample/tree/main/oauth2-client-model" rel="noopener noreferrer">source code</a> here.Don’t forget to give a star to the project if you like it!</p> </blockquote> <h3> OAuth2 authorization server </h3> <p>Here we use <a href="https://spring.io/projects/spring-authorization-server#learn" rel="noopener noreferrer">Spring Authorization Server</a> to build an OAuth2 authorization server. I won't repeat the details here. You can refer to the article <a href="https://dev.to/relive27/using-jwt-with-spring-security-oauth2-41jp">Using JWT with Spring Security OAuth2</a> to build an authorization server. Here only the difference from the previous authorization code grant process authorization service configuration is described.</p> <h4> Configuration </h4> <p>When we create a client using the <em>RegisteredClient</em> builder type, we will configure the client to support client credential authorization and simply store it in memory.</p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">RegisteredClientRepository</span> <span class="nf">registeredClientRepository</span><span class="o">()</span> <span class="o">{</span> <span class="nc">RegisteredClient</span> <span class="n">registeredClient</span> <span class="o">=</span> <span class="nc">RegisteredClient</span><span class="o">.</span><span class="na">withId</span><span class="o">(</span><span class="no">UUID</span><span class="o">.</span><span class="na">randomUUID</span><span class="o">().</span><span class="na">toString</span><span class="o">())</span> <span class="o">.</span><span class="na">clientId</span><span class="o">(</span><span class="s">"relive-client"</span><span class="o">)</span> <span class="o">.</span><span class="na">clientSecret</span><span class="o">(</span><span class="s">"{noop}relive-client"</span><span class="o">)</span> <span class="o">.</span><span class="na">clientAuthenticationMethods</span><span class="o">(</span><span class="n">s</span> <span class="o">-&gt;</span> <span class="o">{</span> <span class="n">s</span><span class="o">.</span><span class="na">add</span><span class="o">(</span><span class="nc">ClientAuthenticationMethod</span><span class="o">.</span><span class="na">CLIENT_SECRET_POST</span><span class="o">);</span> <span class="n">s</span><span class="o">.</span><span class="na">add</span><span class="o">(</span><span class="nc">ClientAuthenticationMethod</span><span class="o">.</span><span class="na">CLIENT_SECRET_BASIC</span><span class="o">);</span> <span class="o">})</span> <span class="o">.</span><span class="na">authorizationGrantType</span><span class="o">(</span><span class="nc">AuthorizationGrantType</span><span class="o">.</span><span class="na">CLIENT_CREDENTIALS</span><span class="o">)</span> <span class="o">.</span><span class="na">redirectUri</span><span class="o">(</span><span class="s">"http://127.0.0.1:8070/login/oauth2/code/messaging-client-model"</span><span class="o">)</span> <span class="o">.</span><span class="na">scope</span><span class="o">(</span><span class="s">"message.read"</span><span class="o">)</span> <span class="o">.</span><span class="na">clientSettings</span><span class="o">(</span><span class="nc">ClientSettings</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">requireAuthorizationConsent</span><span class="o">(</span><span class="kc">true</span><span class="o">)</span> <span class="o">.</span><span class="na">requireProofKey</span><span class="o">(</span><span class="kc">false</span><span class="o">)</span> <span class="o">.</span><span class="na">build</span><span class="o">())</span> <span class="o">.</span><span class="na">tokenSettings</span><span class="o">(</span><span class="nc">TokenSettings</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">accessTokenFormat</span><span class="o">(</span><span class="nc">OAuth2TokenFormat</span><span class="o">.</span><span class="na">SELF_CONTAINED</span><span class="o">)</span> <span class="o">.</span><span class="na">idTokenSignatureAlgorithm</span><span class="o">(</span><span class="nc">SignatureAlgorithm</span><span class="o">.</span><span class="na">RS256</span><span class="o">)</span> <span class="o">.</span><span class="na">accessTokenTimeToLive</span><span class="o">(</span><span class="nc">Duration</span><span class="o">.</span><span class="na">ofSeconds</span><span class="o">(</span><span class="mi">30</span> <span class="o">*</span> <span class="mi">60</span><span class="o">))</span> <span class="o">.</span><span class="na">refreshTokenTimeToLive</span><span class="o">(</span><span class="nc">Duration</span><span class="o">.</span><span class="na">ofSeconds</span><span class="o">(</span><span class="mi">60</span> <span class="o">*</span> <span class="mi">60</span><span class="o">))</span> <span class="o">.</span><span class="na">reuseRefreshTokens</span><span class="o">(</span><span class="kc">true</span><span class="o">)</span> <span class="o">.</span><span class="na">build</span><span class="o">())</span> <span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="k">return</span> <span class="k">new</span> <span class="nf">InMemoryRegisteredClientRepository</span><span class="o">(</span><span class="n">registeredClient</span><span class="o">);</span> <span class="o">}</span> </code></pre> </div> <p>Above we configured an OAuth2 client and specified <strong>authorizationGrantType</strong> as <strong>client_credentials</strong>:</p> <ul> <li> <strong>clientId</strong>: relive-client</li> <li> <strong>clientSecret</strong>: relive-client</li> <li> <strong>redirectUri</strong>: <a href="http://127.0.0.1:8070/login/oauth2/code/messaging-client-model" rel="noopener noreferrer">http://127.0.0.1:8070/login/oauth2/code/messaging-client-model</a> </li> <li> <strong>scope</strong>: message.read</li> </ul> <h3> Build an OAuth2 resource server with Spring Security </h3> <p>The OAuth2 resource server configuration is consistent with the resource service set-up in this article <a href="https://dev.to/relive27/using-jwt-with-spring-security-oauth2-41jp">Using JWT with Spring Security OAuth2</a>, you can refer to the introduction of OAuth2 resource service in this article, or obtain the source code address of this article at the end of the article to view.</p> <h4> Configuration </h4> <p>The OAuth2 resource server provides a <em>/resource/article</em> protected endpoint and uses Spring Security to secure this service.</p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code> <span class="nd">@Bean</span> <span class="nc">SecurityFilterChain</span> <span class="nf">securityFilterChain</span><span class="o">(</span><span class="nc">HttpSecurity</span> <span class="n">http</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="n">http</span><span class="o">.</span><span class="na">requestMatchers</span><span class="o">()</span> <span class="o">.</span><span class="na">antMatchers</span><span class="o">(</span><span class="s">"/resource/article"</span><span class="o">)</span> <span class="o">.</span><span class="na">and</span><span class="o">()</span> <span class="o">.</span><span class="na">authorizeRequests</span><span class="o">()</span> <span class="o">.</span><span class="na">mvcMatchers</span><span class="o">(</span><span class="s">"/resource/article"</span><span class="o">)</span> <span class="o">.</span><span class="na">access</span><span class="o">(</span><span class="s">"hasAuthority('SCOPE_message.read')"</span><span class="o">)</span> <span class="o">.</span><span class="na">and</span><span class="o">()</span> <span class="o">.</span><span class="na">oauth2ResourceServer</span><span class="o">(</span><span class="nl">OAuth2ResourceServerConfigurer:</span><span class="o">:</span><span class="n">jwt</span><span class="o">);</span> <span class="k">return</span> <span class="n">http</span><span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> </code></pre> </div> <p>Please note that the OAuth2 resource service <em>/resource/article</em> endpoint requires "message.read" permission to access, Spring Security will add "SCOPE_" before the required scope name, so the actual required scope is "message.read" and Not "SCOPE_message.read".</p> <h3> Build an OAuth2 client with Spring Security </h3> <p>In this section, you will request resource services using the currently recommended WebClient, which is part of Spring's WebFlux package. This is Spring's reactive, non-blocking API, and you can read more about it in the <a href="https://docs.spring.io/spring-framework/docs/current/reference/html/web-reactive.html" rel="noopener noreferrer">Spring Documentation</a>.</p> <p>Under the CRON task defined by <code>@Scheduled</code> this annotation, you will use <code>WebClient</code> to make requests.</p> <h4> Maven dependencies </h4> <div class="highlight js-code-highlight"> <pre class="highlight xml"><code> <span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.springframework.boot<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-boot-starter-web<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>2.6.7<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;/dependency&gt;</span> <span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.springframework.boot<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-boot-starter-security<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>2.6.7<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;/dependency&gt;</span> <span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.springframework.boot<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-boot-starter-oauth2-client<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>2.6.7<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;/dependency&gt;</span> <span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.springframework<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-webflux<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>5.3.9<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;/dependency&gt;</span> <span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>io.projectreactor.netty<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>reactor-netty<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>1.0.9<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;/dependency&gt;</span> </code></pre> </div> <h4> Configuration </h4> <p>We will configure OAuth2 authorization information in <code>application.yml</code> and specify the OAuth2 client service port number:</p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">server</span><span class="pi">:</span> <span class="na">port</span><span class="pi">:</span> <span class="m">8070</span> <span class="na">spring</span><span class="pi">:</span> <span class="na">security</span><span class="pi">:</span> <span class="na">oauth2</span><span class="pi">:</span> <span class="na">client</span><span class="pi">:</span> <span class="na">registration</span><span class="pi">:</span> <span class="na">messaging-client-model</span><span class="pi">:</span> <span class="na">provider</span><span class="pi">:</span> <span class="s">client-provider</span> <span class="na">client-id</span><span class="pi">:</span> <span class="s">relive-client</span> <span class="na">client-secret</span><span class="pi">:</span> <span class="s">relive-client</span> <span class="na">authorization-grant-type</span><span class="pi">:</span> <span class="s">client_credentials</span> <span class="na">client-authentication-method</span><span class="pi">:</span> <span class="s">client_secret_post</span> <span class="na">scope</span><span class="pi">:</span> <span class="s">message.read</span> <span class="na">client-name</span><span class="pi">:</span> <span class="s">messaging-client-model</span> <span class="na">provider</span><span class="pi">:</span> <span class="na">client-provider</span><span class="pi">:</span> <span class="na">token-uri</span><span class="pi">:</span> <span class="s">http://127.0.0.1:8080/oauth2/token</span> </code></pre> </div> <p>Next we will create a <code>SecurityConfig</code> class to configure the beans required by the Spring Security OAuth2 client:</p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code> <span class="nd">@Bean</span> <span class="nc">SecurityFilterChain</span> <span class="nf">securityFilterChain</span><span class="o">(</span><span class="nc">HttpSecurity</span> <span class="n">http</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="n">http</span> <span class="o">.</span><span class="na">authorizeRequests</span><span class="o">(</span><span class="n">authorizeRequests</span> <span class="o">-&gt;</span> <span class="n">authorizeRequests</span><span class="o">.</span><span class="na">anyRequest</span><span class="o">().</span><span class="na">permitAll</span><span class="o">()</span> <span class="o">)</span> <span class="o">.</span><span class="na">oauth2Client</span><span class="o">(</span><span class="n">withDefaults</span><span class="o">());</span> <span class="k">return</span> <span class="n">http</span><span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> <span class="nd">@Bean</span> <span class="nc">WebClient</span> <span class="nf">webClient</span><span class="o">(</span><span class="nc">OAuth2AuthorizedClientManager</span> <span class="n">authorizedClientManager</span><span class="o">)</span> <span class="o">{</span> <span class="nc">ServletOAuth2AuthorizedClientExchangeFilterFunction</span> <span class="n">oauth2Client</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">ServletOAuth2AuthorizedClientExchangeFilterFunction</span><span class="o">(</span><span class="n">authorizedClientManager</span><span class="o">);</span> <span class="k">return</span> <span class="nc">WebClient</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">filter</span><span class="o">(</span><span class="n">oauth2Client</span><span class="o">)</span> <span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> <span class="nd">@Bean</span> <span class="nc">OAuth2AuthorizedClientManager</span> <span class="nf">authorizedClientManager</span><span class="o">(</span><span class="nc">ClientRegistrationRepository</span> <span class="n">clientRegistrationRepository</span><span class="o">,</span> <span class="nc">OAuth2AuthorizedClientService</span> <span class="n">authorizedClientService</span><span class="o">)</span> <span class="o">{</span> <span class="nc">OAuth2AuthorizedClientProvider</span> <span class="n">authorizedClientProvider</span> <span class="o">=</span> <span class="nc">OAuth2AuthorizedClientProviderBuilder</span> <span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">clientCredentials</span><span class="o">()</span> <span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="nc">AuthorizedClientServiceOAuth2AuthorizedClientManager</span> <span class="n">authorizedClientManager</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">AuthorizedClientServiceOAuth2AuthorizedClientManager</span><span class="o">(</span><span class="n">clientRegistrationRepository</span><span class="o">,</span> <span class="n">authorizedClientService</span><span class="o">);</span> <span class="n">authorizedClientManager</span><span class="o">.</span><span class="na">setAuthorizedClientProvider</span><span class="o">(</span><span class="n">authorizedClientProvider</span><span class="o">);</span> <span class="k">return</span> <span class="n">authorizedClientManager</span><span class="o">;</span> <span class="o">}</span> </code></pre> </div> <p>We create a WebClient instance to perform HTTP requests to the resource server, and add an OAuth2 authorization filter to the WebClient. <code>AuthorizedClientServiceOAuth2AuthorizedClientManager</code> This is the high-level controller class that coordinates OAuth2 client credential grant requests, here I will point out that <code>AuthorizedClientServiceOAuth2AuthorizedClientManager</code> is a class specifically designed to be used outside the context of an HttpServletRequest .</p> <p>From the <a href="https://docs.spring.io/spring-security/site/docs/5.4.5/reference/html5/#oauth2Client-authorized-manager-provider" rel="noopener noreferrer">Spring Documentation</a>:</p> <blockquote> <p>The DefaultOAuth2AuthorizedClientManager is intended to be used in the context of an HttpServletRequest. When operating outside the context of an HttpServletRequest, use AuthorizedClientServiceOAuth2AuthorizedClientManager instead.</p> </blockquote> <p>Next we will create a task defined using <code>@Scheduled</code> annotation, and inject WebClient to call resource service request:</p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code> <span class="nd">@Service</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">ArticleJob</span> <span class="o">{</span> <span class="nd">@Autowired</span> <span class="kd">private</span> <span class="nc">WebClient</span> <span class="n">webClient</span><span class="o">;</span> <span class="nd">@Scheduled</span><span class="o">(</span><span class="n">cron</span> <span class="o">=</span> <span class="s">"0/2 * * * * ? "</span><span class="o">)</span> <span class="kd">public</span> <span class="kt">void</span> <span class="nf">exchange</span><span class="o">()</span> <span class="o">{</span> <span class="nc">List</span> <span class="n">list</span> <span class="o">=</span> <span class="k">this</span><span class="o">.</span><span class="na">webClient</span> <span class="o">.</span><span class="na">get</span><span class="o">()</span> <span class="o">.</span><span class="na">uri</span><span class="o">(</span><span class="s">"http://127.0.0.1:8090/resource/article"</span><span class="o">)</span> <span class="o">.</span><span class="na">attributes</span><span class="o">(</span><span class="n">clientRegistrationId</span><span class="o">(</span><span class="s">"messaging-client-model"</span><span class="o">))</span> <span class="o">.</span><span class="na">retrieve</span><span class="o">()</span> <span class="o">.</span><span class="na">bodyToMono</span><span class="o">(</span><span class="nc">List</span><span class="o">.</span><span class="na">class</span><span class="o">)</span> <span class="o">.</span><span class="na">block</span><span class="o">();</span> <span class="n">log</span><span class="o">.</span><span class="na">info</span><span class="o">(</span><span class="s">"Call resource server execution result:"</span> <span class="o">+</span> <span class="n">list</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>The client service will initiate a request every 2 seconds and print the result on the console.</p> <h3> Conclusion </h3> <p>As always, the source code used in this article is available <a href="https://github.com/ReLive27/spring-security-oauth2-sample/tree/main/oauth2-client-model" rel="noopener noreferrer">on GitHub</a>.</p> <p>You might want to read on to the next one:</p> <ul> <li><a href="https://dev.to/relive27/authorization-code-flow-with-proof-key-for-code-exchange-pkce-4h22">Authorization Code Flow with Proof Key for Code Exchange (PKCE)</a></li> <li><a href="https://dev.to/relive27/spring-security-oauth2-login-51lj">Spring Security OAuth2 Login</a></li> </ul> <p>Thanks for reading!</p> java security oauth2 springsecurity Spring Security Persistent OAuth2 Client ReLive27 Sun, 19 Feb 2023 12:35:28 +0000 https://dev.to/relive27/spring-security-persistent-oauth2-client-1gcc https://dev.to/relive27/spring-security-persistent-oauth2-client-1gcc <p>In <a href="https://dev.to/relive27/using-jwt-with-spring-security-oauth2-41jp">previous article</a>, it is introduced that the client requests authorization from the authorization server (using <a href="https://spring.io/projects/spring-authorization-server#learn">Spring Authorization Server</a>) and accesses the protected resources of the resource server. When creating an OAuth2 client service, the client registration is usually autoloaded from the <code>application.yml</code> file, Spring auto-configuration uses <code>OAuth2ClientProperties</code> to create a <code>ClientRegistration</code> and instantiates a <code>ClientRegistrationRepository</code>.</p> <p>The following Spring auto-configuration <code>OAuth2ClientRegistrationRepositoryConfiguration</code> code is as follows:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@Configuration</span><span class="o">(</span> <span class="n">proxyBeanMethods</span> <span class="o">=</span> <span class="kc">false</span> <span class="o">)</span> <span class="nd">@EnableConfigurationProperties</span><span class="o">({</span><span class="nc">OAuth2ClientProperties</span><span class="o">.</span><span class="na">class</span><span class="o">})</span> <span class="nd">@Conditional</span><span class="o">({</span><span class="nc">ClientsConfiguredCondition</span><span class="o">.</span><span class="na">class</span><span class="o">})</span> <span class="kd">class</span> <span class="nc">OAuth2ClientRegistrationRepositoryConfiguration</span> <span class="o">{</span> <span class="nc">OAuth2ClientRegistrationRepositoryConfiguration</span><span class="o">()</span> <span class="o">{</span> <span class="o">}</span> <span class="nd">@Bean</span> <span class="nd">@ConditionalOnMissingBean</span><span class="o">({</span><span class="nc">ClientRegistrationRepository</span><span class="o">.</span><span class="na">class</span><span class="o">})</span> <span class="nc">InMemoryClientRegistrationRepository</span> <span class="nf">clientRegistrationRepository</span><span class="o">(</span><span class="nc">OAuth2ClientProperties</span> <span class="n">properties</span><span class="o">)</span> <span class="o">{</span> <span class="nc">List</span><span class="o">&lt;</span><span class="nc">ClientRegistration</span><span class="o">&gt;</span> <span class="n">registrations</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">ArrayList</span><span class="o">(</span><span class="nc">OAuth2ClientPropertiesRegistrationAdapter</span><span class="o">.</span><span class="na">getClientRegistrations</span><span class="o">(</span><span class="n">properties</span><span class="o">).</span><span class="na">values</span><span class="o">());</span> <span class="k">return</span> <span class="k">new</span> <span class="nf">InMemoryClientRegistrationRepository</span><span class="o">(</span><span class="n">registrations</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>As you can see, <code>ClientRegistrationRepository</code> is implemented by default and only one implementation class is <code>InMemoryClientRegistrationRepository</code>, which stores ClientRegistration in memory, and this method may have certain limitations in a production environment.</p> <p>In this article you will learn how to implement OAuth2 client persistence by extending ClientRegistrationRepository.</p> <blockquote> <p>💡 Note: If you don’t want to read till the end, you can view the <a href="https://github.com/ReLive27/spring-security-oauth2-sample/tree/main/oauth2-persistence-client">source code</a> here.Don’t forget to give a star to the project if you like it!</p> </blockquote> <h3> OAuth2 client service implementation </h3> <p>In this section, you will create a simple OAuth2 client service and store OAuth2 client information through the database, now look at the code!</p> <h4> Maven dependencies </h4> <div class="highlight js-code-highlight"> <pre class="highlight xml"><code><span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.springframework.boot<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-boot-starter-web<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>2.6.7<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;/dependency&gt;</span> <span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.springframework.boot<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-boot-starter-data-jdbc<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>2.6.7<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;/dependency&gt;</span> <span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.springframework.boot<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-boot-starter-security<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>2.6.7<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;/dependency&gt;</span> <span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.springframework.boot<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-boot-starter-oauth2-client<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>2.6.7<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;/dependency&gt;</span> <span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.springframework<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-webflux<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>5.3.9<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;/dependency&gt;</span> <span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>io.projectreactor.netty<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>reactor-netty<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>1.0.9<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;/dependency&gt;</span> <span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>mysql<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>mysql-connector-java<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>8.0.21<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;/dependency&gt;</span> ... </code></pre> </div> <h4> Configuration </h4> <p>First, let us configure service port information and database connection information through <code>application.yml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">server</span><span class="pi">:</span> <span class="na">port</span><span class="pi">:</span> <span class="m">8070</span> <span class="na">spring</span><span class="pi">:</span> <span class="na">datasource</span><span class="pi">:</span> <span class="na">druid</span><span class="pi">:</span> <span class="na">db-type</span><span class="pi">:</span> <span class="s">mysql</span> <span class="na">driver-class-name</span><span class="pi">:</span> <span class="s">com.mysql.cj.jdbc.Driver</span> <span class="na">url</span><span class="pi">:</span> <span class="s">jdbc:mysql://localhost:3306/persistence_oauth2_client?createDatabaseIfNotExist=true&amp;useUnicode=true&amp;characterEncoding=UTF-8&amp;useSSL=false&amp;serverTimezone=Asia/Shanghai&amp;allowPublicKeyRetrieval=true</span> <span class="na">username</span><span class="pi">:</span> <span class="s">&lt;&lt;username&gt;&gt;</span> <span class="c1"># Remember to change the username</span> <span class="na">password</span><span class="pi">:</span> <span class="s">&lt;&lt;password&gt;&gt;</span> <span class="c1"># Remember to change the password</span> </code></pre> </div> <p>Next, we create a database table based on <code>ClientRegistration</code> to store OAuth2 client information:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="k">TABLE</span> <span class="nv">`oauth2_registered_client`</span> <span class="p">(</span> <span class="nv">`registration_id`</span> <span class="nb">varchar</span><span class="p">(</span><span class="mi">100</span><span class="p">)</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="nv">`client_id`</span> <span class="nb">varchar</span><span class="p">(</span><span class="mi">100</span><span class="p">)</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="nv">`client_secret`</span> <span class="nb">varchar</span><span class="p">(</span><span class="mi">200</span><span class="p">)</span> <span class="k">DEFAULT</span> <span class="k">NULL</span><span class="p">,</span> <span class="nv">`client_authentication_method`</span> <span class="nb">varchar</span><span class="p">(</span><span class="mi">100</span><span class="p">)</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="nv">`authorization_grant_type`</span> <span class="nb">varchar</span><span class="p">(</span><span class="mi">100</span><span class="p">)</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="nv">`client_name`</span> <span class="nb">varchar</span><span class="p">(</span><span class="mi">200</span><span class="p">)</span> <span class="k">DEFAULT</span> <span class="k">NULL</span><span class="p">,</span> <span class="nv">`redirect_uri`</span> <span class="nb">varchar</span><span class="p">(</span><span class="mi">1000</span><span class="p">)</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="nv">`scopes`</span> <span class="nb">varchar</span><span class="p">(</span><span class="mi">1000</span><span class="p">)</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="nv">`authorization_uri`</span> <span class="nb">varchar</span><span class="p">(</span><span class="mi">1000</span><span class="p">)</span> <span class="k">DEFAULT</span> <span class="k">NULL</span><span class="p">,</span> <span class="nv">`token_uri`</span> <span class="nb">varchar</span><span class="p">(</span><span class="mi">1000</span><span class="p">)</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="nv">`jwk_set_uri`</span> <span class="nb">varchar</span><span class="p">(</span><span class="mi">1000</span><span class="p">)</span> <span class="k">DEFAULT</span> <span class="k">NULL</span><span class="p">,</span> <span class="nv">`issuer_uri`</span> <span class="nb">varchar</span><span class="p">(</span><span class="mi">1000</span><span class="p">)</span> <span class="k">DEFAULT</span> <span class="k">NULL</span><span class="p">,</span> <span class="nv">`user_info_uri`</span> <span class="nb">varchar</span><span class="p">(</span><span class="mi">1000</span><span class="p">)</span> <span class="k">DEFAULT</span> <span class="k">NULL</span><span class="p">,</span> <span class="nv">`user_info_authentication_method`</span> <span class="nb">varchar</span><span class="p">(</span><span class="mi">100</span><span class="p">)</span> <span class="k">DEFAULT</span> <span class="k">NULL</span><span class="p">,</span> <span class="nv">`user_name_attribute_name`</span> <span class="nb">varchar</span><span class="p">(</span><span class="mi">100</span><span class="p">)</span> <span class="k">DEFAULT</span> <span class="k">NULL</span><span class="p">,</span> <span class="nv">`configuration_metadata`</span> <span class="nb">varchar</span><span class="p">(</span><span class="mi">2000</span><span class="p">)</span> <span class="k">DEFAULT</span> <span class="k">NULL</span><span class="p">,</span> <span class="k">PRIMARY</span> <span class="k">KEY</span> <span class="p">(</span><span class="nv">`registration_id`</span><span class="p">)</span> <span class="p">)</span> <span class="n">ENGINE</span><span class="o">=</span><span class="n">InnoDB</span> <span class="k">DEFAULT</span> <span class="n">CHARSET</span><span class="o">=</span><span class="n">utf8mb4</span> <span class="k">COLLATE</span><span class="o">=</span><span class="n">utf8mb4_0900_ai_ci</span><span class="p">;</span> </code></pre> </div> <p>Below we implement the <em>JdbcClientRegistrationRepository</em> that <em>ClientRegistrationRepository</em> extends:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kd">public</span> <span class="kd">class</span> <span class="nc">JdbcClientRegistrationRepository</span> <span class="kd">implements</span> <span class="nc">ClientRegistrationRepository</span> <span class="o">{</span> <span class="kd">private</span> <span class="kd">static</span> <span class="kd">final</span> <span class="nc">String</span> <span class="no">COLUMN_NAMES</span> <span class="o">=</span> <span class="s">"registration_id,client_id,client_secret,client_authentication_method,authorization_grant_type,client_name,redirect_uri,scopes,authorization_uri,token_uri,jwk_set_uri,issuer_uri,user_info_uri,user_info_authentication_method,user_name_attribute_name,configuration_metadata"</span><span class="o">;</span> <span class="kd">private</span> <span class="kd">static</span> <span class="kd">final</span> <span class="nc">String</span> <span class="no">TABLE_NAME</span> <span class="o">=</span> <span class="s">"oauth2_registered_client"</span><span class="o">;</span> <span class="kd">private</span> <span class="kd">static</span> <span class="kd">final</span> <span class="nc">String</span> <span class="no">LOAD_CLIENT_REGISTERED_SQL</span> <span class="o">=</span> <span class="s">"SELECT "</span> <span class="o">+</span> <span class="no">COLUMN_NAMES</span> <span class="o">+</span> <span class="s">" FROM "</span> <span class="o">+</span> <span class="no">TABLE_NAME</span> <span class="o">+</span> <span class="s">" WHERE "</span><span class="o">;</span> <span class="kd">private</span> <span class="kd">static</span> <span class="kd">final</span> <span class="nc">String</span> <span class="no">INSERT_CLIENT_REGISTERED_SQL</span> <span class="o">=</span> <span class="s">"INSERT INTO "</span> <span class="o">+</span> <span class="no">TABLE_NAME</span> <span class="o">+</span> <span class="s">"("</span> <span class="o">+</span> <span class="no">COLUMN_NAMES</span> <span class="o">+</span> <span class="s">") VALUES(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?)"</span><span class="o">;</span> <span class="kd">private</span> <span class="kd">static</span> <span class="kd">final</span> <span class="nc">String</span> <span class="no">UPDATE_CLIENT_REGISTERED_SQL</span> <span class="o">=</span> <span class="s">"UPDATE "</span> <span class="o">+</span> <span class="no">TABLE_NAME</span> <span class="o">+</span> <span class="s">" SET client_id = ?,client_secret = ?,client_authentication_method = ?,authorization_grant_type = ?,client_name = ?,redirect_uri = ?,scopes = ?,authorization_uri = ?,token_uri = ?,jwk_set_uri = ?,issuer_uri = ?,user_info_uri = ?,user_info_authentication_method = ?,user_name_attribute_name = ? WHERE registration_id = ?"</span><span class="o">;</span> <span class="kd">private</span> <span class="kd">final</span> <span class="nc">JdbcOperations</span> <span class="n">jdbcOperations</span><span class="o">;</span> <span class="kd">private</span> <span class="nc">RowMapper</span><span class="o">&lt;</span><span class="nc">ClientRegistration</span><span class="o">&gt;</span> <span class="n">clientRegistrationRowMapper</span><span class="o">;</span> <span class="kd">private</span> <span class="nc">Function</span><span class="o">&lt;</span><span class="nc">ClientRegistration</span><span class="o">,</span> <span class="nc">List</span><span class="o">&lt;</span><span class="nc">SqlParameterValue</span><span class="o">&gt;&gt;</span> <span class="n">clientRegistrationListParametersMapper</span><span class="o">;</span> <span class="kd">public</span> <span class="nf">JdbcClientRegistrationRepository</span><span class="o">(</span><span class="nc">JdbcOperations</span> <span class="n">jdbcOperations</span><span class="o">)</span> <span class="o">{</span> <span class="nc">Assert</span><span class="o">.</span><span class="na">notNull</span><span class="o">(</span><span class="n">jdbcOperations</span><span class="o">,</span> <span class="s">"JdbcOperations can not be null"</span><span class="o">);</span> <span class="k">this</span><span class="o">.</span><span class="na">jdbcOperations</span> <span class="o">=</span> <span class="n">jdbcOperations</span><span class="o">;</span> <span class="k">this</span><span class="o">.</span><span class="na">clientRegistrationRowMapper</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">ClientRegistrationRowMapper</span><span class="o">();</span> <span class="k">this</span><span class="o">.</span><span class="na">clientRegistrationListParametersMapper</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">ClientRegistrationParametersMapper</span><span class="o">();</span> <span class="o">}</span> <span class="nd">@Override</span> <span class="kd">public</span> <span class="nc">ClientRegistration</span> <span class="nf">findByRegistrationId</span><span class="o">(</span><span class="nc">String</span> <span class="n">registrationId</span><span class="o">)</span> <span class="o">{</span> <span class="nc">Assert</span><span class="o">.</span><span class="na">hasText</span><span class="o">(</span><span class="n">registrationId</span><span class="o">,</span> <span class="s">"registrationId cannot be empty"</span><span class="o">);</span> <span class="k">return</span> <span class="k">this</span><span class="o">.</span><span class="na">findBy</span><span class="o">(</span><span class="s">"registration_id = ?"</span><span class="o">,</span> <span class="n">registrationId</span><span class="o">);</span> <span class="o">}</span> <span class="kd">private</span> <span class="nc">ClientRegistration</span> <span class="nf">findBy</span><span class="o">(</span><span class="nc">String</span> <span class="n">filter</span><span class="o">,</span> <span class="nc">Object</span><span class="o">...</span> <span class="n">args</span><span class="o">)</span> <span class="o">{</span> <span class="nc">List</span><span class="o">&lt;</span><span class="nc">ClientRegistration</span><span class="o">&gt;</span> <span class="n">result</span> <span class="o">=</span> <span class="k">this</span><span class="o">.</span><span class="na">jdbcOperations</span><span class="o">.</span><span class="na">query</span><span class="o">(</span><span class="no">LOAD_CLIENT_REGISTERED_SQL</span> <span class="o">+</span> <span class="n">filter</span><span class="o">,</span> <span class="k">this</span><span class="o">.</span><span class="na">clientRegistrationRowMapper</span><span class="o">,</span> <span class="n">args</span><span class="o">);</span> <span class="k">return</span> <span class="o">!</span><span class="n">result</span><span class="o">.</span><span class="na">isEmpty</span><span class="o">()</span> <span class="o">?</span> <span class="n">result</span><span class="o">.</span><span class="na">get</span><span class="o">(</span><span class="mi">0</span><span class="o">)</span> <span class="o">:</span> <span class="kc">null</span><span class="o">;</span> <span class="o">}</span> <span class="kd">public</span> <span class="kt">void</span> <span class="nf">save</span><span class="o">(</span><span class="nc">ClientRegistration</span> <span class="n">clientRegistration</span><span class="o">)</span> <span class="o">{</span> <span class="nc">Assert</span><span class="o">.</span><span class="na">notNull</span><span class="o">(</span><span class="n">clientRegistration</span><span class="o">,</span> <span class="s">"clientRegistration cannot be null"</span><span class="o">);</span> <span class="nc">ClientRegistration</span> <span class="n">existingClientRegistration</span> <span class="o">=</span> <span class="k">this</span><span class="o">.</span><span class="na">findByRegistrationId</span><span class="o">(</span><span class="n">clientRegistration</span><span class="o">.</span><span class="na">getRegistrationId</span><span class="o">());</span> <span class="k">if</span> <span class="o">(</span><span class="n">existingClientRegistration</span> <span class="o">!=</span> <span class="kc">null</span><span class="o">)</span> <span class="o">{</span> <span class="k">this</span><span class="o">.</span><span class="na">updateRegisteredClient</span><span class="o">(</span><span class="n">clientRegistration</span><span class="o">);</span> <span class="o">}</span> <span class="k">else</span> <span class="o">{</span> <span class="k">this</span><span class="o">.</span><span class="na">insertClientRegistration</span><span class="o">(</span><span class="n">clientRegistration</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> <span class="kd">private</span> <span class="kt">void</span> <span class="nf">updateRegisteredClient</span><span class="o">(</span><span class="nc">ClientRegistration</span> <span class="n">clientRegistration</span><span class="o">)</span> <span class="o">{</span> <span class="nc">List</span><span class="o">&lt;</span><span class="nc">SqlParameterValue</span><span class="o">&gt;</span> <span class="n">parameterValues</span> <span class="o">=</span> <span class="k">this</span><span class="o">.</span><span class="na">clientRegistrationListParametersMapper</span><span class="o">.</span><span class="na">apply</span><span class="o">(</span><span class="n">clientRegistration</span><span class="o">);</span> <span class="nc">PreparedStatementSetter</span> <span class="n">statementSetter</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">ArgumentPreparedStatementSetter</span><span class="o">(</span><span class="n">parameterValues</span><span class="o">.</span><span class="na">toArray</span><span class="o">());</span> <span class="k">this</span><span class="o">.</span><span class="na">jdbcOperations</span><span class="o">.</span><span class="na">update</span><span class="o">(</span><span class="no">UPDATE_CLIENT_REGISTERED_SQL</span><span class="o">,</span> <span class="n">statementSetter</span><span class="o">);</span> <span class="o">}</span> <span class="kd">private</span> <span class="kt">void</span> <span class="nf">insertClientRegistration</span><span class="o">(</span><span class="nc">ClientRegistration</span> <span class="n">clientRegistration</span><span class="o">)</span> <span class="o">{</span> <span class="nc">List</span><span class="o">&lt;</span><span class="nc">SqlParameterValue</span><span class="o">&gt;</span> <span class="n">parameterValues</span> <span class="o">=</span> <span class="k">this</span><span class="o">.</span><span class="na">clientRegistrationListParametersMapper</span><span class="o">.</span><span class="na">apply</span><span class="o">(</span><span class="n">clientRegistration</span><span class="o">);</span> <span class="nc">PreparedStatementSetter</span> <span class="n">statementSetter</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">ArgumentPreparedStatementSetter</span><span class="o">(</span><span class="n">parameterValues</span><span class="o">.</span><span class="na">toArray</span><span class="o">());</span> <span class="k">this</span><span class="o">.</span><span class="na">jdbcOperations</span><span class="o">.</span><span class="na">update</span><span class="o">(</span><span class="no">INSERT_CLIENT_REGISTERED_SQL</span><span class="o">,</span> <span class="n">statementSetter</span><span class="o">);</span> <span class="o">}</span> <span class="c1">//...</span> <span class="o">}</span> </code></pre> </div> <p>Afterwards we will create the <code>SecurityConfig</code> security configuration class, in which we will create the specific beans required by the OAuth2 Client. First we will instantiate the above custom <em>JdbcClientRegistrationRepository</em>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">ClientRegistrationRepository</span> <span class="nf">clientRegistrationRepository</span><span class="o">(</span><span class="nc">JdbcTemplate</span> <span class="n">jdbcTemplate</span><span class="o">)</span> <span class="o">{</span> <span class="k">return</span> <span class="k">new</span> <span class="nf">JdbcClientRegistrationRepository</span><span class="o">(</span><span class="n">jdbcTemplate</span><span class="o">);</span> <span class="o">}</span> </code></pre> </div> <p><strong>ClientRegistration</strong>: Indicates a client registered using OAuth 2.0 or OpenID Connect (OIDC). It contains all basic information about the client, such as client ID, client secret, authorization type and various URIs.</p> <p><strong>ClientRegistrationRepository</strong>: This is a repository that contains <em>ClientRegistrations</em> and is responsible for persistence.</p> <p>Next configure the OAuth2AuthorizedClient management class <em>OAuth2AuthorizedClientService</em>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">OAuth2AuthorizedClientService</span> <span class="nf">authorizedClientService</span><span class="o">(</span> <span class="nc">JdbcTemplate</span> <span class="n">jdbcTemplate</span><span class="o">,</span> <span class="nc">ClientRegistrationRepository</span> <span class="n">clientRegistrationRepository</span><span class="o">)</span> <span class="o">{</span> <span class="k">return</span> <span class="k">new</span> <span class="nf">JdbcOAuth2AuthorizedClientService</span><span class="o">(</span><span class="n">jdbcTemplate</span><span class="o">,</span> <span class="n">clientRegistrationRepository</span><span class="o">);</span> <span class="o">}</span> </code></pre> </div> <p><strong>OAuth2AuthorizedClient</strong>: Indicates the authorized client. This is a composite class that contains client registration but adds authentication information.</p> <p><strong>OAuth2AuthorizedClientService</strong>: Responsible for persisting <code>OAuth2AuthorizedClient</code> between web requests.</p> <p>To define <em>JdbcOAuth2AuthorizedClientService</em>, you need to create the required data tables, you can find them in <a href="https://docs.spring.io/spring-security/site/docs/5.4.5/reference/html5/#dbschema-oauth2%20-client">OAuth2 Client Schema</a> to get the table definition:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="k">TABLE</span> <span class="n">oauth2_authorized_client</span> <span class="p">(</span> <span class="n">client_registration_id</span> <span class="nb">varchar</span><span class="p">(</span><span class="mi">100</span><span class="p">)</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">principal_name</span> <span class="nb">varchar</span><span class="p">(</span><span class="mi">200</span><span class="p">)</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">access_token_type</span> <span class="nb">varchar</span><span class="p">(</span><span class="mi">100</span><span class="p">)</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">access_token_value</span> <span class="nb">blob</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">access_token_issued_at</span> <span class="nb">timestamp</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">access_token_expires_at</span> <span class="nb">timestamp</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">access_token_scopes</span> <span class="nb">varchar</span><span class="p">(</span><span class="mi">1000</span><span class="p">)</span> <span class="k">DEFAULT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">refresh_token_value</span> <span class="nb">blob</span> <span class="k">DEFAULT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">refresh_token_issued_at</span> <span class="nb">timestamp</span> <span class="k">DEFAULT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">created_at</span> <span class="nb">timestamp</span> <span class="k">DEFAULT</span> <span class="k">CURRENT_TIMESTAMP</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="k">PRIMARY</span> <span class="k">KEY</span> <span class="p">(</span><span class="n">client_registration_id</span><span class="p">,</span> <span class="n">principal_name</span><span class="p">)</span> <span class="p">);</span> </code></pre> </div> <p>Next configure the <em>OAuth2AuthorizedClientRepository</em> container class:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">OAuth2AuthorizedClientRepository</span> <span class="nf">authorizedClientRepository</span><span class="o">(</span> <span class="nc">OAuth2AuthorizedClientService</span> <span class="n">authorizedClientService</span><span class="o">)</span> <span class="o">{</span> <span class="k">return</span> <span class="k">new</span> <span class="nf">AuthenticatedPrincipalOAuth2AuthorizedClientRepository</span><span class="o">(</span><span class="n">authorizedClientService</span><span class="o">);</span> <span class="o">}</span> </code></pre> </div> <p><strong>OAuth2AuthorizedClientRepository</strong>: is a container class used to save and persist authorized clients between requests. Here, the client is stored in the database through <em>JdbcOAuth2AuthorizedClientService</em>.</p> <p>Next instantiate the manager class that contains the logic for the authorization flow:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@Bean</span> <span class="nc">OAuth2AuthorizedClientManager</span> <span class="nf">authorizedClientManager</span><span class="o">(</span><span class="nc">ClientRegistrationRepository</span> <span class="n">clientRegistrationRepository</span><span class="o">,</span> <span class="nc">OAuth2AuthorizedClientRepository</span> <span class="n">authorizedClientRepository</span><span class="o">)</span> <span class="o">{</span> <span class="nc">OAuth2AuthorizedClientProvider</span> <span class="n">authorizedClientProvider</span> <span class="o">=</span> <span class="nc">OAuth2AuthorizedClientProviderBuilder</span> <span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">authorizationCode</span><span class="o">()</span> <span class="o">.</span><span class="na">refreshToken</span><span class="o">()</span> <span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="nc">DefaultOAuth2AuthorizedClientManager</span> <span class="n">authorizedClientManager</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">DefaultOAuth2AuthorizedClientManager</span><span class="o">(</span><span class="n">clientRegistrationRepository</span><span class="o">,</span> <span class="n">authorizedClientRepository</span><span class="o">);</span> <span class="n">authorizedClientManager</span><span class="o">.</span><span class="na">setAuthorizedClientProvider</span><span class="o">(</span><span class="n">authorizedClientProvider</span><span class="o">);</span> <span class="k">return</span> <span class="n">authorizedClientManager</span><span class="o">;</span> <span class="o">}</span> </code></pre> </div> <p><strong>OAuth2AuthorizedClientManager</strong>: is the manager class that contains the logic for handling the authorization process. Most importantly, it uses <code>OAuth2AuthorizedClientProvider</code> to handle the actual request logic for different grant types and OAuth 2.0 providers. It also delegates to <code>OAuth2AuthorizedClientRepository</code> to call success or failure handlers when client authorization succeeds or fails.</p> <p>Now let's create a WebClient instance to perform HTTP requests to the resource server:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> @Bean WebClient webClient(OAuth2AuthorizedClientManager authorizedClientManager) { ServletOAuth2AuthorizedClientExchangeFilterFunction oauth2Client = new ServletOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager); return WebClient.builder() .apply(oauth2Client.oauth2Configuration()) .build(); } </code></pre> </div> <p>Finally, we'll configure the Spring Security security configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> @Bean SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { http .authorizeRequests(authorizeRequests -&gt; authorizeRequests.anyRequest().authenticated() ) .formLogin(login -&gt; { login.loginPage("/login").permitAll(); }) .oauth2Client(withDefaults()); return http.build(); } </code></pre> </div> <p>Configure all requests here to require authentication and authorization, provide Form form authentication methods, and customize the login template through <a href="https://www.thymeleaf.org/">thymeleaf</a>. The code here is not within the scope of this article, and the following will not Show specific details.</p> <h4> Access resource list </h4> <p>We will create a <em>PersistenceClientController</em> and use WebClient to make an HTTP request to the resource server:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@RestController</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">PersistenceClientController</span> <span class="o">{</span> <span class="nd">@Autowired</span> <span class="kd">private</span> <span class="nc">WebClient</span> <span class="n">webClient</span><span class="o">;</span> <span class="nd">@GetMapping</span><span class="o">(</span><span class="n">value</span> <span class="o">=</span> <span class="s">"/client/test"</span><span class="o">)</span> <span class="kd">public</span> <span class="nc">List</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">&gt;</span> <span class="nf">getArticles</span><span class="o">(</span><span class="nd">@RegisteredOAuth2AuthorizedClient</span><span class="o">(</span><span class="s">"messaging-client-authorization-code"</span><span class="o">)</span> <span class="nc">OAuth2AuthorizedClient</span> <span class="n">authorizedClient</span><span class="o">)</span> <span class="o">{</span> <span class="k">return</span> <span class="k">this</span><span class="o">.</span><span class="na">webClient</span> <span class="o">.</span><span class="na">get</span><span class="o">()</span> <span class="o">.</span><span class="na">uri</span><span class="o">(</span><span class="s">"http://127.0.0.1:8090/resource/article"</span><span class="o">)</span> <span class="o">.</span><span class="na">attributes</span><span class="o">(</span><span class="n">oauth2AuthorizedClient</span><span class="o">(</span><span class="n">authorizedClient</span><span class="o">))</span> <span class="o">.</span><span class="na">retrieve</span><span class="o">()</span> <span class="o">.</span><span class="na">bodyToMono</span><span class="o">(</span><span class="nc">List</span><span class="o">.</span><span class="na">class</span><span class="o">)</span> <span class="o">.</span><span class="na">block</span><span class="o">();</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>In this article, you have seen the implementation method of OAuth2 client service persistence to the database. I will not explain the configuration of other authorization servers and resource servers. If you are interested, you can refer to this article <a href="https://dev.to/relive27/using-jwt-with-spring-security-oauth2-41jp">Combining JWT with Spring Security OAuth2</a>.</p> <h3> Conclusion </h3> <p>As always, the source code used in this article is available <a href="https://github.com/ReLive27/spring-security-oauth2-sample/tree/main/oauth2-persistence-client">on GitHub</a>.</p> <p>You might want to read on to the next one:</p> <ul> <li><a href="https://dev.to/relive27/spring-security-oauth2-client-credentials-grant-fj5">Spring Security OAuth2 Client Credentials Grant</a></li> <li><a href="https://dev.to/relive27/authorization-code-flow-with-proof-key-for-code-exchange-pkce-4h22">Authorization Code Flow with Proof Key for Code Exchange (PKCE)</a></li> <li><a href="https://dev.to/relive27/spring-security-oauth2-login-51lj">Spring Security OAuth2 Login</a></li> </ul> <p>Thanks for reading!</p> java security oauth2 springsecurity Customize the OAuth2 Authorization Consent Page ReLive27 Thu, 16 Feb 2023 03:08:41 +0000 https://dev.to/relive27/customize-the-oauth2-authorization-consent-page-24n6 https://dev.to/relive27/customize-the-oauth2-authorization-consent-page-24n6 <p><a href="https://dev.to/relive27/using-jwt-with-spring-security-oauth2-41jp">In the previous article</a>, we have briefly introduced how to build an authorization server. Next, we will continue to introduce how to customize the OAuth2 authorization consent page.</p> <p>If you can no longer tolerate the ugly default authorization consent page of <a href="https://spring.io/projects/spring-authorization-server#learn" rel="noopener noreferrer">Spring Authorization Server</a>, then you can continue reading this article and gradually create an authorization consent page that satisfies you.</p> <blockquote> <p>💡 Note: If you don’t want to read till the end, you can view the <a href="https://github.com/ReLive27/spring-security-oauth2-sample/tree/main/oauth2-custom-consent-authorizationserver" rel="noopener noreferrer">source code</a> here.Don’t forget to give a star to the project if you like it!</p> </blockquote> <h3> OAuth2 authorization server implementation </h3> <p>Start by creating an authorization server.</p> <h4> Maven dependencies </h4> <div class="highlight js-code-highlight"> <pre class="highlight xml"><code><span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.springframework.boot<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-boot-starter-security<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>2.6.7<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;/dependency&gt;</span> <span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.springframework.security<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-security-oauth2-authorization-server<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>0.3.1<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;/dependency&gt;</span> <span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.springframework.boot<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-boot-starter-web<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>2.6.7<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;/dependency&gt;</span> <span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.springframework.boot<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-boot-starter-thymeleaf<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>2.6.7<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;/dependency&gt;</span> </code></pre> </div> <h4> Configuration </h4> <p>First we configure port 8080 for the authorization server:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">server</span><span class="pi">:</span> <span class="na">port</span><span class="pi">:</span> <span class="m">8080</span> </code></pre> </div> <p>Then we create an <code>AuthorizationServerConfig</code> configuration class, in this class we will create the specific beans required by the OAuth2 authorization server. First specify that we authorize the consent page <em>/oauth2/consent</em> URI to replace the original default implementation.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@Configuration</span><span class="o">(</span><span class="n">proxyBeanMethods</span> <span class="o">=</span> <span class="kc">false</span><span class="o">)</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">AuthorizationServerConfig</span> <span class="o">{</span> <span class="kd">private</span> <span class="kd">static</span> <span class="kd">final</span> <span class="nc">String</span> <span class="no">CUSTOM_CONSENT_PAGE_URI</span> <span class="o">=</span> <span class="s">"/oauth2/consent"</span><span class="o">;</span> <span class="nd">@Bean</span> <span class="nd">@Order</span><span class="o">(</span><span class="nc">Ordered</span><span class="o">.</span><span class="na">HIGHEST_PRECEDENCE</span><span class="o">)</span> <span class="kd">public</span> <span class="nc">SecurityFilterChain</span> <span class="nf">authorizationServerSecurityFilterChain</span><span class="o">(</span><span class="nc">HttpSecurity</span> <span class="n">http</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="nc">OAuth2AuthorizationServerConfigurer</span><span class="o">&lt;</span><span class="nc">HttpSecurity</span><span class="o">&gt;</span> <span class="n">authorizationServerConfigurer</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">OAuth2AuthorizationServerConfigurer</span><span class="o">&lt;&gt;();</span> <span class="c1">//define authorization consent page</span> <span class="n">authorizationServerConfigurer</span><span class="o">.</span><span class="na">authorizationEndpoint</span><span class="o">(</span><span class="n">authorizationEndpoint</span> <span class="o">-&gt;</span> <span class="n">authorizationEndpoint</span><span class="o">.</span><span class="na">consentPage</span><span class="o">(</span><span class="no">CUSTOM_CONSENT_PAGE_URI</span><span class="o">));</span> <span class="nc">RequestMatcher</span> <span class="n">endpointsMatcher</span> <span class="o">=</span> <span class="n">authorizationServerConfigurer</span> <span class="o">.</span><span class="na">getEndpointsMatcher</span><span class="o">();</span> <span class="n">http</span><span class="o">.</span><span class="na">requestMatcher</span><span class="o">(</span><span class="n">endpointsMatcher</span><span class="o">)</span> <span class="o">.</span><span class="na">authorizeRequests</span><span class="o">(</span><span class="n">authorizeRequests</span> <span class="o">-&gt;</span> <span class="n">authorizeRequests</span><span class="o">.</span><span class="na">anyRequest</span><span class="o">().</span><span class="na">authenticated</span><span class="o">()</span> <span class="o">)</span> <span class="o">.</span><span class="na">csrf</span><span class="o">(</span><span class="n">csrf</span> <span class="o">-&gt;</span> <span class="n">csrf</span><span class="o">.</span><span class="na">ignoringRequestMatchers</span><span class="o">(</span><span class="n">endpointsMatcher</span><span class="o">))</span> <span class="o">.</span><span class="na">apply</span><span class="o">(</span><span class="n">authorizationServerConfigurer</span><span class="o">);</span> <span class="k">return</span> <span class="n">http</span><span class="o">.</span><span class="na">exceptionHandling</span><span class="o">(</span><span class="n">exceptions</span> <span class="o">-&gt;</span> <span class="n">exceptions</span><span class="o">.</span> <span class="nf">authenticationEntryPoint</span><span class="o">(</span><span class="k">new</span> <span class="nc">LoginUrlAuthenticationEntryPoint</span><span class="o">(</span><span class="s">"/login"</span><span class="o">))).</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> <span class="c1">//...</span> <span class="o">}</span> </code></pre> </div> <p>Next we create an OAuth2 client using the <em>RegisteredClient</em> builder type and store it in the cache.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">RegisteredClientRepository</span> <span class="nf">registeredClientRepository</span><span class="o">()</span> <span class="o">{</span> <span class="nc">RegisteredClient</span> <span class="n">registeredClient</span> <span class="o">=</span> <span class="nc">RegisteredClient</span><span class="o">.</span><span class="na">withId</span><span class="o">(</span><span class="no">UUID</span><span class="o">.</span><span class="na">randomUUID</span><span class="o">().</span><span class="na">toString</span><span class="o">())</span> <span class="o">.</span><span class="na">clientId</span><span class="o">(</span><span class="s">"relive-client"</span><span class="o">)</span> <span class="o">.</span><span class="na">clientSecret</span><span class="o">(</span><span class="s">"{noop}relive-client"</span><span class="o">)</span> <span class="o">.</span><span class="na">clientName</span><span class="o">(</span><span class="s">"ReLive27"</span><span class="o">)</span> <span class="o">.</span><span class="na">clientAuthenticationMethods</span><span class="o">(</span><span class="n">s</span> <span class="o">-&gt;</span> <span class="o">{</span> <span class="n">s</span><span class="o">.</span><span class="na">add</span><span class="o">(</span><span class="nc">ClientAuthenticationMethod</span><span class="o">.</span><span class="na">CLIENT_SECRET_POST</span><span class="o">);</span> <span class="n">s</span><span class="o">.</span><span class="na">add</span><span class="o">(</span><span class="nc">ClientAuthenticationMethod</span><span class="o">.</span><span class="na">CLIENT_SECRET_BASIC</span><span class="o">);</span> <span class="o">})</span> <span class="o">.</span><span class="na">authorizationGrantType</span><span class="o">(</span><span class="nc">AuthorizationGrantType</span><span class="o">.</span><span class="na">AUTHORIZATION_CODE</span><span class="o">)</span> <span class="o">.</span><span class="na">authorizationGrantType</span><span class="o">(</span><span class="nc">AuthorizationGrantType</span><span class="o">.</span><span class="na">REFRESH_TOKEN</span><span class="o">)</span> <span class="o">.</span><span class="na">authorizationGrantType</span><span class="o">(</span><span class="nc">AuthorizationGrantType</span><span class="o">.</span><span class="na">CLIENT_CREDENTIALS</span><span class="o">)</span> <span class="o">.</span><span class="na">authorizationGrantType</span><span class="o">(</span><span class="nc">AuthorizationGrantType</span><span class="o">.</span><span class="na">PASSWORD</span><span class="o">)</span> <span class="o">.</span><span class="na">redirectUri</span><span class="o">(</span><span class="s">"http://127.0.0.1:8070/login/oauth2/code/messaging-client-authorization-code"</span><span class="o">)</span> <span class="o">.</span><span class="na">scope</span><span class="o">(</span><span class="nc">OidcScopes</span><span class="o">.</span><span class="na">PROFILE</span><span class="o">)</span> <span class="o">.</span><span class="na">scope</span><span class="o">(</span><span class="s">"message.read"</span><span class="o">)</span> <span class="o">.</span><span class="na">scope</span><span class="o">(</span><span class="s">"message.write"</span><span class="o">)</span> <span class="o">.</span><span class="na">clientSettings</span><span class="o">(</span><span class="nc">ClientSettings</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">requireAuthorizationConsent</span><span class="o">(</span><span class="kc">true</span><span class="o">)</span> <span class="o">.</span><span class="na">requireProofKey</span><span class="o">(</span><span class="kc">false</span><span class="o">)</span> <span class="o">.</span><span class="na">build</span><span class="o">())</span> <span class="o">.</span><span class="na">tokenSettings</span><span class="o">(</span><span class="nc">TokenSettings</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">accessTokenFormat</span><span class="o">(</span><span class="nc">OAuth2TokenFormat</span><span class="o">.</span><span class="na">SELF_CONTAINED</span><span class="o">)</span> <span class="o">.</span><span class="na">idTokenSignatureAlgorithm</span><span class="o">(</span><span class="nc">SignatureAlgorithm</span><span class="o">.</span><span class="na">RS256</span><span class="o">)</span> <span class="o">.</span><span class="na">accessTokenTimeToLive</span><span class="o">(</span><span class="nc">Duration</span><span class="o">.</span><span class="na">ofSeconds</span><span class="o">(</span><span class="mi">30</span> <span class="o">*</span> <span class="mi">60</span><span class="o">))</span> <span class="o">.</span><span class="na">refreshTokenTimeToLive</span><span class="o">(</span><span class="nc">Duration</span><span class="o">.</span><span class="na">ofSeconds</span><span class="o">(</span><span class="mi">60</span> <span class="o">*</span> <span class="mi">60</span><span class="o">))</span> <span class="o">.</span><span class="na">reuseRefreshTokens</span><span class="o">(</span><span class="kc">true</span><span class="o">)</span> <span class="o">.</span><span class="na">build</span><span class="o">())</span> <span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="k">return</span> <span class="k">new</span> <span class="nf">InMemoryRegisteredClientRepository</span><span class="o">(</span><span class="n">registeredClient</span><span class="o">);</span> <span class="o">}</span> </code></pre> </div> <p>The rest of the configuration will not be described in detail, you can refer to the previous <a href="https://dev.to/relive27/using-jwt-with-spring-security-oauth2-41jp">Using JWT with Spring Security OAuth2</a> article.</p> <p>Next we will create an authorization page controller and pass the required parameters to the <em>Model</em>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@Controller</span> <span class="nd">@RequiredArgsConstructor</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">AuthorizationConsentController</span> <span class="o">{</span> <span class="kd">private</span> <span class="kd">final</span> <span class="nc">RegisteredClientRepository</span> <span class="n">registeredClientRepository</span><span class="o">;</span> <span class="nd">@GetMapping</span><span class="o">(</span><span class="n">value</span> <span class="o">=</span> <span class="s">"/oauth2/consent"</span><span class="o">)</span> <span class="kd">public</span> <span class="nc">String</span> <span class="nf">consent</span><span class="o">(</span><span class="nc">Principal</span> <span class="n">principal</span><span class="o">,</span> <span class="nc">Model</span> <span class="n">model</span><span class="o">,</span> <span class="nd">@RequestParam</span><span class="o">(</span><span class="nc">OAuth2ParameterNames</span><span class="o">.</span><span class="na">CLIENT_ID</span><span class="o">)</span> <span class="nc">String</span> <span class="n">clientId</span><span class="o">,</span> <span class="nd">@RequestParam</span><span class="o">(</span><span class="nc">OAuth2ParameterNames</span><span class="o">.</span><span class="na">SCOPE</span><span class="o">)</span> <span class="nc">String</span> <span class="n">scope</span><span class="o">,</span> <span class="nd">@RequestParam</span><span class="o">(</span><span class="nc">OAuth2ParameterNames</span><span class="o">.</span><span class="na">STATE</span><span class="o">)</span> <span class="nc">String</span> <span class="n">state</span><span class="o">)</span> <span class="o">{</span> <span class="nc">Set</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">&gt;</span> <span class="n">scopesToApprove</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">LinkedHashSet</span><span class="o">&lt;&gt;();</span> <span class="nc">RegisteredClient</span> <span class="n">registeredClient</span> <span class="o">=</span> <span class="k">this</span><span class="o">.</span><span class="na">registeredClientRepository</span><span class="o">.</span><span class="na">findByClientId</span><span class="o">(</span><span class="n">clientId</span><span class="o">);</span> <span class="nc">Set</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">&gt;</span> <span class="n">scopes</span> <span class="o">=</span> <span class="n">registeredClient</span><span class="o">.</span><span class="na">getScopes</span><span class="o">();</span> <span class="k">for</span> <span class="o">(</span><span class="nc">String</span> <span class="n">requestedScope</span> <span class="o">:</span> <span class="nc">StringUtils</span><span class="o">.</span><span class="na">delimitedListToStringArray</span><span class="o">(</span><span class="n">scope</span><span class="o">,</span> <span class="s">" "</span><span class="o">))</span> <span class="o">{</span> <span class="k">if</span> <span class="o">(</span><span class="n">scopes</span><span class="o">.</span><span class="na">contains</span><span class="o">(</span><span class="n">requestedScope</span><span class="o">))</span> <span class="o">{</span> <span class="n">scopesToApprove</span><span class="o">.</span><span class="na">add</span><span class="o">(</span><span class="n">requestedScope</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> <span class="n">model</span><span class="o">.</span><span class="na">addAttribute</span><span class="o">(</span><span class="s">"clientId"</span><span class="o">,</span> <span class="n">clientId</span><span class="o">);</span> <span class="n">model</span><span class="o">.</span><span class="na">addAttribute</span><span class="o">(</span><span class="s">"clientName"</span><span class="o">,</span> <span class="n">registeredClient</span><span class="o">.</span><span class="na">getClientName</span><span class="o">());</span> <span class="n">model</span><span class="o">.</span><span class="na">addAttribute</span><span class="o">(</span><span class="s">"state"</span><span class="o">,</span> <span class="n">state</span><span class="o">);</span> <span class="n">model</span><span class="o">.</span><span class="na">addAttribute</span><span class="o">(</span><span class="s">"scopes"</span><span class="o">,</span> <span class="n">withDescription</span><span class="o">(</span><span class="n">scopesToApprove</span><span class="o">));</span> <span class="n">model</span><span class="o">.</span><span class="na">addAttribute</span><span class="o">(</span><span class="s">"principalName"</span><span class="o">,</span> <span class="n">principal</span><span class="o">.</span><span class="na">getName</span><span class="o">());</span> <span class="n">model</span><span class="o">.</span><span class="na">addAttribute</span><span class="o">(</span><span class="s">"redirectUri"</span><span class="o">,</span> <span class="n">registeredClient</span><span class="o">.</span><span class="na">getRedirectUris</span><span class="o">().</span><span class="na">iterator</span><span class="o">().</span><span class="na">next</span><span class="o">());</span> <span class="k">return</span> <span class="s">"consent"</span><span class="o">;</span> <span class="o">}</span> <span class="kd">private</span> <span class="kd">static</span> <span class="nc">Set</span><span class="o">&lt;</span><span class="nc">ScopeWithDescription</span><span class="o">&gt;</span> <span class="nf">withDescription</span><span class="o">(</span><span class="nc">Set</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">&gt;</span> <span class="n">scopes</span><span class="o">)</span> <span class="o">{</span> <span class="nc">Set</span><span class="o">&lt;</span><span class="nc">ScopeWithDescription</span><span class="o">&gt;</span> <span class="n">scopeWithDescriptions</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">LinkedHashSet</span><span class="o">&lt;&gt;();</span> <span class="k">for</span> <span class="o">(</span><span class="nc">String</span> <span class="n">scope</span> <span class="o">:</span> <span class="n">scopes</span><span class="o">)</span> <span class="o">{</span> <span class="n">scopeWithDescriptions</span><span class="o">.</span><span class="na">add</span><span class="o">(</span><span class="k">new</span> <span class="nc">ScopeWithDescription</span><span class="o">(</span><span class="n">scope</span><span class="o">));</span> <span class="o">}</span> <span class="k">return</span> <span class="n">scopeWithDescriptions</span><span class="o">;</span> <span class="o">}</span> <span class="kd">public</span> <span class="kd">static</span> <span class="kd">class</span> <span class="nc">ScopeWithDescription</span> <span class="o">{</span> <span class="kd">private</span> <span class="kd">static</span> <span class="kd">final</span> <span class="nc">String</span> <span class="no">DEFAULT_DESCRIPTION</span> <span class="o">=</span> <span class="s">"我们无法提供有关此权限的信息"</span><span class="o">;</span> <span class="kd">private</span> <span class="kd">static</span> <span class="kd">final</span> <span class="nc">Map</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">,</span> <span class="nc">String</span><span class="o">&gt;</span> <span class="n">scopeDescriptions</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">HashMap</span><span class="o">&lt;&gt;();</span> <span class="kd">static</span> <span class="o">{</span> <span class="n">scopeDescriptions</span><span class="o">.</span><span class="na">put</span><span class="o">(</span> <span class="s">"profile"</span><span class="o">,</span> <span class="s">"验证您的身份"</span> <span class="o">);</span> <span class="n">scopeDescriptions</span><span class="o">.</span><span class="na">put</span><span class="o">(</span> <span class="s">"message.read"</span><span class="o">,</span> <span class="s">"了解您可以访问哪些权限"</span> <span class="o">);</span> <span class="n">scopeDescriptions</span><span class="o">.</span><span class="na">put</span><span class="o">(</span> <span class="s">"message.write"</span><span class="o">,</span> <span class="s">"代表您行事"</span> <span class="o">);</span> <span class="o">}</span> <span class="kd">public</span> <span class="kd">final</span> <span class="nc">String</span> <span class="n">scope</span><span class="o">;</span> <span class="kd">public</span> <span class="kd">final</span> <span class="nc">String</span> <span class="n">description</span><span class="o">;</span> <span class="nc">ScopeWithDescription</span><span class="o">(</span><span class="nc">String</span> <span class="n">scope</span><span class="o">)</span> <span class="o">{</span> <span class="k">this</span><span class="o">.</span><span class="na">scope</span> <span class="o">=</span> <span class="n">scope</span><span class="o">;</span> <span class="k">this</span><span class="o">.</span><span class="na">description</span> <span class="o">=</span> <span class="n">scopeDescriptions</span><span class="o">.</span><span class="na">getOrDefault</span><span class="o">(</span><span class="n">scope</span><span class="o">,</span> <span class="no">DEFAULT_DESCRIPTION</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>Then let's define the html page, here we use the <a href="https://www.thymeleaf.org/" rel="noopener noreferrer">thymeleaf</a> template engine:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="cp">&lt;!DOCTYPE html&gt;</span> <span class="nt">&lt;html</span> <span class="na">lang=</span><span class="s">"en"</span><span class="nt">&gt;</span> <span class="nt">&lt;head&gt;</span> <span class="nt">&lt;meta</span> <span class="na">charset=</span><span class="s">"utf-8"</span><span class="nt">&gt;</span> <span class="nt">&lt;meta</span> <span class="na">name=</span><span class="s">"viewport"</span> <span class="na">content=</span><span class="s">"width=device-width, initial-scale=1, shrink-to-fit=no"</span><span class="nt">&gt;</span> <span class="nt">&lt;link</span> <span class="na">rel=</span><span class="s">"stylesheet"</span> <span class="na">href=</span><span class="s">"https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/css/bootstrap.min.css"</span> <span class="na">integrity=</span><span class="s">"sha384-JcKb8q3iqJ61gNV9KGb8thSsNjpSL0n8PARn9HuZOnIxN0hoP+VmmDGMN5t9UJ0Z"</span> <span class="na">crossorigin=</span><span class="s">"anonymous"</span><span class="nt">&gt;</span> <span class="nt">&lt;title&gt;</span>Custom consent page - Consent required<span class="nt">&lt;/title&gt;</span> <span class="nt">&lt;style&gt;</span> <span class="nt">body</span> <span class="p">{</span> <span class="nl">background-color</span><span class="p">:</span> <span class="m">#f6f8fa</span><span class="p">;</span> <span class="p">}</span> <span class="nf">#submit-consent</span> <span class="p">{</span> <span class="nl">width</span><span class="p">:</span> <span class="m">45%</span><span class="p">;</span> <span class="nl">float</span><span class="p">:</span> <span class="nb">right</span><span class="p">;</span> <span class="nl">height</span><span class="p">:</span> <span class="m">40px</span><span class="p">;</span> <span class="nl">font-size</span><span class="p">:</span> <span class="m">18px</span><span class="p">;</span> <span class="nl">border-color</span><span class="p">:</span> <span class="m">#cccccc</span><span class="p">;</span> <span class="nl">margin-right</span><span class="p">:</span> <span class="m">3%</span><span class="p">;</span> <span class="p">}</span> <span class="nf">#cancel-consent</span> <span class="p">{</span> <span class="nl">width</span><span class="p">:</span> <span class="m">45%</span><span class="p">;</span> <span class="nl">height</span><span class="p">:</span> <span class="m">40px</span><span class="p">;</span> <span class="nl">font-size</span><span class="p">:</span> <span class="m">18px</span><span class="p">;</span> <span class="nl">color</span><span class="p">:</span> <span class="no">black</span><span class="p">;</span> <span class="nl">background-color</span><span class="p">:</span> <span class="m">#cccccc</span><span class="p">;</span> <span class="nl">border-color</span><span class="p">:</span> <span class="m">#cccccc</span><span class="p">;</span> <span class="nl">float</span><span class="p">:</span> <span class="nb">left</span><span class="p">;</span> <span class="nl">margin-left</span><span class="p">:</span> <span class="m">3%</span><span class="p">;</span> <span class="p">}</span> <span class="nt">&lt;/style&gt;</span> <span class="nt">&lt;script&gt;</span> <span class="kd">function</span> <span class="nf">cancelConsent</span><span class="p">()</span> <span class="p">{</span> <span class="nb">document</span><span class="p">.</span><span class="nx">consent_form</span><span class="p">.</span><span class="nf">reset</span><span class="p">();</span> <span class="nb">document</span><span class="p">.</span><span class="nx">consent_form</span><span class="p">.</span><span class="nf">submit</span><span class="p">();</span> <span class="p">}</span> <span class="nt">&lt;/script&gt;</span> <span class="nt">&lt;/head&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;div</span> <span class="na">style=</span><span class="s">"width: 500px;height: 600px;margin: 100px auto"</span><span class="nt">&gt;</span> <span class="nt">&lt;h5</span> <span class="na">style=</span><span class="s">"text-align: center"</span><span class="nt">&gt;&lt;b</span> <span class="na">th:text=</span><span class="s">"${clientName}"</span><span class="nt">&gt;&lt;/b&gt;</span>希望获得以下许可:<span class="nt">&lt;/h5&gt;</span> <span class="nt">&lt;div</span> <span class="na">style=</span><span class="s">"width: 100%;height: 500px;border: #cccccc 1px solid;border-radius: 10px"</span><span class="nt">&gt;</span> <span class="nt">&lt;form</span> <span class="na">name=</span><span class="s">"consent_form"</span> <span class="na">method=</span><span class="s">"post"</span> <span class="na">action=</span><span class="s">"/oauth2/authorize"</span><span class="nt">&gt;</span> <span class="nt">&lt;input</span> <span class="na">type=</span><span class="s">"hidden"</span> <span class="na">name=</span><span class="s">"client_id"</span> <span class="na">th:value=</span><span class="s">"${clientId}"</span><span class="nt">&gt;</span> <span class="nt">&lt;input</span> <span class="na">type=</span><span class="s">"hidden"</span> <span class="na">name=</span><span class="s">"state"</span> <span class="na">th:value=</span><span class="s">"${state}"</span><span class="nt">&gt;</span> <span class="nt">&lt;div</span> <span class="na">th:each=</span><span class="s">"scope: ${scopes}"</span> <span class="na">class=</span><span class="s">"form-group form-check py-1"</span> <span class="na">style=</span><span class="s">"margin-left: 5%"</span><span class="nt">&gt;</span> <span class="nt">&lt;input</span> <span class="na">class=</span><span class="s">"form-check-input"</span> <span class="na">type=</span><span class="s">"checkbox"</span> <span class="na">name=</span><span class="s">"scope"</span> <span class="na">th:value=</span><span class="s">"${scope.scope}"</span> <span class="na">th:id=</span><span class="s">"${scope.scope}"</span> <span class="na">checked</span><span class="nt">&gt;</span> <span class="nt">&lt;label</span> <span class="na">class=</span><span class="s">"form-check-label font-weight-bold"</span> <span class="na">th:for=</span><span class="s">"${scope.scope}"</span> <span class="na">th:text=</span><span class="s">"${scope.scope}=='profile'?(${scope.description}+'('+${principalName}+')'):${scope.description}"</span><span class="nt">&gt;&lt;/label&gt;</span> <span class="nt">&lt;/div&gt;</span> <span class="nt">&lt;hr</span> <span class="na">style=</span><span class="s">"width: 90%"</span><span class="nt">&gt;</span> <span class="nt">&lt;p</span> <span class="na">style=</span><span class="s">"margin-left: 5%"</span><span class="nt">&gt;&lt;b</span> <span class="na">th:text=</span><span class="s">"${clientName}"</span><span class="nt">&gt;&lt;/b&gt;</span>尚未安装在您有权访问的任何账户上。<span class="nt">&lt;/p&gt;</span> <span class="nt">&lt;hr</span> <span class="na">style=</span><span class="s">"width: 90%"</span><span class="nt">&gt;</span> <span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">"form-group pt-3"</span> <span class="na">style=</span><span class="s">"width: 100%;height: 80px;"</span><span class="nt">&gt;</span> <span class="nt">&lt;button</span> <span class="na">class=</span><span class="s">"btn btn-primary btn-lg"</span> <span class="na">type=</span><span class="s">"submit"</span> <span class="na">id=</span><span class="s">"submit-consent"</span><span class="nt">&gt;</span> 授权同意 <span class="nt">&lt;/button&gt;</span> <span class="nt">&lt;button</span> <span class="na">class=</span><span class="s">"btn btn-primary btn-lg"</span> <span class="na">type=</span><span class="s">"button"</span> <span class="na">id=</span><span class="s">"cancel-consent"</span> <span class="na">onclick=</span><span class="s">"cancelConsent();"</span><span class="nt">&gt;</span> 取消 <span class="nt">&lt;/button&gt;</span> <span class="nt">&lt;/div&gt;</span> <span class="nt">&lt;div</span> <span class="na">style=</span><span class="s">"margin-top: 5px;width: 100%;height: 50px"</span><span class="nt">&gt;</span> <span class="nt">&lt;p</span> <span class="na">style=</span><span class="s">"text-align: center;font-size: 14px"</span><span class="nt">&gt;</span>授权将重定向到<span class="nt">&lt;/p&gt;</span> <span class="nt">&lt;p</span> <span class="na">style=</span><span class="s">"text-align: center;font-size: 14px"</span><span class="nt">&gt;&lt;b</span> <span class="na">th:text=</span><span class="s">"${redirectUri}"</span><span class="nt">&gt;&lt;/b&gt;&lt;/p&gt;</span> <span class="nt">&lt;/div&gt;</span> <span class="nt">&lt;/form&gt;</span> <span class="nt">&lt;/div&gt;</span> <span class="nt">&lt;/div&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h4> Access authorization page </h4> <p>After starting the service, we will initiate an authorization request, <a href="http://localhost:8080/oauth2/authorize?response_type=code&amp;client_id=relive-client&amp;scope=message.write%20message.read%20profile&amp;state%20=some-state&amp;redirect_uri=http://127.0.0.1:8070/login/oauth2/code/messaging-client-authorization-code" rel="noopener noreferrer">http://localhost:8080/oauth2/authorize?response_type=code&amp;client_id=relive-client&amp;scope=message.write%20message.read%20profile&amp;state=some-state&amp;redirect_uri=http:// 127.0.0.1:8070/login/oauth2/code/messaging-client-authorization-code</a>, after successful authentication, we can see the following authorized consent page we defined:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3iwt6xti0g4krea38x28.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3iwt6xti0g4krea38x28.png" alt=" " width="623" height="613"></a></p> <h3> Conclusion </h3> <p>As always, the source code used in this article is available <a href="https://github.com/ReLive27/spring-security-oauth2-sample/tree/main/oauth2-custom-consent-authorizationserver" rel="noopener noreferrer">on GitHub</a>.</p> <p>You might want to read on to the next one:</p> <ul> <li><a href="https://dev.to/relive27/spring-security-persistent-oauth2-client-1gcc">Spring Security Persistent OAuth2 Client</a></li> <li><a href="https://dev.to/relive27/spring-security-oauth2-client-credentials-grant-fj5">Spring Security OAuth2 Client Credentials Grant</a></li> <li><a href="https://dev.to/relive27/authorization-code-flow-with-proof-key-for-code-exchange-pkce-4h22">Authorization Code Flow with Proof Key for Code Exchange (PKCE)</a></li> <li><a href="https://dev.to/relive27/spring-security-oauth2-login-51lj">Spring Security OAuth2 Login</a></li> </ul> <p>Thanks for reading!</p> api developers opensource contributorswanted Using JWT with Spring Security OAuth2 ReLive27 Tue, 14 Feb 2023 11:24:31 +0000 https://dev.to/relive27/using-jwt-with-spring-security-oauth2-41jp https://dev.to/relive27/using-jwt-with-spring-security-oauth2-41jp <h3> Overview </h3> <p>OAuth 2.0 is the industry standard authorization protocol. OAuth 2.0 focuses on simplicity for client developers, while providing specific authorization flows for web applications, desktop applications, mobile phones, and living room devices.</p> <p>The OAuth authorization server is responsible for authenticating users and issuing access tokens containing user data and appropriate access policies.</p> <p>Below we will use <a href="https://spring.io/projects/spring-authorization-server#learn">Spring Authorization Server</a> to build a simple authorization server.</p> <blockquote> <p>💡 Note: If you don’t want to read till the end, you can view the <a href="https://github.com/ReLive27/spring-security-oauth2-sample/tree/main/oauth2-jwt">source code</a> here.Don’t forget to give a star to the project if you like it!</p> </blockquote> <h3> OAuth2 authorization server implementation </h3> <p>Let's start with the OAuth2 authorization server configuration implementation.</p> <h4> Maven dependencies </h4> <div class="highlight js-code-highlight"> <pre class="highlight xml"><code> <span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.springframework.boot<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-boot-starter-security<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>2.6.7<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;/dependency&gt;</span> <span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.springframework.security<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-security-oauth2-authorization-server<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>0.3.1<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;/dependency&gt;</span> </code></pre> </div> <h4> Configuration </h4> <p>First let's configure the database connection information through <code>application.yml</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">spring</span><span class="pi">:</span> <span class="na">application</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">auth-server</span> <span class="na">datasource</span><span class="pi">:</span> <span class="na">druid</span><span class="pi">:</span> <span class="na">db-type</span><span class="pi">:</span> <span class="s">mysql</span> <span class="na">driver-class-name</span><span class="pi">:</span> <span class="s">com.mysql.cj.jdbc.Driver</span> <span class="na">url</span><span class="pi">:</span> <span class="s">jdbc:mysql://localhost:3306/integrated_oauth?createDatabaseIfNotExist=true&amp;useUnicode=true&amp;characterEncoding=UTF-8&amp;useSSL=false&amp;serverTimezone=Asia/Shanghai&amp;allowPublicKeyRetrieval=true</span> <span class="na">username</span><span class="pi">:</span> <span class="s">&lt;&lt;username&gt;&gt;</span> <span class="c1"># modify username</span> <span class="na">password</span><span class="pi">:</span> <span class="s">&lt;&lt;password&gt;&gt;</span> <span class="c1"># change Password</span> </code></pre> </div> <p>Then we create an <code>AuthorizationServerConfig</code> configuration class, in this class we will create the specific beans required by the OAuth2 authorization server. The first one will be the client service repository, where we create a client using the <em>RegisteredClient</em> builder type and persist it to the database.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">RegisteredClientRepository</span> <span class="nf">registeredClientRepository</span><span class="o">(</span><span class="nc">JdbcTemplate</span> <span class="n">jdbcTemplate</span><span class="o">)</span> <span class="o">{</span> <span class="nc">RegisteredClient</span> <span class="n">registeredClient</span> <span class="o">=</span> <span class="nc">RegisteredClient</span><span class="o">.</span><span class="na">withId</span><span class="o">(</span><span class="no">UUID</span><span class="o">.</span><span class="na">randomUUID</span><span class="o">().</span><span class="na">toString</span><span class="o">())</span> <span class="o">.</span><span class="na">clientId</span><span class="o">(</span><span class="s">"relive-client"</span><span class="o">)</span> <span class="o">.</span><span class="na">clientSecret</span><span class="o">(</span><span class="s">"{noop}relive-client"</span><span class="o">)</span> <span class="o">.</span><span class="na">clientAuthenticationMethods</span><span class="o">(</span><span class="n">s</span> <span class="o">-&gt;</span> <span class="o">{</span> <span class="n">s</span><span class="o">.</span><span class="na">add</span><span class="o">(</span><span class="nc">ClientAuthenticationMethod</span><span class="o">.</span><span class="na">CLIENT_SECRET_POST</span><span class="o">);</span> <span class="n">s</span><span class="o">.</span><span class="na">add</span><span class="o">(</span><span class="nc">ClientAuthenticationMethod</span><span class="o">.</span><span class="na">CLIENT_SECRET_BASIC</span><span class="o">);</span> <span class="o">})</span> <span class="o">.</span><span class="na">authorizationGrantType</span><span class="o">(</span><span class="nc">AuthorizationGrantType</span><span class="o">.</span><span class="na">AUTHORIZATION_CODE</span><span class="o">)</span> <span class="o">.</span><span class="na">authorizationGrantType</span><span class="o">(</span><span class="nc">AuthorizationGrantType</span><span class="o">.</span><span class="na">REFRESH_TOKEN</span><span class="o">)</span> <span class="o">.</span><span class="na">authorizationGrantType</span><span class="o">(</span><span class="nc">AuthorizationGrantType</span><span class="o">.</span><span class="na">CLIENT_CREDENTIALS</span><span class="o">)</span> <span class="o">.</span><span class="na">authorizationGrantType</span><span class="o">(</span><span class="nc">AuthorizationGrantType</span><span class="o">.</span><span class="na">PASSWORD</span><span class="o">)</span> <span class="o">.</span><span class="na">redirectUri</span><span class="o">(</span><span class="s">"http://127.0.0.1:8070/login/oauth2/code/messaging-client-authorization-code"</span><span class="o">)</span> <span class="o">.</span><span class="na">scope</span><span class="o">(</span><span class="s">"message.read"</span><span class="o">)</span> <span class="o">.</span><span class="na">clientSettings</span><span class="o">(</span><span class="nc">ClientSettings</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">requireAuthorizationConsent</span><span class="o">(</span><span class="kc">true</span><span class="o">)</span> <span class="o">.</span><span class="na">requireProofKey</span><span class="o">(</span><span class="kc">false</span><span class="o">)</span> <span class="o">.</span><span class="na">build</span><span class="o">())</span> <span class="o">.</span><span class="na">tokenSettings</span><span class="o">(</span><span class="nc">TokenSettings</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">idTokenSignatureAlgorithm</span><span class="o">(</span><span class="nc">SignatureAlgorithm</span><span class="o">.</span><span class="na">RS256</span><span class="o">)</span> <span class="o">.</span><span class="na">accessTokenTimeToLive</span><span class="o">(</span><span class="nc">Duration</span><span class="o">.</span><span class="na">ofSeconds</span><span class="o">(</span><span class="mi">30</span> <span class="o">*</span> <span class="mi">60</span><span class="o">))</span> <span class="o">.</span><span class="na">refreshTokenTimeToLive</span><span class="o">(</span><span class="nc">Duration</span><span class="o">.</span><span class="na">ofSeconds</span><span class="o">(</span><span class="mi">60</span> <span class="o">*</span> <span class="mi">60</span><span class="o">))</span> <span class="o">.</span><span class="na">reuseRefreshTokens</span><span class="o">(</span><span class="kc">true</span><span class="o">)</span> <span class="o">.</span><span class="na">build</span><span class="o">())</span> <span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="nc">JdbcRegisteredClientRepository</span> <span class="n">registeredClientRepository</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">JdbcRegisteredClientRepository</span><span class="o">(</span><span class="n">jdbcTemplate</span><span class="o">);</span> <span class="n">registeredClientRepository</span><span class="o">.</span><span class="na">save</span><span class="o">(</span><span class="n">registeredClient</span><span class="o">);</span> <span class="k">return</span> <span class="n">registeredClientRepository</span><span class="o">;</span> <span class="o">}</span> </code></pre> </div> <p>The properties we configure are:</p> <ul> <li>id--RegisteredClient unique id</li> <li>clientId--client identifier</li> <li>clientSecret--client secret</li> <li>clientAuthenticationMethods--the authentication method the client may use. Supported values are <code>client_secret_basic</code>, <code>client_secret_post</code>, <code>private_key_jwt</code>, <code>client_secret_jwt</code>, and <code>none</code> </li> <li>authorizationGrantTypes--the types of grants the client can use. Supported values are <code>authorization_code</code>, <code>client_credentials</code> and <code>refresh_token</code> </li> <li>redirectUris--client has registered redirect URI</li> <li>scopes--The ranges that clients are allowed to request</li> <li><p>clientSettings--client Custom Settings</p></li> <li><p>tokenSettings--custom settings for OAuth2 tokens issued to clients</p></li> </ul> <p>Next let's configure the central component OAuth2AuthorizationService that stores new authorizations and queries existing ones.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">OAuth2AuthorizationService</span> <span class="nf">authorizationService</span><span class="o">(</span><span class="nc">JdbcTemplate</span> <span class="n">jdbcTemplate</span><span class="o">,</span> <span class="nc">RegisteredClientRepository</span> <span class="n">registeredClientRepository</span><span class="o">)</span> <span class="o">{</span> <span class="k">return</span> <span class="k">new</span> <span class="nf">JdbcOAuth2AuthorizationService</span><span class="o">(</span><span class="n">jdbcTemplate</span><span class="o">,</span> <span class="n">registeredClientRepository</span><span class="o">);</span> <span class="o">}</span> </code></pre> </div> <p>For the authorization "consent" of an OAuth2 authorization request, Spring provides <em>OAuth2AuthorizationConsentService</em> components for storing new authorization consents and querying existing authorization consents.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">OAuth2AuthorizationConsentService</span> <span class="nf">authorizationConsentService</span><span class="o">(</span><span class="nc">JdbcTemplate</span> <span class="n">jdbcTemplate</span><span class="o">,</span> <span class="nc">RegisteredClientRepository</span> <span class="n">registeredClientRepository</span><span class="o">)</span> <span class="o">{</span> <span class="k">return</span> <span class="k">new</span> <span class="nf">JdbcOAuth2AuthorizationConsentService</span><span class="o">(</span><span class="n">jdbcTemplate</span><span class="o">,</span> <span class="n">registeredClientRepository</span><span class="o">);</span> <span class="o">}</span> </code></pre> </div> <p>Next let's create a bean, configure the OAuth2 authorization service with other default configurations, and use it to redirect the request to the login page for unauthenticated authorization requests.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code> <span class="nd">@Bean</span> <span class="nd">@Order</span><span class="o">(</span><span class="nc">Ordered</span><span class="o">.</span><span class="na">HIGHEST_PRECEDENCE</span><span class="o">)</span> <span class="kd">public</span> <span class="nc">SecurityFilterChain</span> <span class="nf">authorizationServerSecurityFilterChain</span><span class="o">(</span><span class="nc">HttpSecurity</span> <span class="n">http</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="nc">OAuth2AuthorizationServerConfiguration</span><span class="o">.</span><span class="na">applyDefaultSecurity</span><span class="o">(</span><span class="n">http</span><span class="o">);</span> <span class="k">return</span> <span class="n">http</span><span class="o">.</span><span class="na">exceptionHandling</span><span class="o">(</span><span class="n">exceptions</span> <span class="o">-&gt;</span> <span class="n">exceptions</span><span class="o">.</span> <span class="nf">authenticationEntryPoint</span><span class="o">(</span><span class="k">new</span> <span class="nc">LoginUrlAuthenticationEntryPoint</span><span class="o">(</span><span class="s">"/login"</span><span class="o">))).</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> </code></pre> </div> <p>Every authorization server needs a signing key for tokens, let's generate an RSA key:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kd">final</span> <span class="kd">class</span> <span class="nc">KeyGeneratorUtils</span> <span class="o">{</span> <span class="kd">private</span> <span class="nf">KeyGeneratorUtils</span><span class="o">()</span> <span class="o">{</span> <span class="o">}</span> <span class="kd">static</span> <span class="nc">KeyPair</span> <span class="nf">generateRsaKey</span><span class="o">()</span> <span class="o">{</span> <span class="nc">KeyPair</span> <span class="n">keyPair</span><span class="o">;</span> <span class="k">try</span> <span class="o">{</span> <span class="nc">KeyPairGenerator</span> <span class="n">keyPairGenerator</span> <span class="o">=</span> <span class="nc">KeyPairGenerator</span><span class="o">.</span><span class="na">getInstance</span><span class="o">(</span><span class="s">"RSA"</span><span class="o">);</span> <span class="n">keyPairGenerator</span><span class="o">.</span><span class="na">initialize</span><span class="o">(</span><span class="mi">2048</span><span class="o">);</span> <span class="n">keyPair</span> <span class="o">=</span> <span class="n">keyPairGenerator</span><span class="o">.</span><span class="na">generateKeyPair</span><span class="o">();</span> <span class="o">}</span> <span class="k">catch</span> <span class="o">(</span><span class="nc">Exception</span> <span class="n">ex</span><span class="o">)</span> <span class="o">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nf">IllegalStateException</span><span class="o">(</span><span class="n">ex</span><span class="o">);</span> <span class="o">}</span> <span class="k">return</span> <span class="n">keyPair</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kd">public</span> <span class="kd">final</span> <span class="kd">class</span> <span class="nc">Jwks</span> <span class="o">{</span> <span class="kd">private</span> <span class="nf">Jwks</span><span class="o">()</span> <span class="o">{</span> <span class="o">}</span> <span class="kd">public</span> <span class="kd">static</span> <span class="nc">RSAKey</span> <span class="nf">generateRsa</span><span class="o">()</span> <span class="o">{</span> <span class="nc">KeyPair</span> <span class="n">keyPair</span> <span class="o">=</span> <span class="nc">KeyGeneratorUtils</span><span class="o">.</span><span class="na">generateRsaKey</span><span class="o">();</span> <span class="nc">RSAPublicKey</span> <span class="n">publicKey</span> <span class="o">=</span> <span class="o">(</span><span class="nc">RSAPublicKey</span><span class="o">)</span> <span class="n">keyPair</span><span class="o">.</span><span class="na">getPublic</span><span class="o">();</span> <span class="nc">RSAPrivateKey</span> <span class="n">privateKey</span> <span class="o">=</span> <span class="o">(</span><span class="nc">RSAPrivateKey</span><span class="o">)</span> <span class="n">keyPair</span><span class="o">.</span><span class="na">getPrivate</span><span class="o">();</span> <span class="k">return</span> <span class="k">new</span> <span class="nc">RSAKey</span><span class="o">.</span><span class="na">Builder</span><span class="o">(</span><span class="n">publicKey</span><span class="o">)</span> <span class="o">.</span><span class="na">privateKey</span><span class="o">(</span><span class="n">privateKey</span><span class="o">)</span> <span class="o">.</span><span class="na">keyID</span><span class="o">(</span><span class="no">UUID</span><span class="o">.</span><span class="na">randomUUID</span><span class="o">().</span><span class="na">toString</span><span class="o">())</span> <span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight java"><code> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">JWKSource</span><span class="o">&lt;</span><span class="nc">SecurityContext</span><span class="o">&gt;</span> <span class="nf">jwkSource</span><span class="o">()</span> <span class="o">{</span> <span class="nc">RSAKey</span> <span class="n">rsaKey</span> <span class="o">=</span> <span class="nc">Jwks</span><span class="o">.</span><span class="na">generateRsa</span><span class="o">();</span> <span class="nc">JWKSet</span> <span class="n">jwkSet</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">JWKSet</span><span class="o">(</span><span class="n">rsaKey</span><span class="o">);</span> <span class="k">return</span> <span class="o">(</span><span class="n">jwkSelector</span><span class="o">,</span> <span class="n">securityContext</span><span class="o">)</span> <span class="o">-&gt;</span> <span class="n">jwkSelector</span><span class="o">.</span><span class="na">select</span><span class="o">(</span><span class="n">jwkSet</span><span class="o">);</span> <span class="o">}</span> </code></pre> </div> <p>After processing the signing key of the token, the authorization server also needs an issuer URL, which we can create through <em>ProviderSettings</em>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">ProviderSettings</span> <span class="nf">providerSettings</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="nc">ProviderSettings</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">issuer</span><span class="o">(</span><span class="s">"http://127.0.0.1:8080"</span><span class="o">)</span> <span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> </code></pre> </div> <p>Finally we will enable the Spring Security security configuration class to secure our service.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@EnableWebSecurity</span> <span class="nd">@Configuration</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">DefaultSecurityConfig</span> <span class="o">{</span> <span class="nd">@Bean</span> <span class="nc">SecurityFilterChain</span> <span class="nf">defaultSecurityFilterChain</span><span class="o">(</span><span class="nc">HttpSecurity</span> <span class="n">http</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="n">http</span> <span class="o">.</span><span class="na">authorizeRequests</span><span class="o">(</span><span class="n">authorizeRequests</span> <span class="o">-&gt;</span> <span class="n">authorizeRequests</span><span class="o">.</span><span class="na">anyRequest</span><span class="o">().</span><span class="na">authenticated</span><span class="o">()</span> <span class="o">)</span> <span class="o">.</span><span class="na">formLogin</span><span class="o">(</span><span class="n">withDefaults</span><span class="o">())</span> <span class="k">return</span> <span class="n">http</span><span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> <span class="c1">//...</span> <span class="o">}</span> </code></pre> </div> <p>Here <em>authorizeRequests</em>.<em>anyRequest()</em>.<em>authenticated</em>() makes all requests require authentication and provides Form-based authentication.</p> <p>We also need to define the user information used by the test, the following creates a memory-based user information repository.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code> <span class="nd">@Bean</span> <span class="nc">UserDetailsService</span> <span class="nf">users</span><span class="o">()</span> <span class="o">{</span> <span class="nc">UserDetails</span> <span class="n">user</span> <span class="o">=</span> <span class="nc">User</span><span class="o">.</span><span class="na">withDefaultPasswordEncoder</span><span class="o">()</span> <span class="o">.</span><span class="na">username</span><span class="o">(</span><span class="s">"admin"</span><span class="o">)</span> <span class="o">.</span><span class="na">password</span><span class="o">(</span><span class="s">"password"</span><span class="o">)</span> <span class="o">.</span><span class="na">roles</span><span class="o">(</span><span class="s">"USER"</span><span class="o">)</span> <span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="k">return</span> <span class="k">new</span> <span class="nf">InMemoryUserDetailsManager</span><span class="o">(</span><span class="n">user</span><span class="o">);</span> <span class="o">}</span> </code></pre> </div> <h3> Resource server implementation </h3> <p>Now we will create a resource server, the API interface in the service will only allow requests authenticated by the OAuth2 authorization server.</p> <h4> Maven dependencies </h4> <div class="highlight js-code-highlight"> <pre class="highlight xml"><code><span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.springframework.boot<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-boot-starter-web<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>2.6.7<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;/dependency&gt;</span> <span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.springframework.boot<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-boot-starter-security<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>2.6.7<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;/dependency&gt;</span> <span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.springframework.boot<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-boot-starter-oauth2-resource-server<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>2.6.7<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;/dependency&gt;</span> </code></pre> </div> <h4> Configuration </h4> <p>First let's configure the service port via application.yml.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">server</span><span class="pi">:</span> <span class="na">port</span><span class="pi">:</span> <span class="m">8090</span> </code></pre> </div> <p>Next, for OAuth2 security configuration, we need to use the issuerUri set by the previous authorization server in <em>ProviderSettings</em>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nl">spring:</span> <span class="nl">security:</span> <span class="nl">oauth2:</span> <span class="nl">resourceserver:</span> <span class="nl">jwt:</span> <span class="n">issuer</span><span class="o">-</span><span class="nl">uri:</span> <span class="nl">http:</span><span class="c1">//127.0.0.1:8080</span> </code></pre> </div> <p>The resource server will use this Uri to further configure itself, discover the public key of the authorization server, and pass in the JwtDecoder used to verify the JWT. A consequence of this process is that the authorization server must start and receive requests for the resource server to start successfully.</p> <p>If the resource server must be able to start independently of the authorization server, then <code>jwk-set-uri</code> can be provided. This will be our further property to add in the OAuth2 security configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">spring</span><span class="pi">:</span> <span class="na">security</span><span class="pi">:</span> <span class="na">oauth2</span><span class="pi">:</span> <span class="na">resourceserver</span><span class="pi">:</span> <span class="na">jwt</span><span class="pi">:</span> <span class="na">issuer-uri</span><span class="pi">:</span> <span class="s">http://127.0.0.1:8080</span> <span class="na">jwk-set-uri</span><span class="pi">:</span> <span class="s">http://127.0.0.1:8080/oauth2/jwks</span> </code></pre> </div> <p>Now that we can set up the Spring Security security configuration, every request to the service resource should be authorized and have the appropriate permissions:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@EnableWebSecurity</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">ResourceServerConfig</span> <span class="o">{</span> <span class="nd">@Bean</span> <span class="nc">SecurityFilterChain</span> <span class="nf">securityFilterChain</span><span class="o">(</span><span class="nc">HttpSecurity</span> <span class="n">http</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="n">http</span><span class="o">.</span><span class="na">requestMatchers</span><span class="o">()</span> <span class="o">.</span><span class="na">antMatchers</span><span class="o">(</span><span class="s">"/resource/test/**"</span><span class="o">)</span> <span class="o">.</span><span class="na">and</span><span class="o">()</span> <span class="o">.</span><span class="na">authorizeRequests</span><span class="o">()</span> <span class="o">.</span><span class="na">mvcMatchers</span><span class="o">(</span><span class="s">"/resource/test/**"</span><span class="o">)</span> <span class="o">.</span><span class="na">access</span><span class="o">(</span><span class="s">"hasAuthority('SCOPE_message.read')"</span><span class="o">)</span> <span class="o">.</span><span class="na">and</span><span class="o">()</span> <span class="o">.</span><span class="na">oauth2ResourceServer</span><span class="o">()</span> <span class="o">.</span><span class="na">jwt</span><span class="o">();</span> <span class="k">return</span> <span class="n">http</span><span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>Finally, we will create a REST controller that will return the jwt claims information.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@RestController</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">ResourceServerTestController</span> <span class="o">{</span> <span class="nd">@GetMapping</span><span class="o">(</span><span class="s">"/resource/test"</span><span class="o">)</span> <span class="kd">public</span> <span class="nc">Map</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">,</span> <span class="nc">Object</span><span class="o">&gt;</span> <span class="nf">getArticles</span><span class="o">(</span><span class="nd">@AuthenticationPrincipal</span> <span class="nc">Jwt</span> <span class="n">jwt</span><span class="o">)</span> <span class="o">{</span> <span class="k">return</span> <span class="n">jwt</span><span class="o">.</span><span class="na">getClaims</span><span class="o">();</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <h3> OAuth2 client </h3> <p>Now we want to create a client, which first requests authorization from the authorization server to obtain an access token, and then accesses the corresponding resource on the resource server.</p> <h4> Maven dependencies </h4> <div class="highlight js-code-highlight"> <pre class="highlight xml"><code><span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.springframework.boot<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-boot-starter-web<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>2.6.7<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;/dependency&gt;</span> <span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.springframework.boot<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-boot-starter-security<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>2.6.7<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;/dependency&gt;</span> <span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.springframework.boot<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-boot-starter-oauth2-client<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>2.6.7<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;/dependency&gt;</span> <span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.springframework<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-webflux<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>5.3.9<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;/dependency&gt;</span> </code></pre> </div> <h4> Configuration </h4> <p>First of all, we will configure the client's access port 8070 in <code>application.yml</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">server</span><span class="pi">:</span> <span class="na">port</span><span class="pi">:</span> <span class="m">8070</span> </code></pre> </div> <p>Next we'll define the configuration properties for the OAuth2 client:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">spring</span><span class="pi">:</span> <span class="na">security</span><span class="pi">:</span> <span class="na">oauth2</span><span class="pi">:</span> <span class="na">client</span><span class="pi">:</span> <span class="na">registration</span><span class="pi">:</span> <span class="na">messaging-client-authorization-code</span><span class="pi">:</span> <span class="na">provider</span><span class="pi">:</span> <span class="s">client-provider</span> <span class="na">client-id</span><span class="pi">:</span> <span class="s">relive-client</span> <span class="na">client-secret</span><span class="pi">:</span> <span class="s">relive-client</span> <span class="na">authorization-grant-type</span><span class="pi">:</span> <span class="s">authorization_code</span> <span class="na">redirect-uri</span><span class="pi">:</span> <span class="s2">"</span><span class="s">http://127.0.0.1:8070/login/oauth2/code/{registrationId}"</span> <span class="na">scope</span><span class="pi">:</span> <span class="s">message.read</span> <span class="na">client-name</span><span class="pi">:</span> <span class="s">messaging-client-authorization-code</span> <span class="na">provider</span><span class="pi">:</span> <span class="na">client-provider</span><span class="pi">:</span> <span class="na">authorization-uri</span><span class="pi">:</span> <span class="s">http://127.0.0.1:8080/oauth2/authorize</span> <span class="na">token-uri</span><span class="pi">:</span> <span class="s">http://127.0.0.1:8080/oauth2/token</span> </code></pre> </div> <p>Now let's create a WebClient instance to perform HTTP requests to the resource server:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code> <span class="nd">@Bean</span> <span class="nc">WebClient</span> <span class="nf">webClient</span><span class="o">(</span><span class="nc">OAuth2AuthorizedClientManager</span> <span class="n">authorizedClientManager</span><span class="o">)</span> <span class="o">{</span> <span class="nc">ServletOAuth2AuthorizedClientExchangeFilterFunction</span> <span class="n">oauth2Client</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">ServletOAuth2AuthorizedClientExchangeFilterFunction</span><span class="o">(</span><span class="n">authorizedClientManager</span><span class="o">);</span> <span class="k">return</span> <span class="nc">WebClient</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">apply</span><span class="o">(</span><span class="n">oauth2Client</span><span class="o">.</span><span class="na">oauth2Configuration</span><span class="o">())</span> <span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> </code></pre> </div> <p><code>WebClient</code> adds an OAuth2 authorization filter, which requires <code>OAuth2AuthorizedClientManager</code> as a dependency. Only the authorization code and refresh token are configured here, and other modes can be added if necessary:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@Bean</span> <span class="nc">OAuth2AuthorizedClientManager</span> <span class="nf">authorizedClientManager</span><span class="o">(</span><span class="nc">ClientRegistrationRepository</span> <span class="n">clientRegistrationRepository</span><span class="o">,</span> <span class="nc">OAuth2AuthorizedClientRepository</span> <span class="n">authorizedClientRepository</span><span class="o">)</span> <span class="o">{</span> <span class="nc">OAuth2AuthorizedClientProvider</span> <span class="n">authorizedClientProvider</span> <span class="o">=</span> <span class="nc">OAuth2AuthorizedClientProviderBuilder</span> <span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">authorizationCode</span><span class="o">()</span> <span class="o">.</span><span class="na">refreshToken</span><span class="o">()</span> <span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="nc">DefaultOAuth2AuthorizedClientManager</span> <span class="n">authorizedClientManager</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">DefaultOAuth2AuthorizedClientManager</span><span class="o">(</span><span class="n">clientRegistrationRepository</span><span class="o">,</span> <span class="n">authorizedClientRepository</span><span class="o">);</span> <span class="n">authorizedClientManager</span><span class="o">.</span><span class="na">setAuthorizedClientProvider</span><span class="o">(</span><span class="n">authorizedClientProvider</span><span class="o">);</span> <span class="k">return</span> <span class="n">authorizedClientManager</span><span class="o">;</span> <span class="o">}</span> </code></pre> </div> <p>Finally, we'll configure the Spring Security security configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code> <span class="nd">@Bean</span> <span class="nc">SecurityFilterChain</span> <span class="nf">securityFilterChain</span><span class="o">(</span><span class="nc">HttpSecurity</span> <span class="n">http</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="n">http</span> <span class="o">.</span><span class="na">authorizeRequests</span><span class="o">(</span><span class="n">authorizeRequests</span> <span class="o">-&gt;</span> <span class="c1">//Easy to test, open permissions</span> <span class="n">authorizeRequests</span><span class="o">.</span><span class="na">anyRequest</span><span class="o">().</span><span class="na">permitAll</span><span class="o">()</span> <span class="o">)</span> <span class="o">.</span><span class="na">oauth2Client</span><span class="o">(</span><span class="n">withDefaults</span><span class="o">());</span> <span class="k">return</span> <span class="n">http</span><span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> </code></pre> </div> <p>Here we release all client API permissions, but in actual situations, client services require authentication. The OAuth2 protocol itself is an authorization protocol and does not care about the specific form of authentication. You can add simple forms authentication.</p> <h4> Access resource list </h4> <p>Finally, we create a controller where we will use the previously configured WebClient to make HTTP requests to our resource server:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@RestController</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">ClientTestController</span> <span class="o">{</span> <span class="nd">@Autowired</span> <span class="kd">private</span> <span class="nc">WebClient</span> <span class="n">webClient</span><span class="o">;</span> <span class="nd">@GetMapping</span><span class="o">(</span><span class="n">value</span> <span class="o">=</span> <span class="s">"/client/test"</span><span class="o">)</span> <span class="kd">public</span> <span class="nc">Map</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">,</span> <span class="nc">Object</span><span class="o">&gt;</span> <span class="nf">getArticles</span><span class="o">(</span><span class="nd">@RegisteredOAuth2AuthorizedClient</span><span class="o">(</span><span class="s">"messaging-client-authorization-code"</span><span class="o">)</span> <span class="nc">OAuth2AuthorizedClient</span> <span class="n">authorizedClient</span><span class="o">)</span> <span class="o">{</span> <span class="k">return</span> <span class="k">this</span><span class="o">.</span><span class="na">webClient</span> <span class="o">.</span><span class="na">get</span><span class="o">()</span> <span class="o">.</span><span class="na">uri</span><span class="o">(</span><span class="s">"http://127.0.0.1:8090/resource/test"</span><span class="o">)</span> <span class="o">.</span><span class="na">attributes</span><span class="o">(</span><span class="n">oauth2AuthorizedClient</span><span class="o">(</span><span class="n">authorizedClient</span><span class="o">))</span> <span class="o">.</span><span class="na">retrieve</span><span class="o">()</span> <span class="o">.</span><span class="na">bodyToMono</span><span class="o">(</span><span class="nc">Map</span><span class="o">.</span><span class="na">class</span><span class="o">)</span> <span class="o">.</span><span class="na">block</span><span class="o">();</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>In the above example, we use the @<em>RegisteredOAuth2AuthorizedClient</em> annotation to bind <em>OAuth2AuthorizedClient</em>, and trigger the OAuth2 authorization code mode process to obtain an access token.</p> <h3> Conclusion </h3> <p>This example mainly demonstrates the secure communication between two services using the OAuth2 protocol, especially in complex Internet scenarios, where client services and resource services are provided by different platforms. OAuth2 is very good at obtaining the user's entrusted decision, In many ways, it is simpler and safer than other solutions. <br></p> <p>The source code used in this article is available on <a href="https://github.com/ReLive27/spring-security-oauth2-sample/tree/main/oauth2-jwt">GitHub</a>.</p> <p>You might want to read on to the next one: </p> <ul> <li><a href="https://dev.to/relive27/customize-the-oauth2-authorization-consent-page-24n6">Customize the OAuth2 Authorization Consent Page</a></li> <li><a href="https://dev.to/relive27/spring-security-persistent-oauth2-client-1gcc">Spring Security Persistent OAuth2 Client</a></li> <li><a href="https://dev.to/relive27/spring-security-oauth2-client-credentials-grant-fj5">Spring Security OAuth2 Client Credentials Grant</a></li> <li><a href="https://dev.to/relive27/authorization-code-flow-with-proof-key-for-code-exchange-pkce-4h22">Authorization Code Flow with Proof Key for Code Exchange (PKCE)</a></li> <li><a href="https://dev.to/relive27/spring-security-oauth2-login-51lj">Spring Security OAuth2 Login</a></li> </ul> <p>Thanks for reading!</p> java security oauth2 jwt