Implement OAuth Authorization Server using Spring Authorization Server

The Authorization Server in OAuth has the task of issuing an access token, which the Client Application then presents to request the resource it needs. The Resource Server validates this access token with the Authorization Server every time the Client Application requests a resource, to decide whether to allow the Client Application access to that resource. You can use one of many open-source options to implement an Authorization Server, such as Keycloak, Spring Security OAuth (deprecated), or the newer Spring project called Spring Authorization Server. In this tutorial, I will show you how to use Spring Authorization Server to implement an OAuth Authorization Server!

First, I will create a new Spring Boot project with the Web Starter, Security Starter and Spring Authorization Server dependencies to use as the example.


Authorization Server configuration

First, I will create a new AuthorizationServerConfiguration class to configure the Authorization Server.

By default, Spring Authorization Server provides the OAuth2AuthorizationServerConfiguration class with default configurations for an Authorization Server. If you take a look at the code of this class, you will see that it defines an applyDefaultSecurity() method that initializes an OAuth2AuthorizationServerConfigurer object, with the purpose of applying the default configurations that the OAuth2AuthorizationServerConfigurer class defines:

As you can see, the applyDefaultSecurity() method also defines security for the default endpoints of an Authorization Server.

The OAuth2AuthorizationServerConfiguration class also defines a SecurityFilterChain bean that calls the applyDefaultSecurity() method to register these default configurations with the Spring Security setup of the Authorization Server.

You can import this OAuth2AuthorizationServerConfiguration class using Spring’s @Import annotation to use these default configurations:

or, if you want to add some custom code, declare a bean for the SecurityFilterChain class yourself and call the applyDefaultSecurity() method as follows:

Here, I add code so that if the user is not authenticated when requesting the default endpoints of the Authorization Server, the Authorization Server redirects to the login page.

With an Authorization Server, an important thing we need to do is define the JSON Web Key (JWK) used to sign the access tokens the Authorization Server issues, so that the Resource Server can verify the information in the access token the user presents to it. A JwtDecoder bean built from a JWKSource object is also required to complete the configuration of this Authorization Server. We can define beans for these objects as follows:



Spring Security configuration

When the Authorization Server redirects to the login page because the user is not authenticated, we need to define another SecurityFilterChain to handle this request and all other requests to the Authorization Server, because the OAuth2AuthorizationServerConfiguration class only defines security for the default endpoints of the Authorization Server.

We can define this SecurityFilterChain as follows:

At this point, the login page will display if the user is not logged in.


Register client with Authorization Server

Spring Authorization Server uses the RegisteredClient class to hold the information of a client registered with the Authorization Server, and an implementation of the RegisteredClientRepository interface to store the information of all these clients.

We can store client information in memory or in a database.

For simplicity, I will use memory as follows:

There are several important properties that a client must have: the client ID and the authorization grant types enabled for this client ID.

The client ID needs no explanation, right? For the authorization grant type, Spring Authorization Server supports all grant types of OAuth 2.

Whether a client secret is needed depends on the client type we want to define: if our client is confidential (see also Client types in OAuth 2.0), a client secret is mandatory. Here, you need to declare how the client secret is encoded with a PasswordEncoder; if you don't want to encode it for testing purposes, you can use NoOpPasswordEncoder by putting "{noop}" at the beginning of the client secret, as I did above. Remember this is for testing purposes only!

The client authentication method is also required if our client is confidential; it defines how the client authenticates itself when requesting the access token.

Depending on the grant type of the client you are defining, there is other required information that we need to declare. For example, in my case I am defining a client with the authorization_code grant type, so I have to define a redirect_uri. Here, I will use the tool https://oidcdebugger.com/ to get the authorization code, so I set the redirect_uri to https://oidcdebugger.com/debug, as you can see.

Define the client information according to your needs.



Register user with Authorization Server

For the users who log in to the Authorization Server, I use in-memory storage with the following declaration:
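The client registration and the in-memory user from the two sections above, as one added example (my code, not the post's listing). It replaces the "{noop}" secret with a bcrypt-encoded one, assumes the 0.4/1.x package for ClientSettings (`...authorization.settings`), and uses constructed demo values for the client ID, secret and user credentials:

```java
import java.util.UUID;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.security.oauth2.core.oidc.OidcScopes;
import org.springframework.security.oauth2.server.authorization.client.InMemoryRegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.settings.ClientSettings;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

@Configuration
public class ClientAndUserConfiguration {
    // Delegating encoder: encoded values carry a "{bcrypt}" prefix, which is what the
    // Authorization Server's default client-secret check and form login both understand.
    private static final PasswordEncoder ENCODER = PasswordEncoderFactories.createDelegatingPasswordEncoder();

    @Bean
    public RegisteredClientRepository registeredClientRepository() {
        RegisteredClient client = RegisteredClient.withId(UUID.randomUUID().toString())
                .clientId("client-app")                                 // constructed demo value
                .clientSecret(ENCODER.encode("client-app-secret"))      // constructed demo secret; only the hash is stored
                .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
                .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                .authorizationGrantType(AuthorizationGrantType.REFRESH_TOKEN)
                .redirectUri("https://oidcdebugger.com/debug")         // compared exactly against the request
                .scope(OidcScopes.OPENID)
                .scope("read")                                          // constructed demo scope
                .clientSettings(ClientSettings.builder().requireAuthorizationConsent(true).build())
                .build();
        return new InMemoryRegisteredClientRepository(client);
    }

    @Bean
    public UserDetailsService userDetailsService() {
        return new InMemoryUserDetailsManager(User.withUsername("user")
                .password(ENCODER.encode("password"))                  // constructed demo credential
                .roles("USER")
                .build());
    }
}
```

Because the secret is stored only as a bcrypt hash, a leaked copy of the client table does not hand out usable credentials, which is the difference from the "{noop}" form used for testing.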

OK, at this point, we have completed the basic configuration for Authorization Server.

To check the results, I will use the tool https://oidcdebugger.com/ as I mentioned above, with the following declaration:


Click Send request on this page, and you will see the Authorization Server login page displayed as follows:


Log in with the user information we declared above, and you will see the following result:


Using this authorization code along with the client secret that we have declared, you can get the access token for this client as follows:
