Implement OAuth Resource Server using Spring Security OAuth2 Resource Server

A Resource Server in OAuth2 protects access to resources and APIs. It validates the access token passed by the Client Application against the Authorization Server that issued it, and uses that result to decide whether the Client Application may access the resources and APIs it is requesting. In this tutorial, I show you how to implement an OAuth Resource Server using Spring Security OAuth2 Resource Server!

First, I will create a new Spring Boot project with Spring Web, Spring Security OAuth2 Resource Server as an example:

Result:

Next, I will create a new RESTful API that acts as the resource we need the resource server to protect. The content of this API is as simple as this:

Now I will create a new class to configure Spring Security protection for this RESTful API, with the following initial content:

With the above configuration, as I said in the tutorial Configure Spring Security using WebSecurityConfigurerAdapter and AbstractSecurityWebApplicationInitializer, only a logged-in user can access any request to the application, and the user's login information is stored in memory or in a database system.

We won’t be able to request http://localhost:8081/hello right now:

If you now want the Resource Server to authenticate all requests to our application using the access token issued by the Authorization Server, you can add the following lines of code:

The Resource Server needs information about the Authorization Server so that it can check whether the access token was issued by that Authorization Server. Therefore, you need to open the application.properties file and configure this Authorization Server information.

As an example for this tutorial, I will start the Authorization Server built with Spring Authorization Server in this tutorial. Then I will configure the Authorization Server information for this example as follows:

I also change the port of the example application so that it does not conflict with the port of the Authorization Server.

Now, suppose I have a RegisteredClient in the Authorization Server as follows:

Get this RegisteredClient’s access token:

and request the URL http://localhost:8081/hello again with the access token passed as a Bearer token in the Authorization header, you will see the following result:

If you notice, with the above Spring Security configuration, any access token issued by the Authorization Server can access the APIs. In practice, we won’t do that.

The access token carries a claim named scope, and we will use it to determine which scope the access token must have in order to access a given request URL.

If you decode the RegisteredClient’s access token above, you’ll see that there is currently no scope claim at all:

because we did not configure a scope for this RegisteredClient.

Now, I will change the Spring Security configuration to only accept requests to “/hello” whose access token has the scope “access-hello”, as follows:

We use the hasAuthority() method together with antMatchers() for the “/hello” request. The parameter of the hasAuthority() method is a string that starts with SCOPE_ followed by the scope name that the RegisteredClient’s access token must have.
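The complete resource server configuration this section describes, as an added example (not the tutorial's own code), written against the Spring Security 5.x WebSecurityConfigurerAdapter API the tutorial uses; the class name and the issuer URI value are assumptions, while port 8081, the “/hello” path and the “access-hello” scope come from the text above:

```java
// application.properties of the resource server (assumed values; the issuer URI
// must match the Authorization Server that issues the tokens):
//
//   server.port=8081
//   spring.security.oauth2.resourceserver.jwt.issuer-uri=http://localhost:8080

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class ResourceServerSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests(authorize -> authorize
                // "/hello" requires a token whose "scope" claim contains "access-hello".
                // Spring maps every value of the scope claim to an authority named
                // "SCOPE_<value>", so a token without that scope is rejected with 403.
                .antMatchers("/hello").hasAuthority("SCOPE_access-hello")
                // Every other request still needs a valid access token, but no
                // particular scope.
                .anyRequest().authenticated()
            )
            // Treat incoming Bearer tokens as JWTs and validate their signature and
            // issuer against the Authorization Server configured by
            // spring.security.oauth2.resourceserver.jwt.issuer-uri (its JWK set is
            // fetched from that issuer's discovery document on first use).
            .oauth2ResourceServer(oauth2 -> oauth2.jwt());
    }
}
```

A request without a token gets 401 Unauthorized; a valid token that lacks the “access-hello” scope gets 403 Forbidden, which is the difference the next paragraph demonstrates.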

At this point, if you restart the example application and request “/hello” with the above RegisteredClient’s access token, you will see a 403 Forbidden error as follows:

To configure the scope for the RegisteredClient in the example above, I will edit the code as follows:

As you can see, we will use the scope() method to do this.

Restart the Authorization Server, obtain a new access token for this RegisteredClient, and then request “http://localhost:8081/hello” again; you will see the result “Hello” returned.

Decode the access token and you will see the following result:
