Setting up authorization and resource servers

spring-security-oauth2 has not yet (as of June 2017) been updated with the changes for Spring Framework 5.x and Spring Boot 2.x. We will use Spring Boot 1.5.x for the examples related to OAuth 2 authentication. The code examples are in the GitHub repository at https://github.com/PacktPublishing/Mastering-Spring-5.0.

Typically, an authorization server would be a different server from the application where the API is exposed. To keep things simple, we will make our current API server act both as the resource server and as the authorization server.

The following code snippet shows how we can enable our application to act as the resource and authorization server:

    @EnableResourceServer
    @EnableAuthorizationServer
    @SpringBootApplication
    public class Application {
        public static void main(String[] args) {
            SpringApplication.run(Application.class, args);
        }
    }

Here are a couple of important things to note:

  • @EnableResourceServer: A convenience annotation for OAuth 2 resource servers; it enables a Spring Security filter that authenticates requests via an incoming OAuth 2 token
  • @EnableAuthorizationServer: A convenience annotation that enables an authorization server with AuthorizationEndpoint and TokenEndpoint in the current application context, which must be a DispatcherServlet context

Now we can configure the access details in application.properties, as shown in the following code snippet:

    security.user.name=user-name
    security.user.password=user-password
    security.oauth2.client.clientId=clientId
    security.oauth2.client.clientSecret=clientSecret
    security.oauth2.client.authorized-grant-types=authorization_code,refresh_token,password
    security.oauth2.client.scope=openid

A few important details are as follows:

  • security.user.name and security.user.password are the authentication details of the resource owner, that is, an end user of a third-party application
  • security.oauth2.client.clientId and security.oauth2.client.clientSecret are the authentication details of the client, that is, the third-party application (the service consumer)
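To show where each of these credentials goes on the wire, here is an added Python client (not code from the book or its repository) that performs the password grant against the auto-configured /oauth/token endpoint and builds the Bearer header for subsequent API calls. The base URL http://localhost:8080 is an assumption (Spring Boot's default port).

```python
import base64
import json
import urllib.parse
import urllib.request

BASE_URL = "http://localhost:8080"  # assumption: Spring Boot's default port

def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Client credentials travel in the Authorization header, not in the URL."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def token_request(client_id, client_secret, username, password, scope="openid"):
    """Build the password-grant POST to /oauth/token: returns (url, headers, body)."""
    body = urllib.parse.urlencode({
        "grant_type": "password",  # must be listed in authorized-grant-types
        "username": username,      # resource owner: security.user.name
        "password": password,      # resource owner: security.user.password
        "scope": scope,            # must match security.oauth2.client.scope
    }).encode("ascii")
    headers = {"Authorization": basic_auth_header(client_id, client_secret),
               "Content-Type": "application/x-www-form-urlencoded"}
    return BASE_URL + "/oauth/token", headers, body

def parse_token_response(text: str) -> dict:
    """Accept only a bearer token with a non-empty access_token."""
    doc = json.loads(text)
    if doc.get("token_type", "").lower() != "bearer" or not doc.get("access_token"):
        raise ValueError("unexpected token response: %r" % doc)
    return doc

def bearer_header(access_token: str) -> dict:
    """Header the client sends on every call to the resource server."""
    return {"Authorization": "Bearer " + access_token}

def fetch_token(client_id, client_secret, username, password):
    """Run the exchange against the live server (needs the app running)."""
    url, headers, body = token_request(client_id, client_secret, username, password)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return parse_token_response(resp.read().decode("utf-8"))

if __name__ == "__main__":
    tok = fetch_token("clientId", "clientSecret", "user-name", "user-password")
    print(bearer_header(tok["access_token"]))
```

Note that the client secret and the resource owner's password are both sent in clear text in this exchange, so the token endpoint should only be exposed over TLS.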