Using JWT with OAuth2

Let's enhance the earlier implementation of OAuth2 in order to use a JWT token.

We need to add a dependency on spring-security-jwt:

<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-jwt</artifactId>
    <version>1.0.9.RELEASE</version>
</dependency>

We can update the authentication server configuration in order to use the JWT token store:

@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
    endpoints
        .tokenStore(tokenStore())
        .accessTokenConverter(accessTokenConverter())
        .authenticationManager(this.authenticationManager);
}

@Bean
public JwtAccessTokenConverter accessTokenConverter() {
    JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
    // Symmetric (HMAC) key: the same secret signs tokens here and verifies them on the resource server
    converter.setSigningKey("abcdefgh");
    converter.setVerifierKey("abcdefgh");
    return converter;
}

@Bean
public TokenStore tokenStore() {
    // JwtTokenStore persists nothing; the signed token itself carries the authentication details
    return new JwtTokenStore(accessTokenConverter());
}

Here are some of the important details to consider:

  • JwtAccessTokenConverter: Translates between JWT tokens and OAuth2 authentication details (encoding on the authorization server, decoding on the resource server).
  • converter.setSigningKey("abcdefgh"): We are using abcdefgh as the secret key. The OAuth server needs it in order to sign the token.
  • converter.setVerifierKey("abcdefgh"): We are using abcdefgh as the verifier key. The resource server needs it in order to verify the token's signature.
  • endpoints.tokenStore(tokenStore()).accessTokenConverter(accessTokenConverter()): Configures the endpoints to use the JWT token store and the access token converter.

In the previous example, we used a symmetric key, that is, the same key for signing and verification. We can also use an asymmetric key pair, a private key for signing and a public key for verification, which we can generate with the JDK keytool.

To get an access token, we call the authorization server's token endpoint (http://localhost:8080/oauth/token), providing the client credentials via HTTP basic authentication and the user credentials as form data. The response looks like this:

{
"access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1NTY5OTkxMzIsInVzZXJfbmFtZSI6InVzZXIyIiwiYXV0aG9yaXRpZXMiOlsiUk9MRV9VU0VSIl0sImp0aSI6IjVkNWJhMTIwLWM0ODUtNDM2Ni1hNGViLWVhOWI0NzM1YTdmNCIsImNsaWVudF9pZCI6IllvdXJDbGllbnRJRCIsInNjb3BlIjpbIm9wZW5pZCJdfQ.RFRjTU9RJNmUDTH7QedgqNRzsGRVakyvrcFkPZEcIuE",
"token_type": "bearer",
"refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX25hbWUiOiJ1c2VyMiIsInNjb3BlIjpbIm9wZW5pZCJdLCJhdGkiOiI1ZDViYTEyMC1jNDg1LTQzNjYtYTRlYi1lYTliNDczNWE3ZjQiLCJleHAiOjE1NTk1NDc5MzIsImF1dGhvcml0aWVzIjpbIlJPTEVfVVNFUiJdLCJqdGkiOiI1MmI1ZDEzMC1mOGE0LTRjNDgtYmU2OS00NTQwMTVlYWRlMzAiLCJjbGllbnRfaWQiOiJZb3VyQ2xpZW50SUQifQ.DZhDZeZyqFKJ6HXMr6zc9DWDc5Dn2BqYCwTAlXgWewA",
"expires_in": 43199,
"scope": "openid",
"jti": "5d5ba120-c485-4366-a4eb-ea9b4735a7f4"
}

We can then send the access_token as a bearer token in the Authorization header when executing REST API requests.
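The checks the resource server performs with the verifier key, as an added Python example (not the book's code nor Spring Security's own): it decodes the access token from the response above without accepting it, since the key that signed it is not reproduced on this page, and issues and verifies tokens of its own with a constructed key. HS256 over the raw key bytes mirrors what JwtAccessTokenConverter does with a symmetric signing key.

```python
import base64
import hashlib
import hmac
import json
import time

# Access token copied from the token response above. The key that signed it is not
# reproduced on this page, so it is only decoded here, never accepted.
PAGE_ACCESS_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJleHAiOjE1NTY5OTkxMzIsInVzZXJfbmFtZSI6InVzZXIyIiwiYXV0aG9yaXRpZXMiOlsiUk9MRV9VU0VSIl0s"
    "Imp0aSI6IjVkNWJhMTIwLWM0ODUtNDM2Ni1hNGViLWVhOWI0NzM1YTdmNCIsImNsaWVudF9pZCI6IllvdXJDbGllbnRJRCIs"
    "InNjb3BlIjpbIm9wZW5pZCJdfQ."
    "RFRjTU9RJNmUDTH7QedgqNRzsGRVakyvrcFkPZEcIuE"
)

def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))  # JWT parts omit '=' padding

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def decode_unverified(token: str) -> tuple:
    """Read header and claims without any check: for inspection only, never for authorization."""
    header_b64, payload_b64, _ = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))

def sign_hs256(claims: dict, signing_key: str) -> str:
    """Issue a token like JwtAccessTokenConverter with a symmetric key: HS256 over header.payload."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(signing_key.encode("utf-8"), f"{header}.{payload}".encode("ascii"), hashlib.sha256)
    return f"{header}.{payload}.{b64url_encode(mac.digest())}"

def verify_hs256(token: str, verifier_key: str, now: int = None) -> dict:
    """What the resource server does with its verifier key: pin the alg, check the MAC, then exp."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")          # the token must not choose the algorithm
    expected = hmac.new(verifier_key.encode("utf-8"), f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")           # wrong key, or header/claims were modified
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims
```

An 8-character secret such as the one in the listing is fine for a walkthrough; RFC 7518 requires an HS256 key of at least 256 bits, so a production verifier key should be that much random data shared only between the authorization and resource servers.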
