Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How get a token in spring boot 2 oauth2?

I'm new in spring security oauth2. I want to run this authorization server sample code. I run it successfuly, for get token, I set postman as follow and then send request:

Basic Auth grant types

In this case, I entered client id with its password, but I want to login without them. For example my users send username, password and client id and then get token. But every request I send, The server return 401 response. In Spring boot 2 oauth 2, How can I do it?

like image 244
Morteza Malvandi Avatar asked Dec 11 '18 09:12

Morteza Malvandi


People also ask

How does OAuth2 2.0 work in spring boot?

Spring Security OAuth2 − Implements the OAUTH2 structure to enable the Authorization Server and Resource Server. Spring Security JWT − Generates the JWT Token for Web security. Spring Boot Starter JDBC − Accesses the database to ensure the user is available or not. Spring Boot Starter Web − Writes HTTP endpoints.


2 Answers

1) To get access token you have to use such a request:

curl --user client:secret \
  -X POST http://localhost:8080/oauth/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=password&username=username&password=password&scope=*" \

with Basic Auth and your application credentials (you can avoid the secret if you wish). The name of the user and its password you have to pass in the body of the request as well as 'password' value in the grant_type field.

In response you get your access and refresh tokens, for example:

{
    "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2VtYWlsIjoidXNlckBtYWlsLmNvbSIsInVzZXJfbmFtZSI6InVzZXIiLCJzY29wZSI6WyIqIl0sImV4cCI6MTU0Nzc2NDIzOCwiYXV0aG9yaXRpZXMiOlsiQURNSU4iXSwianRpIjoiYzk1YzkzYTAtMThmOC00OGZjLWEzZGUtNWVmY2Y1YWIxMGE5IiwiY2xpZW50X2lkIjoiY2xpZW50In0.RWSGMC0w8tNafT28i2GLTnPnIiXfAlCdydEsNNZK-Lw",
    "token_type": "bearer",
    "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2VtYWlsIjoidXNlckBtYWlsLmNvbSIsInVzZXJfbmFtZSI6InVzZXIiLCJzY29wZSI6WyIqIl0sImF0aSI6ImM5NWM5M2EwLTE4ZjgtNDhmYy1hM2RlLTVlZmNmNWFiMTBhOSIsImV4cCI6MTU0Nzc2NzcxOCwiYXV0aG9yaXRpZXMiOlsiQURNSU4iXSwianRpIjoiZDRhNGU2ZjUtNDY2Mi00NGZkLWI0ZDgtZWE5OWRkMDJkYWI2IiwiY2xpZW50X2lkIjoiY2xpZW50In0.m7XvxwuPiTnPaQXAptLfi3CxN3imfQCVKyjmMCIPAVM",
    "expires_in": 119,
    "scope": "*"
    "jti": "c95c93a0-18f8-48fc-a3de-5efcf5ab10a9"
}

2) Then you can use that access token to get access to resources of your server application. In this case you need Bearer Token auth type and your access token:

curl -X GET http://localhost:8080/demo \
  -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2VtYWlsIjoidXNlckBtYWlsLmNvbSIsInVzZXJfbmFtZSI6InVzZXIiLCJzY29wZSI6WyIqIl0sImV4cCI6MTU0Nzc2NDIzOCwiYXV0aG9yaXRpZXMiOlsiQURNSU4iXSwianRpIjoiYzk1YzkzYTAtMThmOC00OGZjLWEzZGUtNWVmY2Y1YWIxMGE5IiwiY2xpZW50X2lkIjoiY2xpZW50In0.RWSGMC0w8tNafT28i2GLTnPnIiXfAlCdydEsNNZK-Lw'

3) To refresh token you have to use, again, Basic Auth with client credentials, but in this case, you need 'refresh_token' as grant_type:

curl --user client:secret \
  -X POST http://localhost:8080/oauth/token \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'grant_type=refresh_token&scope=*&refresh_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2VtYWlsIjoidXNlckBtYWlsLmNvbSIsInVzZXJfbmFtZSI6InVzZXIiLCJzY29wZSI6WyIqIl0sImF0aSI6ImM5NWM5M2EwLTE4ZjgtNDhmYy1hM2RlLTVlZmNmNWFiMTBhOSIsImV4cCI6MTU0Nzc2NzcxOCwiYXV0aG9yaXRpZXMiOlsiQURNSU4iXSwianRpIjoiZDRhNGU2ZjUtNDY2Mi00NGZkLWI0ZDgtZWE5OWRkMDJkYWI2IiwiY2xpZW50X2lkIjoiY2xpZW50In0.m7XvxwuPiTnPaQXAptLfi3CxN3imfQCVKyjmMCIPAVM'

Every time when the access token expires you have to refresh it with 3rd request. Then you will be able to get access to the resources again.

Additional info

1) My answer of how to build the simple OAuth2 app with JWT and custom claims

2) Related demo application

3) Related Postman collection

like image 149
Cepr0 Avatar answered Sep 23 '22 09:09

Cepr0


The OAuth 2.0 specification describes a number of grants (“methods”) for a client application to acquire an access token (which represents a user’s permission for the client to access their data).

Spring OAuth2 predefined grant types:

  • ClientCredentialsTokenGranter
  • RefreshTokenGranter
  • AuthorizationCodeTokenGranter
  • ImplicitTokenGranter
  • ResourceOwnerPasswordTokenGranter(it`s password grant type which one you use in example)

If you want to change token acquiring logic you can go with custom TokenGranter.

Additional:

OAuth 2 Develpers Guide

like image 22
Vyacheslav Babanin Avatar answered Sep 19 '22 09:09

Vyacheslav Babanin