How to implement token verification via token introspection endpoint in Spring Boot?

We need to implement this endpoint as we have a number of micro services that need to verify the token.

According to this link we can use this to return some user details as well as verifying the token.

I went through spring documentation but couldn't find anything. How can we implement that so that any request automatically makes a call to introspection endpoint. I am asking this here because I'd like to hear people's experience and suggestions with this.

xbmono asked Dec 10 '17 22:12
1 Answer

Okay, after digging Spring source code and documentation, I think I have found the answer and I am posting it here just in case anyone has the same question.

Spring has an endpoint named /check_token. From what I can see in the CheckTokenEndpoint class, it is designed as per the OAuth2 Token Introspection Endpoint: the only parameter of the endpoint is 'token'.

So the first thing is to make the endpoint accessible:

import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;

@Override
public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
    // /oauth/check_token requires an authenticated caller (client credentials); /oauth/token_key stays public
    security.checkTokenAccess("isAuthenticated()").tokenKeyAccess("permitAll()").passwordEncoder(passwordEncoder());
}

As you can see, checkTokenAccess() lets any authenticated request access it. Don't use permitAll().

Now in your micro-services, or any application that needs to call this endpoint, you will need to configure RemoteTokenServices:

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Conditional;
import org.springframework.security.oauth2.provider.token.RemoteTokenServices;
import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;

@Bean
@Conditional(IfCheckTokenIsEnabled.class) // custom condition class; only register the bean when introspection is enabled
public ResourceServerTokenServices createResourceServerTokenServices() {
    RemoteTokenServices tokenServices = new RemoteTokenServices();
    // The authorization server's check_token endpoint; RemoteTokenServices POSTs the token here
    tokenServices.setCheckTokenEndpointUrl("http://localhost:8099/oauth/check_token");
    // Client credentials are sent as HTTP Basic auth, which is what lets the endpoint require isAuthenticated()
    tokenServices.setClientId("my_client_id");
    tokenServices.setClientSecret("client_secret"); //cannot be null

    return tokenServices;
}

That's it!

However, I found that this endpoint is not really as per the spec. In OAuth2 it is mentioned that the node 'active' of type boolean is mandatory in the response, while this endpoint basically extracts the access token. You can, however, create your own endpoint and just configure RemoteTokenServices for Spring to make the call.

xbmono answered Sep 25 '22 23:09
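An introspection endpoint that follows the RFC 7662 response shape, as an added example that is not part of the answer above or of Spring's own code. It assumes the legacy spring-security-oauth2 stack the answer uses and a TokenStore bean on the authorization server; the path /oauth/introspect and the class name IntrospectionController are hypothetical. Unlike /oauth/check_token, it always returns the mandatory boolean 'active' field, and for an unknown or expired token it returns only {"active": false} rather than a token dump or an error.

```java
import java.util.LinkedHashMap;
import java.util.Map;

import org.springframework.http.ResponseEntity;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

// Hypothetical class and path: an RFC 7662-style replacement for /oauth/check_token.
// Protect it the same way the answer protects check_token (authenticated client only).
@RestController
public class IntrospectionController {

    private final TokenStore tokenStore;

    public IntrospectionController(TokenStore tokenStore) {
        this.tokenStore = tokenStore;
    }

    // RFC 7662 section 2.1: POST with form parameter "token"; RemoteTokenServices sends exactly that.
    @PostMapping(value = "/oauth/introspect", produces = "application/json")
    public ResponseEntity<Map<String, Object>> introspect(@RequestParam("token") String token) {
        Map<String, Object> body = new LinkedHashMap<>();

        OAuth2AccessToken accessToken = tokenStore.readAccessToken(token);
        if (accessToken == null || accessToken.isExpired()) {
            // Section 2.2: an unknown, revoked or expired token yields active=false and nothing else,
            // so a caller learns no metadata about tokens it does not hold.
            body.put("active", false);
            return ResponseEntity.ok(body);
        }

        OAuth2Authentication auth = tokenStore.readAuthentication(accessToken);
        body.put("active", true);                                        // mandatory boolean
        body.put("scope", String.join(" ", accessToken.getScope()));     // space-separated per the RFC
        body.put("client_id", auth.getOAuth2Request().getClientId());
        if (auth.getUserAuthentication() != null) {
            // Absent for client_credentials tokens, which have no resource owner
            body.put("username", auth.getUserAuthentication().getName());
        }
        body.put("token_type", accessToken.getTokenType());
        if (accessToken.getExpiration() != null) {
            body.put("exp", accessToken.getExpiration().getTime() / 1000); // seconds since epoch
        }
        return ResponseEntity.ok(body);
    }
}
```

Point the micro-services at it with tokenServices.setCheckTokenEndpointUrl("http://localhost:8099/oauth/introspect") and restrict the path to authenticated clients in the authorization server's HttpSecurity configuration, since anyone who can reach an open introspection endpoint can test tokens against it. Note that an inactive token still produces HTTP 200, as the RFC requires, so a caller must inspect the 'active' flag rather than rely on the status code.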