Spring OAuth2 explain Authorization server configuration

I am trying to implement OAuth security and have run into a configuration class that is not clear enough to me.

While implementing AuthorizationServerConfigurer I have three configurers:

  • ClientDetailsServiceConfigurer, used to define how and from where client details are obtained. For example, it can be a service that provides the registered clients from the database.

When it comes to AuthorizationServerSecurityConfigurer and AuthorizationServerEndpointsConfigurer, I am not sure what they do or how they should be configured. The documentation says only:

AuthorizationServerEndpointsConfigurer: defines the authorization and token endpoints and the token services.

Maybe someone can explain in simple words what these two configurers do, or what they are used for.

Bublik, asked Dec 15 '22 04:12


2 Answers

AuthorizationServerConfigurer's javadoc is more informative than the linked documentation. AuthorizationServerSecurityConfigurer, as its name suggests, configures the security of the Authorization Server itself. For example, you can override the security of OAuth endpoints such as /oauth/token, provide an access denied handler, or restrict access to SSL. Here is what the documentation says about it:

Configure the security of the Authorization Server, which means in practical terms the /oauth/token endpoint. The /oauth/authorize endpoint also needs to be secure, but that is a normal user-facing endpoint and should be secured the same way as the rest of your UI, so is not covered here. The default settings cover the most common requirements, following recommendations from the OAuth2 spec, so you don't need to do anything here to get a basic server up and running.

As for AuthorizationServerEndpointsConfigurer:

Configure the non-security features of the Authorization Server endpoints, like token store, token customizations, user approvals and grant types. You shouldn't need to do anything by default, unless you need password grants, in which case you need to provide an AuthenticationManager.

Here is a sample from one of my projects:

@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
    endpoints
            // needed because the password grant validates resource-owner credentials
            .authenticationManager(authenticationManager)
            // issue and read back tokens as signed JWTs instead of an in-memory/JDBC store
            .tokenStore(jwtTokenStore())
            // add custom claims to every issued token
            .tokenEnhancer(tokenEnhancer());
}

Here I provided a JwtTokenStore as my TokenStore and an AuthenticationManager, since I was using Password Grants.

Ali Dehghani, answered Dec 17 '22 02:12
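A fuller view of how the three configure methods described above fit together, written as an added example and not the answerer's own code. It assumes an AuthenticationManager bean exists in the context; the client registration, the client secret and the JWT signing key are constructed placeholders.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;

@Configuration
@EnableAuthorizationServer
public class AuthServerConfig extends AuthorizationServerConfigurerAdapter {
    @Autowired private AuthenticationManager authenticationManager; // assumed bean
    private final PasswordEncoder passwordEncoder = new BCryptPasswordEncoder();
    // 1) Client registrations (in memory here; swap for a DB-backed ClientDetailsService).
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
                .withClient("web-app") // constructed sample client
                .secret(passwordEncoder.encode("CHANGE-ME-client-secret")) // placeholder
                .authorizedGrantTypes("authorization_code", "refresh_token")
                .scopes("read")
                .redirectUris("https://app.example.com/callback"); // exact-match URI
    }
    // 2) Security of the /oauth/token, /oauth/check_token and /oauth/token_key endpoints.
    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) {
        security.passwordEncoder(passwordEncoder)     // same encoder used for secrets
                .sslOnly()                              // refuse plain HTTP
                .tokenKeyAccess("permitAll()")          // verification key is public
                .checkTokenAccess("isAuthenticated()"); // only authenticated callers
    }
    // 3) Non-security features: JWT token store plus the AuthenticationManager
    //    (the latter only matters if the password grant is enabled for a client).
    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
        endpoints.authenticationManager(authenticationManager)
                .tokenStore(new JwtTokenStore(accessTokenConverter()))
                .accessTokenConverter(accessTokenConverter());
    }
    @Bean public JwtAccessTokenConverter accessTokenConverter() {
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        converter.setSigningKey("CHANGE-ME-load-from-secret-store"); // placeholder HMAC key
        return converter;
    }
}
```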


I am using spring-security-oauth; there is helpful documentation that may help you:

projects.spring.io/spring-security-oauth/docs/oauth2.html

Pasha GR, answered Dec 17 '22 00:12