Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Spring Security JWT and Oauth2

Tags:

jwt

spring-security

spring-security-oauth2

I'd like to setup a central authentication / authorization server using Spring Security from where I could fetch JWT token which I could then use for accessing restricted resources on another Spring Security backed up REST server.

Here's my flow:

1) HTML JS / Mobile etc client authenticates on auth server to get the JWT token 2) Client sends this token in HTTP header to REST server to gain access to secured resources

I thought JWT would suite best for this scenario because it can contain all the relevant data and REST server could be fully stateless and simply decode the token to get all necessary data (role, clientid, email...) on REST server.

Is Oauth2 right choice for this and if so could someone kindly point me to right direction? If JWT isn't the right bet, I'm open to other solutions :) I should mention that in my case it's also possible to load client information from database also on REST server, but it should not be responsible for authenticating the user (meaning no username/password check, just the token decoding/validating...)

like image 736
ovaris Avatar asked Oct 20 '22 14:10

ovaris

1 Answers

The Cloudfoundry UAA is an open source OAuth2 Identity Managemennt Solution (Apache 2) which issues JWT tokens. You could look at the way it is implemented, or just use it yourself, either as a server or just the JARs. It implements a bunch of existing strategies in Spring OAuth. It also optionally has its own user database, or you can implement your own. There are lots of options and extension points and many people using it in various ways (not all with Cloudfoundry) because it was designed to be generic.

Spring OAuth 2.0 also has support for JWT tokens as well, but it isn't released yet (the bulk of the implementation is drawn from the UAA).

However, since you say you don't mind opaque tokens (and a database loookup) you might prefer just to use the JDBC support in Spring OAuth 1.0. It was in use in Cloudfoundry for quite some time before we moved to JWT, so I can vouch for it in production.

As to whether OAuth2 is a good choice for your use case: you are in the best position to decide that. Nothing you said so far makes me think it would be a bad idea. Here's a presentation I did if it helps (you can probably find it on YouTube in the SpringSource channel if you like that sort of thing).

like image 190
Dave Syer Avatar answered Oct 27 '22 22:10

Dave Syer
Sign in to Comment

Related questions

jdbc-user-service adding fields to the SQL
Using Google API with spring-security-oauth2.0
Session mix up - apache httpd with mod_jk, tomcat, spring security - serving data of other user
Login with facebook and using oauth 2.0 for authentication of REST api calls
Spring security stateless configuration
spring security error handling with JSON response
spring security + oauth2 + reactjs + restful http client
Can't find SecurityMockMvcConfigurers
Spring OAuth (OAuth2): How can I get the client credentials in a Spring MVC controller?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!