 

Spring Security OAuth2 simple configuration

I have a simple project that requires the following simple configuration:

  • I have a "password" grant_type, which means I can submit the username/password (that the user enters in my login form), and get an access_token on success.
  • With that access_token, I can request an API and get the user's information.

I know the URIs of the APIs, I don't want anything huge (I saw the configuration on https://github.com/spring-projects/spring-security-oauth/tree/master/samples) and it seems HUGE.

I can think of it this way:

  • Do a simple HTTP request, giving *client_id*, *client_secret*, *grant_type=password*, username and password (that the user provided).
  • I receive an *ACCESS_TOKEN* (and some other stuff) in a JSON response.
  • I use the *ACCESS_TOKEN* to query a URL (using simple GET request), that will give the user's information.
  • I set the information in HttpSession and consider the user as logged in.

It can be done in 2 HTTP requests. I just don't want to do it this way, but using the "safer" way instead with Spring Security OAuth2.

Can you think of what "simple" config I need to make to have this done?

Shotgun asked Mar 04 '14 18:03



1 Answer

Don't let the sparklr sample confuse you (it does a lot more than you seem to need). Is this simple enough for you?

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
// OAuth2AuthorizationServerConfigurerAdapter and InMemoryClientDetailsServiceConfigurer
// come from the Spring Security OAuth 2.0 snapshot the answer refers to (pre-release API).

@ComponentScan
@EnableAutoConfiguration
public class Application {

    public static void main(String[] args) {
        SpringApplication.run(Application.class, args);
    }

    // Authorization server: registers the OAuth2 clients that may request tokens.
    @Configuration
    @Order(Ordered.LOWEST_PRECEDENCE - 100)
    protected static class OAuth2Config extends OAuth2AuthorizationServerConfigurerAdapter {

        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            // @formatter:off
            auth.apply(new InMemoryClientDetailsServiceConfigurer())
                // Client allowed to use the password grant the question asks for;
                // tokens it obtains live for 60 seconds.
                .withClient("my-trusted-client")
                    .authorizedGrantTypes("password", "authorization_code", "refresh_token", "implicit")
                    .authorities("ROLE_CLIENT", "ROLE_TRUSTED_CLIENT")
                    .scopes("read", "write", "trust")
                    .accessTokenValiditySeconds(60)
                .and()
                // Second client restricted to client_credentials, authenticating with a secret.
                .withClient("my-client-with-secret")
                    .authorizedGrantTypes("client_credentials")
                    .authorities("ROLE_CLIENT")
                    .scopes("read")
                    .secret("secret");
            // @formatter:on
        }

    }

}

That's the auth server. The client is also easy (e.g. the one in the Spring OAuth project). P.S. this is all Spring OAuth 2.0 stuff (not yet released), but we're working on it (and the 1.0 features with XML config really aren't that much heavier).

N.B. This kind of defeats the object of OAuth2 (webapp clients are not supposed to collect user credentials). You should consider using grant_type=authorization_code.

Dave Syer answered Sep 30 '22 14:09
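The two-request flow the question describes, run against a token endpoint such as the one the answer configures, as an added example that is not part of the question, the answer or the Spring project. It assumes `/oauth/token` (Spring Security OAuth's default token path) and a hypothetical `/api/me` user-info path, and the token response is a constructed sample; the point it adds is that the client should track the 60-second expiry from the answer's config and refuse to send a stale token.

```python
import base64
import json
from dataclasses import dataclass
from typing import Optional, Set
from urllib.parse import urlencode

# Assumed paths: /oauth/token is Spring Security OAuth's default token
# endpoint; /api/me stands in for the user-info API the question mentions.
TOKEN_ENDPOINT = "/oauth/token"
USERINFO_ENDPOINT = "/api/me"

# Constructed sample of what the token endpoint returns for the answer's
# "my-trusted-client" (accessTokenValiditySeconds(60) -> expires_in 60).
SAMPLE_TOKEN_RESPONSE = ('{"access_token":"a1b2c3","token_type":"bearer",'
                         '"refresh_token":"r9","expires_in":60,"scope":"read"}')

def build_token_request(client_id, client_secret, username, password):
    """Request 1: client authenticates with HTTP Basic, forwards user creds."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {creds}",
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": "password", "username": username,
                      "password": password, "scope": "read"})
    return TOKEN_ENDPOINT, headers, body

@dataclass
class Token:
    access_token: str
    expires_at: float              # absolute epoch seconds, not a duration
    refresh_token: Optional[str]
    scope: Set[str]

def parse_token_response(json_text, now):
    """Parse the token JSON into a Token with absolute expiry; bearer only."""
    data = json.loads(json_text)
    if str(data.get("token_type", "")).lower() != "bearer":
        raise ValueError(f"unsupported token_type: {data.get('token_type')!r}")
    return Token(access_token=data["access_token"],
                 expires_at=now + int(data["expires_in"]),
                 refresh_token=data.get("refresh_token"),
                 scope=set(data.get("scope", "").split()))

def build_userinfo_request(token, now, skew=5):
    """Request 2: call the user-info API, refusing an expired/near-expired token."""
    if now + skew >= token.expires_at:
        raise RuntimeError("access token expired; use refresh_token to renew")
    return USERINFO_ENDPOINT, {"Authorization": f"Bearer {token.access_token}"}
```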