I have a simple project that requires the simple following configuration :
I know the URIs of the APIs, I don't want anything huge (I saw the configuration on https://github.com/spring-projects/spring-security-oauth/tree/master/samples) and it seems HUGE.
I can think of it this way :
It can be done in 2 HTTP requests. I just don't want to do it this way, but using the "safer" way instead with Spring Security OAuth2.
Can you think of what "simple" config I need to make to have this done?
We have to set an interface for the authorization server where the user can provide the credentials. We use the formLogin() implementation of Spring Security to achieve that functionality while keeping things simple. We also make sure that all requests are authenticated.
Spring Security handles the Authentication and Spring Security OAuth2 handles the Authorization. To configure and enable the OAuth 2.0 Authorization Server we have to use @EnableAuthorizationServer annotation.
An OAuth2 Client can be used to fetch user details from the provider (if such features are available) and then convert them into an Authentication token for Spring Security.
First, we need to add spring-boot-starter-security and the spring-security-oauth2-autoconfigure dependencies to our pom. xml. As we are building a web application, we also need spring-boot-starter-web and spring-boot-starter-thymeleaf artifacts to be included.
Don't let the sparklr sample confuse you (it does a lot more than you seem to need). Is this simple enough for you?
@ComponentScan
@EnableAutoConfiguration
public class Application {
public static void main(String[] args) {
SpringApplication.run(Application.class, args);
}
@Configuration
@Order(Ordered.LOWEST_PRECEDENCE - 100)
protected static class OAuth2Config extends OAuth2AuthorizationServerConfigurerAdapter {
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
// @formatter:off
auth.apply(new InMemoryClientDetailsServiceConfigurer())
.withClient("my-trusted-client")
.authorizedGrantTypes("password", "authorization_code", "refresh_token", "implicit")
.authorities("ROLE_CLIENT", "ROLE_TRUSTED_CLIENT")
.scopes("read", "write", "trust")
.accessTokenValiditySeconds(60)
.and()
.withClient("my-client-with-secret")
.authorizedGrantTypes("client_credentials")
.authorities("ROLE_CLIENT")
.scopes("read")
.secret("secret");
// @formatter:on
}
}
}
That's the auth server. The client is also easy (e.g. the one in the Spring OAuth project). P.S. this is all Spring OAuth 2.0 stuff (not yet released), but we're working on it (and the 1.0 features with XML config really aren't that much heavier).
N.B. This kind of defeats the object of OAuth2 (webapp clients are not supposed to collect user credentials). You should consider using grant_type=authorization_code
.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With