What an evening!

Too hot and humid. Total disaster!

So this kind of evening is perfect for an interesting topic: OAuth 2. I guess most of you know what it does, but I like to explain a little. So let's set it up.

1. Overview

OAuth 2 (RFC 6749) is an authorization framework, a security concept for REST APIs that describes how a client application obtains limited access to a user's data on your resource server without being handed the user's credentials. It is not an authentication protocol by itself: authenticating the user is the job of the authorization server, and the client only learns that a token was issued for that user.

It has four main roles.

  • Resource Owner (that means you, the user whose data is being accessed)
  • Client (the application you're using, which accesses your data on the resource server)
  • Resource Server (where your data is stored and served from)
  • Authorization Server (authenticates you and issues the client a token it presents to the resource server to fetch your data; this token is called the access_token)

If the client is allowed the refresh_token grant type, the authorization server hands out two tokens instead of one. Now what is a refresh token, and what is the difference between access_token and refresh_token?

Well, the name says it all.

Access Token And Refresh Token:

Both tokens are issued by your authorization server. The access_token is what the client presents to the resource server to read your resources. It usually has a short lifetime: the client can use it until it expires. After that, instead of asking you for your credentials again, the client sends its refresh token together with its client id and client secret to the authorization server and receives a new access_token. The refresh token lives much longer than the access token, typically 7 to 90 days, depending on your policy.

So we can say,

  1. The access token's job is to access data until it expires.
  2. The refresh token's job is to obtain a new access token once the access token has expired.

What will happen if my tokens are compromised?

An access_token is a bearer credential: whoever holds it can call the resource server with it. If it is compromised, the attacker gets exactly what the token grants, but only until it expires, which is why access tokens are kept short-lived.

If the refresh token is compromised, the attacker still needs the client id and client secret to exchange it for an access_token, so for a confidential client (one that can actually keep its secret, such as a server-side web application) your resources stay safe. Be careful with that reasoning for public clients: a secret compiled into an Android or JavaScript app, like the android-client configured below, can be extracted from the app and is not really secret, so a stolen refresh token from such a client is in practice a long-lived credential. Treat refresh-token theft as a compromise and revoke the token, and prefer issuing a new refresh token on every refresh so a stolen one stops working as soon as the legitimate client refreshes.

Now that we have the basic idea of the OAuth 2 workflow, let's implement OAuth 2 authorization with Spring Security on Spring Boot.

2. Dependency

Add the spring-security-oauth2 dependency (group org.springframework.security.oauth, artifact spring-security-oauth2) to pom.xml, or the equivalent dependency line to build.gradle if you use Gradle.

3. Resource Server Configuration

Create a configuration class ResourceServerConfig that extends ResourceServerConfigurerAdapter, annotate it with @EnableResourceServer, and override the configure(HttpSecurity http) method. Here I've configured the resource server for the endpoints starting with /api/v1, so only those paths require an access token.
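The following resource server configuration is an added example, not the code from the original post. It protects everything under /api/v1 with a bearer token and additionally checks the token's scope per HTTP method; the package name and the read/write scope names are assumptions.

```java
// Added example: resource server for the /api/v1 endpoints.
package com.example.oauth;  // assumed package

import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            // This filter chain only handles requests under /api/v1; other paths
            // (for example /oauth/token) are left to the other security chains.
            .requestMatchers().antMatchers("/api/v1/**")
            .and()
            .authorizeRequests()
                // Reads need a token carrying the "read" scope ...
                .antMatchers(HttpMethod.GET, "/api/v1/**").access("#oauth2.hasScope('read')")
                // ... anything that modifies data needs "write" (scope names assumed).
                .antMatchers("/api/v1/**").access("#oauth2.hasScope('write')")
                // No path under /api/v1 is reachable without a valid access token.
                .anyRequest().authenticated();
    }
}
```

The resource server chain is stateless: it never creates a session and decides purely on the bearer token in the Authorization header. Scope checks mean that even a valid token obtained for read-only use cannot be replayed against a mutating endpoint.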

4. Authorization Server Configuration

Extend AuthorizationServerConfigurerAdapter, annotate the class with @EnableAuthorizationServer, and override its three configure methods.

Here we've used in-memory client details, which is enough for this post. The client id is android-client and the client secret is android-secret.

We've added three grant types, which means the client can obtain an access_token either with the user's username and password (the password grant) or with a refresh_token. If refresh_token were not listed here, the authorization server would only hand out access tokens, and we would have to send the username and password again every time one expired.

In the third method, configure(AuthorizationServerEndpointsConfigurer endpoints), we pass our AuthenticationManager bean so that the password grant can authenticate the user through our UserDetailsService. But wait: we have used Spring Security's AuthenticationManager without telling it about our UserDetailsService yet. So autowire an AuthenticationManagerBuilder and register the UserDetailsService on it, like this:

You can write this method below the main method or in any configuration bean that is processed before the AuthenticationManager is injected into AuthorizationServerConfig.
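The authorization server below is an added example, not the post's own code. It uses the post's client id and secret and the password and refresh_token grants; the third grant type (authorization_code) and its redirect URI, the scopes, the token lifetimes and the package name are assumptions, since the post names only two of its three grant types. It assumes Spring Boot 1.x with spring-security-oauth2 2.x, where an AuthenticationManager built from the registered UserDetailsService can be autowired directly.

```java
// Added example: authorization server issuing short-lived access tokens and
// longer-lived, rotating refresh tokens to the in-memory client from the post.
package com.example.oauth;  // assumed package

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore;

@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

    // Built by Spring Security from the UserDetailsService registered with the
    // AuthenticationManagerBuilder; the password grant uses it to check user credentials.
    @Autowired
    private AuthenticationManager authenticationManager;

    // Tokens live in memory: fine for a demo, lost on restart. Use JdbcTokenStore or
    // JwtTokenStore when the resource server runs in a separate process.
    @Bean
    public TokenStore tokenStore() {
        return new InMemoryTokenStore();
    }

    // Which clients may call /oauth/token and how. Id and secret are the post's values;
    // authorization_code, the redirect URI, scopes and lifetimes are assumptions.
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
            .withClient("android-client")
            // With Spring Security 5 the secret must be encoded, e.g. "{noop}android-secret".
            .secret("android-secret")
            .authorizedGrantTypes("password", "authorization_code", "refresh_token")
            .redirectUris("http://localhost:8080/callback")   // required by authorization_code
            .scopes("read", "write")
            .accessTokenValiditySeconds(10 * 60)              // 10 minutes: limits damage from a leaked access token
            .refreshTokenValiditySeconds(30 * 24 * 60 * 60);  // 30 days: the client re-authenticates after this
    }

    // /oauth/token requires HTTP Basic with client id and secret (the default);
    // /oauth/check_token, used by remote resource servers, needs an authenticated client.
    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) {
        security
            .tokenKeyAccess("permitAll()")
            .checkTokenAccess("isAuthenticated()");
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
        endpoints
            .tokenStore(tokenStore())
            .authenticationManager(authenticationManager)
            // Default is to hand back the same refresh token on every refresh. Rotating it
            // means a stolen refresh token stops working once the real client refreshes.
            .reuseRefreshTokens(false);
    }
}
```

The two validity settings are where the trade-off from the token section is made concrete: a short access token lifetime bounds the window an attacker has with a leaked bearer token, and rotating refresh tokens keeps a leaked refresh token from being a permanent credential.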

5. UserDetailsService

 
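The following UserDetailsService is an added example, not the post's own code; it also contains the AuthenticationManagerBuilder wiring that section 4 asked for, since the two belong together. The accounts are constructed sample data hashed at startup so the example runs without a database; a real service would load stored hashes from a repository. Class names, the package and the sample e-mail addresses are assumptions.

```java
// Added example: the UserDetailsService the password grant authenticates against,
// plus the global AuthenticationManagerBuilder wiring from section 4.
package com.example.oauth;  // assumed package

import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Service;

@Service
public class AccountDetailsService implements UserDetailsService {

    private static final PasswordEncoder ENCODER = new BCryptPasswordEncoder();

    // Constructed sample accounts: username -> [bcrypt hash, role]. Only hashes are kept,
    // so the plaintext passwords never sit in server memory after startup.
    private final Map<String, String[]> accounts = new HashMap<>();

    public AccountDetailsService() {
        accounts.put("alice@example.com", new String[] { ENCODER.encode("alice-password"), "ROLE_USER" });
        accounts.put("bob@example.com",   new String[] { ENCODER.encode("bob-password"),   "ROLE_ADMIN" });
    }

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        String[] account = accounts.get(username);
        if (account == null) {
            // Never return null. DaoAuthenticationProvider turns this exception into a
            // generic "Bad credentials" failure, so callers cannot enumerate valid users.
            throw new UsernameNotFoundException("No account for " + username);
        }
        return new User(username, account[0],
                Collections.singletonList(new SimpleGrantedAuthority(account[1])));
    }
}

// Section 4's wiring: give the global AuthenticationManagerBuilder our service and a
// matching encoder, so the AuthenticationManager injected into AuthorizationServerConfig
// verifies BCrypt hashes. The post puts this method on the @SpringBootApplication class;
// a @Configuration class works the same way.
@Configuration
class AuthenticationManagerConfig {

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth,
                                UserDetailsService userDetailsService) throws Exception {
        // Any BCryptPasswordEncoder verifies hashes produced by another; the cost factor
        // is read from the stored hash, not from the encoder instance.
        auth.userDetailsService(userDetailsService).passwordEncoder(new BCryptPasswordEncoder());
    }
}
```

Note that the password encoder registered here must match how the stored hashes were produced; registering a UserDetailsService that returns BCrypt hashes without an encoder makes every password-grant request fail with "Bad credentials".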

That's it for now. We've implemented OAuth 2 with Spring Security.

6. Endpoints:

The client sends a token request (the password grant, authenticated with its client id and secret) and the authorization server responds with an access token and a refresh token.

Authorization Server Response:

Next time we can request an access_token with the refresh token instead. This time we don't need the user's email and password, like this:

Now we can access the resource with that access token, as long as it is still valid.
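The three calls described in this section, written as a small client with java.net.http (Java 11+), are an added example and not part of the original post. /oauth/token is spring-security-oauth2's default token endpoint and the client id and secret are the post's; the host, the user credentials and the /api/v1/me path are assumptions. The JSON handling is deliberately minimal; use a JSON library in real code.

```java
// Added example: password grant, bearer request, then refresh grant against the
// authorization and resource server from this post.
import java.io.IOException;
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class TokenFlowClient {

    static final String BASE = "http://localhost:8080";   // assumed
    static final String CLIENT_ID = "android-client";      // from the post
    static final String CLIENT_SECRET = "android-secret";  // from the post
    static final HttpClient HTTP = HttpClient.newHttpClient();

    // The client authenticates to /oauth/token with HTTP Basic (client_id:client_secret);
    // the user's credentials, or the refresh token, travel in the form-encoded body.
    static String tokenRequest(String form) throws IOException, InterruptedException {
        String basic = Base64.getEncoder().encodeToString(
                (CLIENT_ID + ":" + CLIENT_SECRET).getBytes(StandardCharsets.UTF_8));
        HttpRequest request = HttpRequest.newBuilder(URI.create(BASE + "/oauth/token"))
                .header("Authorization", "Basic " + basic)
                .header("Content-Type", "application/x-www-form-urlencoded")
                .POST(HttpRequest.BodyPublishers.ofString(form))   // the endpoint accepts POST only
                .build();
        HttpResponse<String> response = HTTP.send(request, HttpResponse.BodyHandlers.ofString());
        if (response.statusCode() != 200) {
            throw new IOException("token endpoint returned " + response.statusCode() + ": " + response.body());
        }
        return response.body();
    }

    // Pulls one string field out of the token response; returns null when absent.
    // Spring's default tokens are opaque UUIDs, so there is nothing to decode in them.
    static String field(String json, String name) {
        Matcher m = Pattern.compile("\"" + name + "\"\\s*:\\s*\"([^\"]+)\"").matcher(json);
        return m.find() ? m.group(1) : null;
    }

    static String encode(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8);
    }

    // grant_type=password: the only request that ever carries the user's password.
    static String passwordGrant(String username, String password) throws IOException, InterruptedException {
        return tokenRequest("grant_type=password&username=" + encode(username) + "&password=" + encode(password));
    }

    // grant_type=refresh_token: no user credentials, only the refresh token plus client auth.
    static String refreshGrant(String refreshToken) throws IOException, InterruptedException {
        return tokenRequest("grant_type=refresh_token&refresh_token=" + encode(refreshToken));
    }

    // Resource request: the access token goes in the Authorization header as a bearer token.
    static HttpResponse<String> callApi(String accessToken) throws IOException, InterruptedException {
        HttpRequest request = HttpRequest.newBuilder(URI.create(BASE + "/api/v1/me"))   // assumed path
                .header("Authorization", "Bearer " + accessToken)
                .GET()
                .build();
        return HTTP.send(request, HttpResponse.BodyHandlers.ofString());
    }

    public static void main(String[] args) throws Exception {
        String first = passwordGrant("alice@example.com", "alice-password");   // assumed user
        String accessToken = field(first, "access_token");
        String refreshToken = field(first, "refresh_token");

        HttpResponse<String> api = callApi(accessToken);
        System.out.println("API status: " + api.statusCode());

        // An expired access token yields 401 with error=invalid_token; refresh instead of
        // asking the user for the password again.
        String second = refreshGrant(refreshToken);
        accessToken = field(second, "access_token");
        // If the server rotates refresh tokens, the response carries a new one: keep it and
        // drop the old one, which the server no longer accepts.
        String rotated = field(second, "refresh_token");
        if (rotated != null) {
            refreshToken = rotated;
        }
        System.out.println("API status after refresh: " + callApi(accessToken).statusCode());
    }
}
```

Two points are worth noticing in the exchange: the user's password appears in exactly one request, and the client secret is sent on every token request, which is why the client's ability to keep that secret decides how much a leaked refresh token is worth.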
