How to do it...

The following steps will guide you to configure an Authorization Server and a Resource Server using Spring Security OAuth2:

  1. Create the initial project using Spring Initializr as we did for other recipes in this book. Go to https://start.spring.io/ and define the following data:
    • Set up the Group as com.packt.example
    • Define the Artifact as password-server
    • Add Web and Security as dependencies for this project
  2. After creating the password-server project, import it to your IDE. If using Eclipse, import it as a Maven project.
  3. Open the pom.xml file and add the following dependency, as we will use the Spring Security OAuth2 project:
     <dependency>
         <groupId>org.springframework.security.oauth</groupId>
         <artifactId>spring-security-oauth2</artifactId>
     </dependency>
  4. Open the application.properties file and add the same configuration that we used in the first recipe to set up the user's credentials: adolfo for security.user.name and 123 for security.user.password.
  5. Create the UserProfile and UserController classes within the com.packt.example.passwordserver.api package. The source code for both classes must be the same as that provided for the first recipe in this chapter (you can also download the source code from GitHub if you want).
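  6. Now create the OAuth2ResourceServer class with the following content to declare how to protect the endpoints that match the /api/** pattern. This class should be created within the com.packt.example.passwordserver.config package:
     package com.packt.example.passwordserver.config;

     import org.springframework.context.annotation.Configuration;
     import org.springframework.security.config.annotation.web.builders.HttpSecurity;
     import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
     import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

     @Configuration
     @EnableResourceServer
     public class OAuth2ResourceServer extends ResourceServerConfigurerAdapter {
         @Override
         public void configure(HttpSecurity http) throws Exception {
             // Every request under /api/** must carry a valid access token
             http
                 .authorizeRequests().anyRequest().authenticated()
                 .and()
                 .requestMatchers().antMatchers("/api/**");
         }
     }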
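  7. Create the OAuth2AuthorizationServer class within the same package as OAuth2ResourceServer, as follows, to configure the Password grant type:
     package com.packt.example.passwordserver.config;

     import org.springframework.context.annotation.Configuration;
     import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
     import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
     import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;

     @Configuration
     @EnableAuthorizationServer
     public class OAuth2AuthorizationServer extends
             AuthorizationServerConfigurerAdapter {
         @Override
         public void configure(ClientDetailsServiceConfigurer clients)
                 throws Exception {
             // In-memory client registration; this client may use only the Password grant
             clients.inMemory()
                 .withClient("clientapp")
                 .secret("123456")
                 .redirectUris("http://localhost:9000/callback")
                 .authorizedGrantTypes("password")
                 .scopes("read_profile", "read_contacts");
         }
     }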
  8. The only difference between the OAuth2AuthorizationServer created for this recipe and those created for the other grant types presented in this chapter is the value passed to authorizedGrantTypes, which in this case is password. The main difference appears when interacting with our OAuth 2.0 Provider.
  9. If you run the application as it is, you will face the following error when trying to request an access token. Such an error occurs because the Password grant type requires you to declare an AuthenticationManager inside the OAuth2AuthorizationServer configuration class:
     {
         "error": "unsupported_grant_type",
         "error_description": "Unsupported grant type: password"
     }
  10. Inject the following attribute within the OAuth2AuthorizationServer class:
     @Autowired
     private AuthenticationManager authenticationManager;
  11. Then set up the authenticationManager for AuthorizationServerEndpointsConfigurer by overriding the following method from AuthorizationServerConfigurerAdapter, within OAuth2AuthorizationServer, as follows:
     @Override
     public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
         // Registering an AuthenticationManager is what enables the Password grant
         endpoints.authenticationManager(authenticationManager);
     }
  12. Now run the application through your IDE actions or by running the Maven mvn spring-boot:run command.
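
With the server running, the token request that this configuration accepts can be exercised from a shell. The script below is an added example, not code from the book: it assumes Spring Boot's default port 8080 and the framework's default /oauth/token endpoint, uses the client and user credentials configured above, and its function names are illustrative.

```shell
#!/bin/sh
# Added example (not from the book): request a token with the Password grant.
# Assumptions: server on Spring Boot's default port 8080, token endpoint at the
# framework default /oauth/token, client and user credentials as configured above.
BASE_URL="${BASE_URL:-http://localhost:8080}"

# Pull one string field out of a JSON body (single-line or pretty-printed).
json_field() {
  printf '%s\n' "$2" |
    sed -n 's/.*"'"$1"'"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' |
    head -n 1
}

# Map a token-endpoint response to "token <value>" or "error <code>".
classify_token_response() {
  token=$(json_field access_token "$1")
  if [ -n "$token" ]; then
    echo "token $token"
  else
    echo "error $(json_field error "$1")"
  fi
}

# The client authenticates with HTTP Basic; the resource owner's username and
# password travel in the form body, so anything beyond localhost needs HTTPS.
request_token() {
  curl -s -u clientapp:123456 "$BASE_URL/oauth/token" \
    -d grant_type=password -d scope=read_profile \
    --data-urlencode "username=$1" --data-urlencode "password=$2"
}

# Only touch the network when invoked as: sh password-grant.sh run
if [ "${1:-}" = "run" ]; then
  classify_token_response "$(request_token adolfo 123)"
fi
```

Until the AuthenticationManager is wired into the endpoints configurer, this reports error unsupported_grant_type, matching the response shown earlier; afterwards it reports the issued token.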