
  • OAuth 2.0 Cookbook
  • Adolfo Eloy Nascimento
  • 443 words
  • 2021-07-08 09:35:11

How to do it...

The following steps will guide you to configure an Authorization Server and a Resource Server using Spring Security OAuth2:

  1. Create the initial project using Spring Initializr, as we did for the other recipes in this book. Go to https://start.spring.io/ and define the following data:
    • Set up the Group as com.packt.example
    • Define the Artifact as refresh-server
    • Add Web and Security as dependencies for this project
  2. After creating the refresh-server project, import it to your IDE. If using Eclipse, import it as a Maven project.
  3. Open the pom.xml file and add the following dependency, as we will use the Spring Security OAuth2 project (the version is managed by the Spring Boot parent, so none is declared here):

    <dependency>
        <groupId>org.springframework.security.oauth</groupId>
        <artifactId>spring-security-oauth2</artifactId>
    </dependency>
  4. Open the application.properties file and add the same configuration that we did for the first recipe to set up the user's credentials, which were adolfo for security.user.name and 123 for security.user.password.
  5. To have an API to explore and to protect it using OAuth 2.0, you must create the UserController and UserProfile classes within the com.packt.example.refreshserver.api package. The content of both classes must be the same as that provided for the first recipe (remember that you can download the source code from GitHub if you want).
  6. Now let's create the classes that will live in the com.packt.example.refreshserver.config package, beginning with the Resource Server configuration, as described by the following source code:
    package com.packt.example.refreshserver.config;

    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
    import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

    @Configuration
    @EnableResourceServer
    public class OAuth2ResourceServer extends ResourceServerConfigurerAdapter {

        @Override
        public void configure(HttpSecurity http) throws Exception {
            // Only requests under /api/** are handled by this resource server,
            // and every one of them must carry a valid access token.
            http.authorizeRequests()
                .anyRequest()
                .authenticated()
                .and()
                .requestMatchers()
                .antMatchers("/api/**");
        }
    }
  7. And for the Authorization Server configuration, create the OAuth2AuthorizationServer class as follows:
    package com.packt.example.refreshserver.config;

    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
    import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
    import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;

    @Configuration
    @EnableAuthorizationServer
    public class OAuth2AuthorizationServer extends AuthorizationServerConfigurerAdapter {

        @Override
        public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
            // A single in-memory client that may use the authorization code,
            // password and refresh token grants; access tokens live for 120 seconds.
            clients.inMemory()
                .withClient("clientapp")
                .secret("123456")
                .authorizedGrantTypes("authorization_code", "password", "refresh_token")
                .accessTokenValiditySeconds(120)
                .scopes("read_profile", "read_contacts");
        }
    }
  8. Notice that the Authorization Server we are configuring supports the Authorization Code, Password, and Refresh Token grant types. The refresh token can also be considered a grant type because it also describes how to request new access tokens. In addition, to exchange a refresh token we use the same endpoint used to retrieve an access token, that is, /oauth/token.
  9. Also notice the use of the accessTokenValiditySeconds method from ClientDetailsServiceConfigurer, which sets the access token to expire 2 minutes after it is issued.
  10. Because we have enabled the Password grant type in addition to the other two, we need to inject an AuthenticationManager and register it on AuthorizationServerEndpointsConfigurer. To do so, add the following snippet of code within the OAuth2AuthorizationServer class (and the corresponding imports at the top of the file):
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.security.authentication.AuthenticationManager;
    import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;

        // The password grant validates the resource owner's credentials, so the
        // token endpoint needs the application's AuthenticationManager.
        @Autowired
        private AuthenticationManager authenticationManager;

        @Override
        public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
            endpoints.authenticationManager(authenticationManager);
        }
  11. Now run the application through your IDE actions or by running the Maven mvn spring-boot:run command.
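As an added example (not code from the book), the following version of OAuth2AuthorizationServer combines the pieces above with two settings that matter once refresh tokens are issued: a bounded refresh-token lifetime and one-time refresh tokens, so that each refresh_token grant invalidates the token that was presented and a replayed copy is rejected. It uses the same spring-security-oauth2 2.x API as the recipe; the 30-day lifetime and the explicit InMemoryTokenStore bean are assumptions, not values from the book.

```java
package com.packt.example.refreshserver.config;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore;

@Configuration
@EnableAuthorizationServer
public class OAuth2AuthorizationServer extends AuthorizationServerConfigurerAdapter {

    @Autowired
    private AuthenticationManager authenticationManager;

    // Explicit token store (assumed choice) so that a refresh token that has been
    // rotated is actually removed and can no longer be exchanged.
    @Bean
    public TokenStore tokenStore() {
        return new InMemoryTokenStore();
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
            .withClient("clientapp")
            .secret("123456")
            .authorizedGrantTypes("authorization_code", "password", "refresh_token")
            .accessTokenValiditySeconds(120)             // short-lived access token, as in the recipe
            .refreshTokenValiditySeconds(30 * 24 * 3600) // assumed: refresh tokens expire after 30 days
            .scopes("read_profile", "read_contacts");
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints
            .authenticationManager(authenticationManager)
            .tokenStore(tokenStore())
            // Every refresh_token grant issues a new refresh token and deletes the
            // one presented, so a leaked refresh token stops working after one use.
            .reuseRefreshTokens(false);
    }
}
```

With this in place, a second POST to /oauth/token with grant_type=refresh_token and an already-used refresh token is answered with an invalid_grant error instead of a new access token.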