- Spring 5.0 Microservices(Second Edition)
- Rajesh R V
- 2021-07-02 19:45:05
Securing microservice with OAuth2
In this section, we will see the basic Spring Boot configuration for OAuth2. When a client application requires access to a protected resource, it sends a request to an authorization server. The authorization server validates the request and issues an access token. This access token is then validated on every client-to-server request. The exact requests and responses exchanged depend on the grant type.
The resource owner password credentials grant approach will be used in the following example:

In this case, as shown in the preceding diagram, the resource owner provides the client with a username and password. The client then sends a token request to the authorization server by providing the credentials. The authorization server authorizes the client, and returns an access token. On every subsequent request, the server validates the client token.
To implement OAuth2 in our example, follow these steps:
- As the first step, update pom.xml with the OAuth2 dependency as follows:
<dependency>
    <groupId>org.springframework.security.oauth</groupId>
    <artifactId>spring-security-oauth2</artifactId>
</dependency>
<!-- the dependency below is explicitly required when
     testing OAuth2 with Spring Boot 2.0.0.M1 -->
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-crypto</artifactId>
    <version>4.2.2.RELEASE</version>
</dependency>
- Next, add two new annotations, @EnableAuthorizationServer and @EnableResourceServer, to Application.java. The @EnableAuthorizationServer annotation creates an authorization server with an in-memory repository to store client tokens and to provide clients with a username, password, client ID, and secret. @EnableResourceServer marks the application as a resource server: it enables a Spring Security filter that authenticates incoming requests via the OAuth2 token they carry.
@EnableResourceServer
@EnableAuthorizationServer
@SpringBootApplication
public class Application {
    public static void main(String[] args) {
        SpringApplication.run(Application.class, args);
    }
}
- Add the following properties to the application.properties file:
security.user.name=guest
security.user.password=guest123
security.oauth2.client.client-id: trustedclient
security.oauth2.client.client-secret: trustedclient123
security.oauth2.client.authorized-grant-types: authorization_code,refresh_token,password
- Add another test case to test OAuth2 as follows:
@Test
public void testOAuthService() {
    // Resource owner password credentials grant: the client holds the user's
    // credentials plus its own client ID and secret.
    ResourceOwnerPasswordResourceDetails resource =
        new ResourceOwnerPasswordResourceDetails();
    resource.setUsername("guest");
    resource.setPassword("guest123");
    // endpoint from which the access token is obtained
    resource.setAccessTokenUri("http://localhost:8080/oauth/token");
    resource.setClientId("trustedclient");
    resource.setClientSecret("trustedclient123");
    resource.setGrantType("password");
    resource.setScope(Arrays.asList("read", "write", "trust"));

    DefaultOAuth2ClientContext clientContext =
        new DefaultOAuth2ClientContext();
    // OAuth2RestTemplate fetches the token and attaches it to every request
    OAuth2RestTemplate restTemplate =
        new OAuth2RestTemplate(resource, clientContext);

    Greet greet = restTemplate
        .getForObject("http://localhost:8080", Greet.class);
    Assert.assertEquals("Hello World!", greet.getMessage());
}
As shown in the preceding code, a special REST template, OAuth2RestTemplate, is created by passing the resource details encapsulated in a resource details object. This REST template handles the OAuth2 token exchange underneath. The access token URI is the endpoint from which the access token is obtained.
- Rerun the application using mvn install. The first two test cases will now fail and the new one will succeed, because the server accepts only requests that carry an OAuth2 token.
These are quick configurations provided by Spring Boot out of the box, but they are not production grade. We may need to customize ResourceServerConfigurer and AuthorizationServerConfigurer to make them production ready. Regardless, the approach remains the same.