206 lines
6.7 KiB
Plaintext
206 lines
6.7 KiB
Plaintext
= OAuth 2.0 Resource Server Sample
|
|
|
|
This sample demonstrates integrating Resource Server with the Spring Authorization Server, though it can be modified to integrate
|
|
with a mock server or your favorite Authorization Server.
|
|
|
|
With it, you can run the integration tests or run the application as a stand-alone service to explore how you can
|
|
secure your own service with OAuth 2.0 Bearer Tokens using Spring Security.
|
|
|
|
== 1. Running the tests
|
|
|
|
To run the tests, do:
|
|
|
|
```bash
|
|
./gradlew integrationTest
|
|
```
|
|
|
|
Or import the project into your IDE and run `ServerOAuth2ResourceServerApplicationTests` from there.
|
|
|
|
=== What is it doing?
|
|
|
|
By default, the tests are pointing at a mock Authorization Server instance via the `test` profile.
|
|
|
|
The tests are configured with a set of hard-coded tokens originally obtained from the mock Authorization Server,
|
|
and each makes a query to the Resource Server with their corresponding token.
|
|
|
|
The Resource Server subsquently verifies with the Authorization Server and authorizes the request, returning the phrase
|
|
|
|
```bash
|
|
Hello, subject!
|
|
```
|
|
|
|
where "subject" is the value of the `sub` field in the JWT returned by the Authorization Server.
|
|
|
|
== 2. Running the app with Spring Authorization Server
|
|
|
|
Before running this application with the default configuration, you will need to start up an Authorization Server, such as the https://github.com/spring-projects/spring-security-samples/tree/main/servlet/spring-boot/java/oauth2/authorization-server[authorization-server sample] in this project which is pre-configured to work with this Resource Server sample out of the box.
|
|
|
|
To run the Authorization Server as a stand-alone application, navigate to the `servlet/spring-boot/java/oauth2/authorization-server` and do:
|
|
|
|
```bash
|
|
./gradlew bootRun
|
|
```
|
|
|
|
Or import the project into your IDE and run `OAuth2AuthorizationServerApplication` from there. Next, you can run this Resource Server.
|
|
|
|
To run as a stand-alone application, do:
|
|
|
|
```bash
|
|
./gradlew bootRun
|
|
```
|
|
|
|
Or import the project into your IDE and run `ServerOAuth2ResourceServerApplication` from there.
|
|
|
|
Once it is up and running, you can issue the following request:
|
|
|
|
```bash
|
|
curl -X POST messaging-client:secret@localhost:9000/oauth2/token -d "grant_type=client_credentials" -d "scope=message:read"
|
|
```
|
|
|
|
This returns something like the following:
|
|
|
|
```json
|
|
{
|
|
"access_token": "eyJraWQiOiI4YWY4Zjc2Zi0zMTdkLTQxZmYtYWY5Yi1hZjg5NDg4ODM5YzciLCJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJtZXNzYWdpbmctY2xpZW50IiwiYXVkIjoibWVzc2FnaW5nLWNsaWVudCIsIm5iZiI6MTYyNzMzNDQ1MCwic2NvcGUiOlsibWVzc2FnZTpyZWFkIl0sImlzcyI6Imh0dHA6XC9cL2xvY2FsaG9zdDo5MDAwIiwiZXhwIjoxNjI3MzM0NzUwLCJpYXQiOjE2MjczMzQ0NTAsImp0aSI6IjBiYjYwZjhkLWIzNjItNDk0MC05MGRmLWZhZDg4N2Q1Yzg1ZSJ9.O8dI67B_feRjOn6pJi5ctPJmUJCNpV77SC4OiWqmpa5UHvf4Ud6L6EFe9LKuPIRrEWi8rMdCdMBOPKQMXvxLoI3LMUPf7Yj973uvZN0E988MsKwhGwxyaa_Wam8wFlk8aQlN8SbW3cKdeH-nKloNMdwjfspovefX521mxouaMjmyXdIFrM5WZ15GZK69NIniACSatE-pc9TAjKYBDbC65jVt_zHEvDQbEkZulF2bjrGOZC8C3IbJWnlKgkcshrY44TtrGPyCp2gIS0TSUUsG00iSBBC8E8zPU-YdfaP8gB9_FwUwK9zfy_hU2Ykf2aU3eulpGDVLn2rCwFeK86Rw1w",
|
|
"expires_in": 299,
|
|
"scope": "message:read",
|
|
"token_type": "Bearer"
|
|
}
|
|
```
|
|
|
|
Then, export the access token from the response:
|
|
|
|
```bash
|
|
export TOKEN=...
|
|
```
|
|
|
|
Then issue the following request:
|
|
|
|
```bash
|
|
curl -H "Authorization: Bearer $TOKEN" localhost:8080
|
|
```
|
|
|
|
Which will respond with the phrase:
|
|
|
|
```
|
|
Hello, messaging-client!
|
|
```
|
|
|
|
where `messaging-client` is the value of the `sub` field in the JWT returned by the Authorization Server.
|
|
|
|
Or this to make a GET request to /message:
|
|
|
|
```bash
|
|
curl -H "Authorization: Bearer $TOKEN" localhost:8080/message
|
|
```
|
|
|
|
Will respond with:
|
|
|
|
```bash
|
|
secret message
|
|
```
|
|
|
|
In order to make a POST request to /message, you can use the following request:
|
|
|
|
```bash
|
|
curl -X POST messaging-client:secret@localhost:9000/oauth2/token -d "grant_type=client_credentials" -d "scope=message:write"
|
|
```
|
|
|
|
Then, export the access token from the response:
|
|
|
|
```bash
|
|
export TOKEN=...
|
|
```
|
|
|
|
Then issue the following request:
|
|
|
|
```bash
|
|
curl -H "Authorization: Bearer $TOKEN" -d "my message" localhost:8080/message
|
|
```
|
|
|
|
Which will respond with:
|
|
|
|
```bash
|
|
Message was created. Content: my message
|
|
```
|
|
|
|
== 3. Running the app with a mock Authorization Server
|
|
|
|
To run as a stand-alone application with an embedded mock Authorization Server, do:
|
|
|
|
```bash
|
|
./gradlew bootRun --args='--spring.profiles.active=test'
|
|
```
|
|
|
|
Or import the project into your IDE and run `ServerOAuth2ResourceServerApplication` from there with the `test` profile active.
|
|
|
|
Once it is up, you can use the following token:
|
|
|
|
```bash
|
|
export TOKEN=eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJzdWJqZWN0IiwiZXhwIjo0NjgzODA1MTI4fQ.ULEPdHG-MK5GlrTQMhgqcyug2brTIZaJIrahUeq9zaiwUSdW83fJ7W1IDd2Z3n4a25JY2uhEcoV95lMfccHR6y_2DLrNvfta22SumY9PEDF2pido54LXG6edIGgarnUbJdR4rpRe_5oRGVa8gDx8FnuZsNv6StSZHAzw5OsuevSTJ1UbJm4UfX3wiahFOQ2OI6G-r5TB2rQNdiPHuNyzG5yznUqRIZ7-GCoMqHMaC-1epKxiX8gYXRROuUYTtcMNa86wh7OVDmvwVmFioRcR58UWBRoO1XQexTtOQq_t8KYsrPZhb9gkyW8x2bAQF-d0J0EJY8JslaH6n4RBaZISww
|
|
```
|
|
|
|
And then make this request:
|
|
|
|
```bash
|
|
curl -H "Authorization: Bearer $TOKEN" localhost:8080
|
|
```
|
|
|
|
Which will respond with the phrase:
|
|
|
|
```bash
|
|
Hello, subject!
|
|
```
|
|
|
|
where `subject` is the value of the `sub` field in the JWT returned by the Authorization Server.
|
|
|
|
Or this:
|
|
|
|
```bash
|
|
export TOKEN=eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJzdWJqZWN0Iiwic2NvcGUiOiJtZXNzYWdlOnJlYWQiLCJleHAiOjQ2ODM4MDUxNDF9.h-j6FKRFdnTdmAueTZCdep45e6DPwqM68ZQ8doIJ1exi9YxAlbWzOwId6Bd0L5YmCmp63gGQgsBUBLzwnZQ8kLUgUOBEC3UzSWGRqMskCY9_k9pX0iomX6IfF3N0PaYs0WPC4hO1s8wfZQ-6hKQ4KigFi13G9LMLdH58PRMK0pKEvs3gCbHJuEPw-K5ORlpdnleUTQIwINafU57cmK3KocTeknPAM_L716sCuSYGvDl6xUTXO7oPdrXhS_EhxLP6KxrpI1uD4Ea_5OWTh7S0Wx5LLDfU6wBG1DowN20d374zepOIEkR-Jnmr_QlR44vmRqS5ncrF-1R0EGcPX49U6A
|
|
|
|
curl -H "Authorization: Bearer $TOKEN" localhost:8080/message
|
|
```
|
|
|
|
Will respond with:
|
|
|
|
```bash
|
|
secret message
|
|
```
|
|
|
|
== 4. Testing against other Authorization Servers
|
|
|
|
_In order to use this sample, your Authorization Server must support JWTs that either use the "scope" or "scp" attribute._
|
|
|
|
To change the sample to point at your Authorization Server, simply find this property in the `application.yml`:
|
|
|
|
```yaml
|
|
spring:
|
|
security:
|
|
oauth2:
|
|
resourceserver:
|
|
jwt:
|
|
jwk-set-uri: http://localhost:9000/oauth2/jwks
|
|
```
|
|
|
|
And change the property to your Authorization Server's JWK set endpoint:
|
|
|
|
```yaml
|
|
spring:
|
|
security:
|
|
oauth2:
|
|
resourceserver:
|
|
jwt:
|
|
jwk-set-uri: https://dev-123456.oktapreview.com/oauth2/default/v1/keys
|
|
```
|
|
|
|
And then you can run the app the same as before:
|
|
|
|
```bash
|
|
./gradlew bootRun
|
|
```
|
|
|
|
Make sure to obtain valid tokens from your Authorization Server in order to play with the sample Resource Server.
|
|
To use the `/` endpoint, any valid token from your Authorization Server will do.
|
|
To use the `/message` endpoint, the token should have the `message:read` scope.
|