170 lines
6.6 KiB
Plaintext
170 lines
6.6 KiB
Plaintext
|
= OAuth 2.0 Resource Server Sample
|
||
|
|
|
||
|
|
This sample demonstrates integrations with a handful of different authorization servers.
|
||
|
|
|
||
|
|
With it, you can run the integration tests or run the application as a stand-alone service to explore how you can
|
||
|
|
secure your own service with OAuth 2.0 Bearer Tokens using Spring Security.
|
||
|
|
|
||
|
|
== 1. Running the tests
|
||
|
|
|
||
|
|
To run the tests, do:
|
||
|
|
|
||
|
|
```bash
|
||
|
|
../../../gradlew integrationTest
|
||
|
|
```
|
||
|
|
|
||
|
|
Or import the project into your IDE and run `OAuth2ResourceServerApplicationTests` from there.
|
||
|
|
|
||
|
|
=== What is it doing?
|
||
|
|
|
||
|
|
By default, the tests are pointing at a demonstration Okta instance. The test that performs a valid round trip does so
|
||
|
|
by querying the Okta Authorization Server using the client_credentials grant type to get a valid JWT token. Then, the test
|
||
|
|
makes a query to the Resource Server with that token. The Resource Server subsquently verifies with Okta and
|
||
|
|
authorizes the request, returning the phrase
|
||
|
|
|
||
|
|
```bash
|
||
|
|
Hello, {subject}!
|
||
|
|
```
|
||
|
|
|
||
|
|
where subject is the value of the `sub` field in the JWT returned by the Authorization Server.
|
||
|
|
|
||
|
|
== 2. Running the app
|
||
|
|
|
||
|
|
To run as a stand-alone application, do:
|
||
|
|
|
||
|
|
```bash
|
||
|
|
../../../gradlew bootRun
|
||
|
|
```
|
||
|
|
|
||
|
|
Or import the project into your IDE and run `OAuth2ResourceServerApplication` from there.
|
||
|
|
|
||
|
|
Once it is up, you can retreive a valid JWT token from the authorization server, and then hit the endpoint:
|
||
|
|
|
||
|
|
```bash
|
||
|
|
curl -H "Authorization: Bearer {token}" localhost:8081
|
||
|
|
```
|
||
|
|
|
||
|
|
Which will respond with the phrase:
|
||
|
|
|
||
|
|
```bash
|
||
|
|
Hello, {subject}!
|
||
|
|
```
|
||
|
|
|
||
|
|
where `subject` is the value of the `sub` field in the JWT returned by the Authorization Server.
|
||
|
|
|
||
|
|
=== How do I obtain a valid JWT token?
|
||
|
|
|
||
|
|
Getting a valid JWT token from an Authorization Server will vary, depending on your setup. However, it will typically
|
||
|
|
look something like this:
|
||
|
|
|
||
|
|
```bash
|
||
|
|
curl --user {client id}:{client password} -d "grant_type=client_credentials" {auth server endpoint}/token
|
||
|
|
```
|
||
|
|
|
||
|
|
which will respond with a JSON payload containing the `access_token` among other things:
|
||
|
|
|
||
|
|
```bash
|
||
|
|
{ "access_token" : "{the access token}", "token_type" : "Bearer", "expires_in" : "{an expiry}", "scope" : "{a list of scopes}" }
|
||
|
|
```
|
||
|
|
|
||
|
|
For example, the following can be used to hit the sample Okta endpoint for a valid JWT token:
|
||
|
|
|
||
|
|
```bash
|
||
|
|
curl --user 0oaf5u5g4m6CW4x6z0h7:HR7edRoo3glhF06HTxonOKZvO4I2BWYcC_ocOHlv -d "grant_type=client_credentials" https://dev-805262.oktapreview.com/oauth2/default/v1/token
|
||
|
|
```
|
||
|
|
|
||
|
|
Which will give a response similar to this (formatting mine):
|
||
|
|
|
||
|
|
```json
|
||
|
|
{
|
||
|
|
"access_token": "eyJraWQiOiJFRjBFWDFFWHZGc1hGaDhuYkRGazNJN0hMUDBsZnJnc0JKMVdBWmkwRmI0IiwiYWxnIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULmtQSUdfMEVMQmM3NVFMN3c4ZHBMVFRtNXZFVFd3d1R2dzJ3aXNISGRMbjgiLCJpc3MiOiJodHRwczovL2Rldi04MDUyNjIub2t0YXByZXZpZXcuY29tL29hdXRoMi9kZWZhdWx0IiwiYXVkIjoicmVzb3VyY2Utc2VydmVyIiwiaWF0IjoxNTI4ODYwMTkxLCJleHAiOjE1Mjg4NjM3OTEsImNpZCI6IjBvYWY1dTVnNG02Q1c0eDZ6MGg3Iiwic2NwIjpbIm9rIl0sInN1YiI6IjBvYWY1dTVnNG02Q1c0eDZ6MGg3In0.G_F9MQ3pqCy-YwfcNhryoPG5E1q4tQ7gV8OIDizR3QouUgrqT7MQsLQCTtGGLF2Fi0qq0Pr-V-wWa2MkyvcboEAhnfYi4rd3UmMrRTrNana6pVZjVWB_uj88-mZ57lFRnoYMCFbepmCxmY6D6p354H964xXWdtY7d6fw7F88DRDWMGQE0iQjMuUDg4izptVcK9db7uMonYTT1PFvOBQfwcn1zCeDVQgZFe7gjQA71CV9M6CIAXYDrpzp_hs95xco7Q3ncN3J7ZkCebLcUL6MdJS2nVuX6D6eC9PrtmCj06mb0-ydlzBSIUCPMaMQk9EhlEM_qK3d1iimCQnwo6KsIQ",
|
||
|
|
"token_type": "Bearer",
|
||
|
|
"expires_in": 3600,
|
||
|
|
"scope": "ok"
|
||
|
|
}
|
||
|
|
```
|
||
|
|
|
||
|
|
Then, using that access token:
|
||
|
|
|
||
|
|
```bash
|
||
|
|
curl -H "Authorization: Bearer eyJraWQiOiJFRjBFWDFFWHZGc1hGaDhuYkRGazNJN0hMUDBsZnJnc0JKMVdBWmkwRmI0IiwiYWxnIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULmtQSUdfMEVMQmM3NVFMN3c4ZHBMVFRtNXZFVFd3d1R2dzJ3aXNISGRMbjgiLCJpc3MiOiJodHRwczovL2Rldi04MDUyNjIub2t0YXByZXZpZXcuY29tL29hdXRoMi9kZWZhdWx0IiwiYXVkIjoicmVzb3VyY2Utc2VydmVyIiwiaWF0IjoxNTI4ODYwMTkxLCJleHAiOjE1Mjg4NjM3OTEsImNpZCI6IjBvYWY1dTVnNG02Q1c0eDZ6MGg3Iiwic2NwIjpbIm9rIl0sInN1YiI6IjBvYWY1dTVnNG02Q1c0eDZ6MGg3In0.G_F9MQ3pqCy-YwfcNhryoPG5E1q4tQ7gV8OIDizR3QouUgrqT7MQsLQCTtGGLF2Fi0qq0Pr-V-wWa2MkyvcboEAhnfYi4rd3UmMrRTrNana6pVZjVWB_uj88-mZ57lFRnoYMCFbepmCxmY6D6p354H964xXWdtY7d6fw7F88DRDWMGQE0iQjMuUDg4izptVcK9db7uMonYTT1PFvOBQfwcn1zCeDVQgZFe7gjQA71CV9M6CIAXYDrpzp_hs95xco7Q3ncN3J7ZkCebLcUL6MdJS2nVuX6D6eC9PrtmCj06mb0-ydlzBSIUCPMaMQk9EhlEM_qK3d1iimCQnwo6KsIQ" \
|
||
|
|
localhost:8081
|
||
|
|
```
|
||
|
|
|
||
|
|
I get:
|
||
|
|
|
||
|
|
```bash
|
||
|
|
Hello, 0oaf5u5g4m6CW4x6z0h7!
|
||
|
|
```
|
||
|
|
|
||
|
|
== 3. Testing against other Authorization Servers
|
||
|
|
|
||
|
|
The sample is already prepared to demonstrate integrations with a handful of other Authorization Servers. Do exercise
|
||
|
|
one, simply uncomment two commented out sections, both in the application.yml file:
|
||
|
|
|
||
|
|
```yaml
|
||
|
|
spring:
|
||
|
|
security:
|
||
|
|
oauth2:
|
||
|
|
resourceserver:
|
||
|
|
issuer:
|
||
|
|
```
|
||
|
|
|
||
|
|
First, find the above section in the application.yml. Beneath it, you will see sections for each Authorization Server
|
||
|
|
already prepared with the one for Okta commented out:
|
||
|
|
|
||
|
|
```yaml
|
||
|
|
# master: #keycloak
|
||
|
|
# issuer: http://localhost:8080/auth/realms/master
|
||
|
|
# jwk-set-uri: http://localhost:8080/auth/realms/master/protocol/openid-connect/certs
|
||
|
|
okta:
|
||
|
|
issuer: https://dev-805262.oktapreview.com/oauth2/default
|
||
|
|
jwk-set-uri: https://dev-805262.oktapreview.com/oauth2/default/v1/keys
|
||
|
|
```
|
||
|
|
|
||
|
|
Comment out the `okta` section and uncomment the desired section.
|
||
|
|
|
||
|
|
Second, find the following section, which the sample needs in order to retreive a valid token from the Authorization
|
||
|
|
Server:
|
||
|
|
|
||
|
|
```yaml
|
||
|
|
# ### keycloak
|
||
|
|
# token-uri: http://localhost:8080/auth/realms/master/protocol/openid-connect/token
|
||
|
|
# token-body:
|
||
|
|
# grant_type: client_credentials
|
||
|
|
# client-id: service
|
||
|
|
# client-password: 9114712b-be55-4dab-b270-04734abda1c4
|
||
|
|
# container:
|
||
|
|
# config-file-name: keycloak.config
|
||
|
|
# docker-file-name: keycloak.docker
|
||
|
|
### okta
|
||
|
|
token-uri: https://dev-805262.oktapreview.com/oauth2/default/v1/token
|
||
|
|
token-body:
|
||
|
|
grant_type: client_credentials
|
||
|
|
client-id: 0oaf5u5g4m6CW4x6z0h7
|
||
|
|
client-password: HR7edRoo3glhF06HTxonOKZvO4I2BWYcC_ocOHlv
|
||
|
|
```
|
||
|
|
|
||
|
|
Comment out the `okta` section and uncomment the desired section.
|
||
|
|
|
||
|
|
=== How can I test with my own Authorization Server instance?
|
||
|
|
|
||
|
|
To test with your own Okta or other Authorization Server instance, simply provide the following information:
|
||
|
|
|
||
|
|
```yaml
|
||
|
|
spring.security.oauth2.resourceserver.issuer.name.uri: the issuer uri
|
||
|
|
spring.security.oauth2.resourceserver.issuer.name.jwk-set-uri: the jwk key uri
|
||
|
|
```
|
||
|
|
|
||
|
|
And indicate, using the sample.provider properties, how the sample should generate a valid JWT token:
|
||
|
|
|
||
|
|
```yaml
|
||
|
|
sample.provider.token-uri: the token endpoint
|
||
|
|
sample.provider.token-body.grant_type: the grant to use
|
||
|
|
sample.provider.token-body.another_property: another_value
|
||
|
|
sample.provider.client-id: the client id
|
||
|
|
sample.provider.client-password: the client password, only required for confidential clients
|
||
|
|
```
|
||
|
|
|
||
|
|
You can provide values for any OAuth 2.0-compliant Authorization Server.
|