= OAuth 2.0 Resource Server Sample This sample demonstrates integrations with a handful of different authorization servers. With it, you can run the integration tests or run the application as a stand-alone service to explore how you can secure your own service with OAuth 2.0 Bearer Tokens using Spring Security. == 1. Running the tests To run the tests, do: ```bash ../../../gradlew integrationTest ``` Or import the project into your IDE and run `OAuth2ResourceServerApplicationTests` from there. === What is it doing? By default, the tests are pointing at a demonstration Okta instance. The test that performs a valid round trip does so by querying the Okta Authorization Server using the client_credentials grant type to get a valid JWT token. Then, the test makes a query to the Resource Server with that token. The Resource Server subsquently verifies with Okta and authorizes the request, returning the phrase ```bash Hello, {subject}! ``` where subject is the value of the `sub` field in the JWT returned by the Authorization Server. == 2. Running the app To run as a stand-alone application, do: ```bash ../../../gradlew bootRun ``` Or import the project into your IDE and run `OAuth2ResourceServerApplication` from there. Once it is up, you can retreive a valid JWT token from the authorization server, and then hit the endpoint: ```bash curl -H "Authorization: Bearer {token}" localhost:8081 ``` Which will respond with the phrase: ```bash Hello, {subject}! ``` where `subject` is the value of the `sub` field in the JWT returned by the Authorization Server. === How do I obtain a valid JWT token? Getting a valid JWT token from an Authorization Server will vary, depending on your setup. However, it will typically look something like this: ```bash curl --user {client id}:{client password} -d "grant_type=client_credentials" {auth server endpoint}/token ``` which will respond with a JSON payload containing the `access_token` among other things: ```bash { "access_token" : "{the access token}", "token_type" : "Bearer", "expires_in" : "{an expiry}", "scope" : "{a list of scopes}" } ``` For example, the following can be used to hit the sample Okta endpoint for a valid JWT token: ```bash curl --user 0oaf5u5g4m6CW4x6z0h7:HR7edRoo3glhF06HTxonOKZvO4I2BWYcC_ocOHlv -d "grant_type=client_credentials" https://dev-805262.oktapreview.com/oauth2/default/v1/token ``` Which will give a response similar to this (formatting mine): ```json { "access_token": "eyJraWQiOiJFRjBFWDFFWHZGc1hGaDhuYkRGazNJN0hMUDBsZnJnc0JKMVdBWmkwRmI0IiwiYWxnIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULmtQSUdfMEVMQmM3NVFMN3c4ZHBMVFRtNXZFVFd3d1R2dzJ3aXNISGRMbjgiLCJpc3MiOiJodHRwczovL2Rldi04MDUyNjIub2t0YXByZXZpZXcuY29tL29hdXRoMi9kZWZhdWx0IiwiYXVkIjoicmVzb3VyY2Utc2VydmVyIiwiaWF0IjoxNTI4ODYwMTkxLCJleHAiOjE1Mjg4NjM3OTEsImNpZCI6IjBvYWY1dTVnNG02Q1c0eDZ6MGg3Iiwic2NwIjpbIm9rIl0sInN1YiI6IjBvYWY1dTVnNG02Q1c0eDZ6MGg3In0.G_F9MQ3pqCy-YwfcNhryoPG5E1q4tQ7gV8OIDizR3QouUgrqT7MQsLQCTtGGLF2Fi0qq0Pr-V-wWa2MkyvcboEAhnfYi4rd3UmMrRTrNana6pVZjVWB_uj88-mZ57lFRnoYMCFbepmCxmY6D6p354H964xXWdtY7d6fw7F88DRDWMGQE0iQjMuUDg4izptVcK9db7uMonYTT1PFvOBQfwcn1zCeDVQgZFe7gjQA71CV9M6CIAXYDrpzp_hs95xco7Q3ncN3J7ZkCebLcUL6MdJS2nVuX6D6eC9PrtmCj06mb0-ydlzBSIUCPMaMQk9EhlEM_qK3d1iimCQnwo6KsIQ", "token_type": "Bearer", "expires_in": 3600, "scope": "ok" } ``` Then, using that access token: ```bash curl -H "Authorization: Bearer eyJraWQiOiJFRjBFWDFFWHZGc1hGaDhuYkRGazNJN0hMUDBsZnJnc0JKMVdBWmkwRmI0IiwiYWxnIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULmtQSUdfMEVMQmM3NVFMN3c4ZHBMVFRtNXZFVFd3d1R2dzJ3aXNISGRMbjgiLCJpc3MiOiJodHRwczovL2Rldi04MDUyNjIub2t0YXByZXZpZXcuY29tL29hdXRoMi9kZWZhdWx0IiwiYXVkIjoicmVzb3VyY2Utc2VydmVyIiwiaWF0IjoxNTI4ODYwMTkxLCJleHAiOjE1Mjg4NjM3OTEsImNpZCI6IjBvYWY1dTVnNG02Q1c0eDZ6MGg3Iiwic2NwIjpbIm9rIl0sInN1YiI6IjBvYWY1dTVnNG02Q1c0eDZ6MGg3In0.G_F9MQ3pqCy-YwfcNhryoPG5E1q4tQ7gV8OIDizR3QouUgrqT7MQsLQCTtGGLF2Fi0qq0Pr-V-wWa2MkyvcboEAhnfYi4rd3UmMrRTrNana6pVZjVWB_uj88-mZ57lFRnoYMCFbepmCxmY6D6p354H964xXWdtY7d6fw7F88DRDWMGQE0iQjMuUDg4izptVcK9db7uMonYTT1PFvOBQfwcn1zCeDVQgZFe7gjQA71CV9M6CIAXYDrpzp_hs95xco7Q3ncN3J7ZkCebLcUL6MdJS2nVuX6D6eC9PrtmCj06mb0-ydlzBSIUCPMaMQk9EhlEM_qK3d1iimCQnwo6KsIQ" \ localhost:8081 ``` I get: ```bash Hello, 0oaf5u5g4m6CW4x6z0h7! ``` == 3. Testing against other Authorization Servers The sample is already prepared to demonstrate integrations with a handful of other Authorization Servers. Do exercise one, simply uncomment two commented out sections, both in the application.yml file: ```yaml spring: security: oauth2: resourceserver: issuer: ``` First, find the above section in the application.yml. Beneath it, you will see sections for each Authorization Server already prepared with the one for Okta commented out: ```yaml # master: #keycloak # issuer: http://localhost:8080/auth/realms/master # jwk-set-uri: http://localhost:8080/auth/realms/master/protocol/openid-connect/certs okta: issuer: https://dev-805262.oktapreview.com/oauth2/default jwk-set-uri: https://dev-805262.oktapreview.com/oauth2/default/v1/keys ``` Comment out the `okta` section and uncomment the desired section. Second, find the following section, which the sample needs in order to retreive a valid token from the Authorization Server: ```yaml # ### keycloak # token-uri: http://localhost:8080/auth/realms/master/protocol/openid-connect/token # token-body: # grant_type: client_credentials # client-id: service # client-password: 9114712b-be55-4dab-b270-04734abda1c4 # container: # config-file-name: keycloak.config # docker-file-name: keycloak.docker ### okta token-uri: https://dev-805262.oktapreview.com/oauth2/default/v1/token token-body: grant_type: client_credentials client-id: 0oaf5u5g4m6CW4x6z0h7 client-password: HR7edRoo3glhF06HTxonOKZvO4I2BWYcC_ocOHlv ``` Comment out the `okta` section and uncomment the desired section. === How can I test with my own Authorization Server instance? To test with your own Okta or other Authorization Server instance, simply provide the following information: ```yaml spring.security.oauth2.resourceserver.issuer.name.uri: the issuer uri spring.security.oauth2.resourceserver.issuer.name.jwk-set-uri: the jwk key uri ``` And indicate, using the sample.provider properties, how the sample should generate a valid JWT token: ```yaml sample.provider.token-uri: the token endpoint sample.provider.token-body.grant_type: the grant to use sample.provider.token-body.another_property: another_value sample.provider.client-id: the client id sample.provider.client-password: the client password, only required for confidential clients ``` You can provide values for any OAuth 2.0-compliant Authorization Server.