mirror of
https://github.com/spring-projects/spring-security.git
synced 2026-03-20 13:31:06 +00:00
b1195e7789
Introducing OAuth2TokenIntrospectionClient and also ReactiveOAuth2TokenIntrospectionClient as configuration points. The DSL looks in the application context for these types in the same way it looks for JwtDecoder and ReactiveJwtDecoder, and exposes similar configuration methods. Fixes: gh-6632
= OAuth 2.0 Resource Server Sample
This sample demonstrates integrating Resource Server with a mock Authorization Server, though it can be modified to integrate
with your favorite Authorization Server.
With it, you can run the integration tests or run the application as a stand-alone service to explore how you can
secure your own service with OAuth 2.0 Bearer Tokens using Spring Security.
== 1. Running the tests
To run the tests, do:
```bash
./gradlew integrationTest
```
Or import the project into your IDE and run `OAuth2ResourceServerApplicationTests` from there.
=== What is it doing?
By default, the tests are pointing at a mock Authorization Server instance.
The tests are configured with a set of hard-coded tokens originally obtained from the mock Authorization Server,
and each makes a query to the Resource Server with their corresponding token.
The Resource Server subsquently verifies with the Authorization Server and authorizes the request, returning the phrase
```bash
Hello, subject!
```
where "subject" is the value of the `sub` field in the JWT returned by the Authorization Server.
== 2. Running the app
To run as a stand-alone application, do:
```bash
./gradlew bootRun
```
Or import the project into your IDE and run `OAuth2ResourceServerApplication` from there.
Once it is up, you can use the following token:
```bash
export TOKEN=eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJzdWJqZWN0IiwiZXhwIjo0NjgzODA1MTI4fQ.ULEPdHG-MK5GlrTQMhgqcyug2brTIZaJIrahUeq9zaiwUSdW83fJ7W1IDd2Z3n4a25JY2uhEcoV95lMfccHR6y_2DLrNvfta22SumY9PEDF2pido54LXG6edIGgarnUbJdR4rpRe_5oRGVa8gDx8FnuZsNv6StSZHAzw5OsuevSTJ1UbJm4UfX3wiahFOQ2OI6G-r5TB2rQNdiPHuNyzG5yznUqRIZ7-GCoMqHMaC-1epKxiX8gYXRROuUYTtcMNa86wh7OVDmvwVmFioRcR58UWBRoO1XQexTtOQq_t8KYsrPZhb9gkyW8x2bAQF-d0J0EJY8JslaH6n4RBaZISww
```
And then make this request:
```bash
curl -H "Authorization: Bearer $TOKEN" localhost:8080
```
Which will respond with the phrase:
```bash
Hello, subject!
```
where `subject` is the value of the `sub` field in the JWT returned by the Authorization Server.
Or this:
```bash
export TOKEN=eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJzdWJqZWN0Iiwic2NvcGUiOiJtZXNzYWdlOnJlYWQiLCJleHAiOjQ2ODM4MDUxNDF9.h-j6FKRFdnTdmAueTZCdep45e6DPwqM68ZQ8doIJ1exi9YxAlbWzOwId6Bd0L5YmCmp63gGQgsBUBLzwnZQ8kLUgUOBEC3UzSWGRqMskCY9_k9pX0iomX6IfF3N0PaYs0WPC4hO1s8wfZQ-6hKQ4KigFi13G9LMLdH58PRMK0pKEvs3gCbHJuEPw-K5ORlpdnleUTQIwINafU57cmK3KocTeknPAM_L716sCuSYGvDl6xUTXO7oPdrXhS_EhxLP6KxrpI1uD4Ea_5OWTh7S0Wx5LLDfU6wBG1DowN20d374zepOIEkR-Jnmr_QlR44vmRqS5ncrF-1R0EGcPX49U6A
curl -H "Authorization: Bearer $TOKEN" localhost:8080/message
```
Will respond with:
```bash
secret message
```
== 2. Testing against other Authorization Servers
_In order to use this sample, your Authorization Server must support JWTs that either use the "scope" or "scp" attribute._
To change the sample to point at your Authorization Server, simply find this property in the `application.yml`:
```yaml
spring:
security:
oauth2:
resourceserver:
jwt:
jwk-set-uri: ${mockwebserver.url}/.well-known/jwks.json
```
And change the property to your Authorization Server's JWK set endpoint:
```yaml
spring:
security:
oauth2:
resourceserver:
jwt:
jwk-set-uri: https://dev-123456.oktapreview.com/oauth2/default/v1/keys
```
And then you can run the app the same as before:
```bash
./gradlew bootRun
```
Make sure to obtain valid tokens from your Authorization Server in order to play with the sample Resource Server.
To use the `/` endpoint, any valid token from your Authorization Server will do.
To use the `/message` endpoint, the token should have the `message:read` scope.