115 lines
2.9 KiB
Plaintext
115 lines
2.9 KiB
Plaintext
= OAuth 2.0 Resource Server Sample
|
|
|
|
This sample demonstrates integrating Resource Server with a mock Authorization Server, though it can be modified to integrate
|
|
with your favorite Authorization Server.
|
|
|
|
With it, you can run the integration tests or run the application as a stand-alone service to explore how you can
|
|
secure your own service with OAuth 2.0 Opaque Bearer Tokens using Spring Security.
|
|
|
|
== 1. Running the tests
|
|
|
|
To run the tests, do:
|
|
|
|
```bash
|
|
./gradlew integrationTest
|
|
```
|
|
|
|
Or import the project into your IDE and run `OAuth2ResourceServerApplicationTests` from there.
|
|
|
|
=== What is it doing?
|
|
|
|
By default, the tests are pointing at a mock Authorization Server instance.
|
|
|
|
The tests are configured with a set of hard-coded tokens originally obtained from the mock Authorization Server,
|
|
and each makes a query to the Resource Server with their corresponding token.
|
|
|
|
The Resource Server subsquently verifies with the Authorization Server and authorizes the request, returning the phrase
|
|
|
|
```bash
|
|
Hello, subject!
|
|
```
|
|
|
|
where "subject" is the value of the `sub` field in the JWT returned by the Authorization Server.
|
|
|
|
== 2. Running the app
|
|
|
|
To run as a stand-alone application, do:
|
|
|
|
```bash
|
|
./gradlew bootRun
|
|
```
|
|
|
|
Or import the project into your IDE and run `OAuth2ResourceServerApplication` from there.
|
|
|
|
Once it is up, you can use the following token:
|
|
|
|
```bash
|
|
export TOKEN=00ed5855-1869-47a0-b0c9-0f3ce520aee7
|
|
```
|
|
|
|
And then make this request:
|
|
|
|
```bash
|
|
curl -H "Authorization: Bearer $TOKEN" localhost:8080
|
|
```
|
|
|
|
Which will respond with the phrase:
|
|
|
|
```bash
|
|
Hello, subject!
|
|
```
|
|
|
|
where `subject` is the value of the `sub` field in the JWT returned by the Authorization Server.
|
|
|
|
Or this:
|
|
|
|
```bash
|
|
export TOKEN=b43d1500-c405-4dc9-b9c9-6cfd966c34c9
|
|
|
|
curl -H "Authorization: Bearer $TOKEN" localhost:8080/message
|
|
```
|
|
|
|
Will respond with:
|
|
|
|
```bash
|
|
secret message
|
|
```
|
|
|
|
== 2. Testing against other Authorization Servers
|
|
|
|
_In order to use this sample, your Authorization Server must support Opaque Tokens and the Introspection Endpoint.
|
|
|
|
To change the sample to point at your Authorization Server, simply find this property in the `application.yml`:
|
|
|
|
```yaml
|
|
spring:
|
|
security:
|
|
oauth2:
|
|
resourceserver:
|
|
opaque:
|
|
introspection-uri: ${mockwebserver.url}/introspect
|
|
introspection-client-id: client
|
|
introspection-client-secret: secret
|
|
```
|
|
|
|
And change the property to your Authorization Server's Introspection endpoint, including its client id and secret:
|
|
|
|
```yaml
|
|
spring:
|
|
security:
|
|
oauth2:
|
|
resourceserver:
|
|
opaque:
|
|
introspection-uri: ${mockwebserver.url}/introspect
|
|
```
|
|
|
|
And then you can run the app the same as before:
|
|
|
|
```bash
|
|
./gradlew bootRun
|
|
```
|
|
|
|
Make sure to obtain valid tokens from your Authorization Server in order to play with the sample Resource Server.
|
|
To use the `/` endpoint, any valid token from your Authorization Server will do.
|
|
To use the `/message` endpoint, the token should have the `message:read` scope.
|