Cwikius-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
spring-security/samples/boot/oauth2resourceserver-webflux
History
Rob Winch 0dc80aed40 Flatten ServerHttpSecurity.oauth2() 
Fixes: gh-5712
 		2018-08-21 15:48:41 -05:00
..
src Flatten ServerHttpSecurity.oauth2() 2018-08-21 15:48:41 -05:00
README.adoc Add Sample 2018-07-30 11:39:50 -05:00
spring-security-samples-boot-oauth2resourceserver-webflux.gradle Add Sample 2018-07-30 11:39:50 -05:00

README.adoc 

= OAuth 2.0 Resource Server Sample

This sample demonstrates integrations with a handful of different authorization servers.

With it, you can run the integration tests or run the application as a stand-alone service to explore how you can
secure your own service with OAuth 2.0 Bearer Tokens using Spring Security.

== 1. Running the tests

To run the tests, do:

```bash
../../../gradlew integrationTest
```

Or import the project into your IDE and run `OAuth2ResourceServerApplicationTests` from there.

=== What is it doing?

By default, the tests are pointing at a demonstration Okta instance. The test that performs a valid round trip does so
by querying the Okta Authorization Server using the client_credentials grant type to get a valid JWT token. Then, the test
makes a query to the Resource Server with that token. The Resource Server subsquently verifies with Okta and
authorizes the request, returning the phrase

```bash
Hello, {subject}!
```

where subject is the value of the `sub` field in the JWT returned by the Authorization Server.

== 2. Running the app

To run as a stand-alone application, do:

```bash
../../../gradlew bootRun
```

Or import the project into your IDE and run `OAuth2ResourceServerApplication` from there.

Once it is up, you can retreive a valid JWT token from the authorization server, and then hit the endpoint:

```bash
curl -H "Authorization: Bearer {token}" localhost:8081
```

Which will respond with the phrase:

```bash
Hello, {subject}!
```

where `subject` is the value of the `sub` field in the JWT returned by the Authorization Server.

=== How do I obtain a valid JWT token?

Getting a valid JWT token from an Authorization Server will vary, depending on your setup. However, it will typically
look something like this:

```bash
curl --user {client id}:{client password} -d "grant_type=client_credentials" {auth server endpoint}/token
```

which will respond with a JSON payload containing the `access_token` among other things:

```bash
{ "access_token" : "{the access token}", "token_type" : "Bearer", "expires_in" : "{an expiry}", "scope" : "{a list of scopes}" }
```

For example, the following can be used to hit the sample Okta endpoint for a valid JWT token:

```bash
curl --user 0oaf5u5g4m6CW4x6z0h7:HR7edRoo3glhF06HTxonOKZvO4I2BWYcC_ocOHlv -d "grant_type=client_credentials" https://dev-805262.oktapreview.com/oauth2/default/v1/token
```

Which will give a response similar to this (formatting mine):

```json
{
  "access_token": "eyJraWQiOiJFRjBFWDFFWHZGc1hGaDhuYkRGazNJN0hMUDBsZnJnc0JKMVdBWmkwRmI0IiwiYWxnIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULmtQSUdfMEVMQmM3NVFMN3c4ZHBMVFRtNXZFVFd3d1R2dzJ3aXNISGRMbjgiLCJpc3MiOiJodHRwczovL2Rldi04MDUyNjIub2t0YXByZXZpZXcuY29tL29hdXRoMi9kZWZhdWx0IiwiYXVkIjoicmVzb3VyY2Utc2VydmVyIiwiaWF0IjoxNTI4ODYwMTkxLCJleHAiOjE1Mjg4NjM3OTEsImNpZCI6IjBvYWY1dTVnNG02Q1c0eDZ6MGg3Iiwic2NwIjpbIm9rIl0sInN1YiI6IjBvYWY1dTVnNG02Q1c0eDZ6MGg3In0.G_F9MQ3pqCy-YwfcNhryoPG5E1q4tQ7gV8OIDizR3QouUgrqT7MQsLQCTtGGLF2Fi0qq0Pr-V-wWa2MkyvcboEAhnfYi4rd3UmMrRTrNana6pVZjVWB_uj88-mZ57lFRnoYMCFbepmCxmY6D6p354H964xXWdtY7d6fw7F88DRDWMGQE0iQjMuUDg4izptVcK9db7uMonYTT1PFvOBQfwcn1zCeDVQgZFe7gjQA71CV9M6CIAXYDrpzp_hs95xco7Q3ncN3J7ZkCebLcUL6MdJS2nVuX6D6eC9PrtmCj06mb0-ydlzBSIUCPMaMQk9EhlEM_qK3d1iimCQnwo6KsIQ",
  "token_type": "Bearer",
  "expires_in": 3600,
  "scope": "ok"
}
```

Then, using that access token:

```bash
curl -H  "Authorization: Bearer eyJraWQiOiJFRjBFWDFFWHZGc1hGaDhuYkRGazNJN0hMUDBsZnJnc0JKMVdBWmkwRmI0IiwiYWxnIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULmtQSUdfMEVMQmM3NVFMN3c4ZHBMVFRtNXZFVFd3d1R2dzJ3aXNISGRMbjgiLCJpc3MiOiJodHRwczovL2Rldi04MDUyNjIub2t0YXByZXZpZXcuY29tL29hdXRoMi9kZWZhdWx0IiwiYXVkIjoicmVzb3VyY2Utc2VydmVyIiwiaWF0IjoxNTI4ODYwMTkxLCJleHAiOjE1Mjg4NjM3OTEsImNpZCI6IjBvYWY1dTVnNG02Q1c0eDZ6MGg3Iiwic2NwIjpbIm9rIl0sInN1YiI6IjBvYWY1dTVnNG02Q1c0eDZ6MGg3In0.G_F9MQ3pqCy-YwfcNhryoPG5E1q4tQ7gV8OIDizR3QouUgrqT7MQsLQCTtGGLF2Fi0qq0Pr-V-wWa2MkyvcboEAhnfYi4rd3UmMrRTrNana6pVZjVWB_uj88-mZ57lFRnoYMCFbepmCxmY6D6p354H964xXWdtY7d6fw7F88DRDWMGQE0iQjMuUDg4izptVcK9db7uMonYTT1PFvOBQfwcn1zCeDVQgZFe7gjQA71CV9M6CIAXYDrpzp_hs95xco7Q3ncN3J7ZkCebLcUL6MdJS2nVuX6D6eC9PrtmCj06mb0-ydlzBSIUCPMaMQk9EhlEM_qK3d1iimCQnwo6KsIQ" \
  localhost:8081
```

I get:

```bash
Hello, 0oaf5u5g4m6CW4x6z0h7!
```

== 3. Testing against other Authorization Servers

The sample is already prepared to demonstrate integrations with a handful of other Authorization Servers. Do exercise
one, simply uncomment two commented out sections, both in the application.yml file:

```yaml
spring:
  security:
    oauth2:
      resourceserver:
        issuer:
```

First, find the above section in the application.yml. Beneath it, you will see sections for each Authorization Server
already prepared with the one for Okta commented out:

```yaml
#          master: #keycloak
#            issuer: http://localhost:8080/auth/realms/master
#            jwk-set-uri: http://localhost:8080/auth/realms/master/protocol/openid-connect/certs
          okta:
            issuer: https://dev-805262.oktapreview.com/oauth2/default
            jwk-set-uri: https://dev-805262.oktapreview.com/oauth2/default/v1/keys
```

Comment out the `okta` section and uncomment the desired section.

Second, find the following section, which the sample needs in order to retreive a valid token from the Authorization
Server:

```yaml
#  ### keycloak
#  token-uri: http://localhost:8080/auth/realms/master/protocol/openid-connect/token
#  token-body:
#    grant_type: client_credentials
#  client-id: service
#  client-password: 9114712b-be55-4dab-b270-04734abda1c4
#  container:
#    config-file-name: keycloak.config
#    docker-file-name: keycloak.docker
  ### okta
  token-uri: https://dev-805262.oktapreview.com/oauth2/default/v1/token
  token-body:
    grant_type: client_credentials
  client-id: 0oaf5u5g4m6CW4x6z0h7
  client-password: HR7edRoo3glhF06HTxonOKZvO4I2BWYcC_ocOHlv
```

Comment out the `okta` section and uncomment the desired section.

=== How can I test with my own Authorization Server instance?

To test with your own Okta or other Authorization Server instance, simply provide the following information:

```yaml
spring.security.oauth2.resourceserver.issuer.name.uri: the issuer uri
spring.security.oauth2.resourceserver.issuer.name.jwk-set-uri: the jwk key uri
```

And indicate, using the sample.provider properties, how the sample should generate a valid JWT token:

```yaml
sample.provider.token-uri: the token endpoint
sample.provider.token-body.grant_type: the grant to use
sample.provider.token-body.another_property: another_value
sample.provider.client-id: the client id
sample.provider.client-password: the client password, only required for confidential clients
```

You can provide values for any OAuth 2.0-compliant Authorization Server.