Oauth2 Step By Step Save
Step by step code examples for blog post on voxxed.com. Each branch is a working example. Create your own custom OAuth2 configuration and play with spring-boot and spring-oauth
This repo has been started by @syjer as oauthtest, to cleanup history and make it cleaner for a blog post I created this new Repo
This example is based on the following resources:
- http://stytex.de/blog/2016/02/01/spring-cloud-security-with-oauth2/
- https://github.com/spring-cloud-samples/authserver/blob/master/src/main/java/demo/AuthserverApplication.java
- http://projects.spring.io/spring-security-oauth/docs/oauth2.html
- https://github.com/spring-guides/tut-spring-boot-oauth2/
- https://github.com/spring-guides/tut-spring-security-and-angular-js/tree/master/oauth2
- https://github.com/spring-guides/tut-spring-security-and-angular-js/tree/master/oauth2-vanilla
- https://spring.io/blog/2015/11/30/migrating-oauth2-apps-from-spring-boot-1-2-to-1-3
How to test:
-
$
cd authorization-server;mvn spring-boot:run -
$
cd resource-server;mvn spring-boot:run -
Obtain token with: $
curl service-account-1:service-account-1-secret@localhost:8080/auth/oauth/token -d grant_type=client_credentialsand save it in TOKEN=....... -
Access the resource with: $
curl -H "Authorization: Bearer $TOKEN" -v localhost:9090 -
Update the resource with: $
curl -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" -X POST -d "Bonjour" -v localhost:9090 -
$
cd webapp-server;mvn spring-boot:run -
go to localhost:9999 and use the UI :).
You can load the message from backend server, then submit a new one and try to reload. All calls are using JWT, AS is called only the first time, RS checks the client has correct scopes. If token expires it automatically goes to AS to get a new one.
For generating your own key (as written in the stytex.de blog):
keytool -genkeypair -alias jwt -keyalg RSA -dname "CN=jwt, L=Lugano, S=Lugano, C=CH" -keypass mySecretKey -keystore jwt.jks -storepass mySecretKey
copy jwt.jks in authorization-server/src/main/resources/jwk.jks
Notes:
- Resource server fetch the pubkey of the authentication server, so in production it must be over a secure channel :)
- If the authentication server is down, and a resource server is launched, the fetch of the public key will fail (but a log message will be written), see https://github.com/spring-projects/spring-security-oauth/issues/734 issue
Open Source Agenda Badge
