28.1 OAuth2
If you have spring-security-oauth2 on your classpath you can take advantage of some auto-configuration to make it easy to set up an Authorization Server or a Resource Server. For full details, see the Spring Security OAuth 2 Developers Guide.
28.1.1 Authorization Server
To create an Authorization Server and grant access tokens you need to use @EnableAuthorizationServer and provide the security.oauth2.client.client-id and security.oauth2.client.client-secret properties. The client will be registered for you in an in-memory repository.
Having done that you will be able to use the client credentials (together with a user's credentials, for the password grant) to create an access token, for example:
$ curl client:secret@localhost:8080/oauth/token -d grant_type=password -d username=user -d password=pwd
The basic auth credentials for the /oauth/token endpoint are the client-id and client-secret. The user credentials are the normal Spring Security user details (which default in Spring Boot to “user” and a random password that is printed in the log at startup). Both the client secret and the user password travel in this request, so the token endpoint should only be reachable over HTTPS.
To switch off the auto-configuration and configure the Authorization Server features yourself just add a @Bean of type AuthorizationServerConfigurer.
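The following is an added example, not code from the Spring Boot reference or from the Spring Security OAuth project, of taking that second route: a bean of type AuthorizationServerConfigurer (via the AuthorizationServerConfigurerAdapter base class) that registers a single in-memory client explicitly, so the auto-configured registration is switched off. It assumes Spring Boot 1.5 with spring-security-oauth2 on the classpath, that Boot's auto-configured AuthenticationManager bean is available for injection (it is what validates the user's password for the password grant), and placeholder values for the package name, client id and secret.

```java
package example.auth;   // hypothetical package name

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;

@SpringBootApplication
public class AuthServerApplication {
    public static void main(String[] args) {
        SpringApplication.run(AuthServerApplication.class, args);
    }
}

// Because this is a bean of type AuthorizationServerConfigurer, Spring Boot no
// longer registers the security.oauth2.client.* client for you: every client,
// grant type and token lifetime below is explicit.
@Configuration
@EnableAuthorizationServer
class AuthServerConfig extends AuthorizationServerConfigurerAdapter {

    // Auto-configured by Spring Boot 1.5 (assumption); backed by the default
    // "user" account or by whatever UserDetailsService you define.
    @Autowired
    private AuthenticationManager authenticationManager;

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
            .withClient("client")                                // placeholder client-id
            .secret("secret")                                    // placeholder; load from the environment in practice
            .authorizedGrantTypes("password", "refresh_token")   // only the grants this client really needs
            .scopes("read")
            .accessTokenValiditySeconds(600)                     // short-lived access tokens (10 minutes)
            .refreshTokenValiditySeconds(3600);                  // refresh tokens live one hour
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
        // Required for the password grant: the token endpoint hands the
        // username/password to this manager.
        endpoints.authenticationManager(authenticationManager);
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) {
        // /oauth/check_token is denied to everyone by default. Open it to
        // authenticated clients so a standalone Resource Server configured with
        // security.oauth2.resource.token-info-uri can introspect tokens.
        security.checkTokenAccess("isAuthenticated()");
    }
}
```

With this in place the curl command above works unchanged (client "client", secret "secret", grant_type=password), but a request with grant_type=client_credentials or implicit is rejected because the client was not authorized for those grants.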
28.1.2 Resource Server
To use the access token you need a Resource Server (which can be the same as the Authorization Server). Creating a Resource Server is easy: just add @EnableResourceServer and provide some configuration to allow the server to decode access tokens. If your application is also an Authorization Server it already knows how to decode tokens, so there is nothing else to do. If your app is a standalone service then you need to give it some more configuration, one of the following options:
- security.oauth2.resource.user-info-uri to use the /me resource (e.g. https://uaa.run.pivotal.io/userinfo on PWS)
- security.oauth2.resource.token-info-uri to use the token decoding endpoint (e.g. https://uaa.run.pivotal.io/check_token on PWS).
If you specify both the user-info-uri and the token-info-uri then you can set a flag, security.oauth2.resource.prefer-token-info, to say that one is preferred over the other (prefer-token-info=true is the default).
Alternatively (instead of user-info-uri or token-info-uri) if the tokens are JWTs you can configure a security.oauth2.resource.jwt.key-value to decode them locally (where the key is a verification key). The verification key value is either a symmetric secret or a PEM-encoded RSA public key. A symmetric secret is also the signing key, so it must be shared with the Authorization Server and protected accordingly; an RSA public key can be distributed freely. If you don’t have the key and it’s public you can provide a URI where it can be downloaded (as a JSON object with a “value” field) with security.oauth2.resource.jwt.key-uri. E.g. on PWS:
$ curl https://uaa.run.pivotal.io/token_key
{"alg":"SHA256withRSA","value":"-----BEGIN PUBLIC KEY-----\nMIIBI...\n-----END PUBLIC KEY-----\n"}
Warning: If you use the security.oauth2.resource.jwt.key-uri the authorization server needs to be running when your application starts up. It will log a warning if it can’t find the key, and tell you what to do to fix it.
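The following is an added example, not code from the Spring Boot reference or the Spring Security OAuth project, of a standalone Resource Server that decodes JWTs locally with the key-uri option described above and then restricts access by scope. It assumes Spring Boot 1.5 with spring-security-oauth2 on the classpath; the package name, the token_key URL in the properties comment, the /api and /public paths and the "read" scope are placeholders chosen for the example.

```java
package example.resource;   // hypothetical package name

import java.util.LinkedHashMap;
import java.util.Map;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

// application.properties for this standalone Resource Server (JWT tokens).
// Fetch the public verification key from the Authorization Server at startup
// (URL is an assumption for the example; the server must be up when this app boots):
//   security.oauth2.resource.jwt.key-uri=https://auth.example.com/oauth/token_key
// or, if you already hold the PEM public key, embed it and avoid the startup dependency:
//   security.oauth2.resource.jwt.key-value=-----BEGIN PUBLIC KEY-----\nMIIBI...\n-----END PUBLIC KEY-----
// Neither the key-uri nor the token-info-uri/user-info-uri options are used here
// for the token itself: signatures are checked locally, no call per request.

@SpringBootApplication
public class ResourceServerApplication {
    public static void main(String[] args) {
        SpringApplication.run(ResourceServerApplication.class, args);
    }
}

// Supplying a ResourceServerConfigurer replaces Boot's default rule of
// "every request needs a valid token" with the explicit rules below.
@Configuration
@EnableResourceServer
class ResourceServerConfig extends ResourceServerConfigurerAdapter {
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers("/public/**").permitAll()
            // The #oauth2 expression handler is installed by @EnableResourceServer;
            // a valid token without the "read" scope is rejected with 403.
            .antMatchers("/api/**").access("#oauth2.hasScope('read')")
            .anyRequest().authenticated();
    }
}

@RestController
class WhoAmIController {
    // Returns what the decoded token says about the caller, useful for
    // checking that the key configuration actually verifies the JWT.
    @GetMapping("/api/whoami")
    public Map<String, Object> whoami(Authentication authentication) {
        Map<String, Object> body = new LinkedHashMap<>();
        body.put("user", authentication.getName());
        if (authentication instanceof OAuth2Authentication) {
            OAuth2Authentication oauth = (OAuth2Authentication) authentication;
            body.put("client", oauth.getOAuth2Request().getClientId());
            body.put("scopes", oauth.getOAuth2Request().getScope());
        }
        return body;
    }

    @GetMapping("/public/ping")
    public String ping() {
        return "pong";
    }
}
```

To exercise it, obtain a token from the Authorization Server as shown earlier in this section and send it as a bearer token, e.g. curl -H "Authorization: Bearer $TOKEN" http://localhost:8081/api/whoami (port assumed). A tampered or expired JWT is rejected before the controller runs, and /public/ping answers without any token.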