What is OAuth2-based authentication and authorization in Spring

OAuth2 allows third-party applications to receive a limited access to an HTTP service which is either on behalf of a resource owner or by allowing a third-party application obtain access on its own behalf. Thanks to OAuth2, service providers and consumer applications can interact with each other in a secury way.

Workflow

There are a couple of steps that are taken before the user’s protected data can be accessed from external applications.

1. The user is taken to the service provider server
   1. e.g. Facebook or LinkedIn
2. The user has to give permission to the external application to be able to access resources such as reading or even writing  in relation to his/her data.
3. The access token is being sent by the authorization server to the consumer app.
4. Now, the external app can access the user’s protected data from the resource server.

Terminology of different Roles

In OAuth2, there are 4 roles:

1. Resource Owner
   1. the user
2. Resource Server
   1. the server that hosts the protected resources and provides access to it based on the access token
3. Client
   1. the external app that seeks permission
4. Authorization Server
   1. issues the access token after having authenticated the user

Different tokens

There are 2 types of tokens:

1. Access token
   1. provided by the authorization server based on the user authentication
   2. allows the user data be accessed by a third-party application
2. Refresh token
   1. used to acquire new access token when the original token expires, hence the name
   2. due to security reasons however, it is not always possible to obtain this token

@EnableOAuth2Sso

@Configuration
@EnableZuulProxy
@EnableOAuth2Sso
@Order(value = 0)
public class AppConfiguration extends WebSecurityConfigurerAdapter {
 
    @Autowired
    private ResourceServerTokenServices resourceServerTokenServices;
 
    @Override
    public void configure(HttpSecurity http) throws Exception { 
            http.csrf()
            .disable()
            .authorizeRequests()
            .antMatchers("/auth-server/**", "/login")
            .permitAll()
            .anyRequest()
            .authenticated()
            .and()
            .logout()
            .permitAll()
            .logoutSuccessUrl("/");
    }
}

The @EnableOAuth2Sso annotation notifies Spring to conifugre an OAuth2TokenRelayFilter. This filter retrieves already obtained access tokens from the user’s HTTP sessions and populates them.

The @Order annotation’s job is to make sure that Filters that have been created by our WebSecurityConfigurerAdapter are with priority to Filters that have been created by another WebSecurityConfigurerAdapter.

@EnableResourceServer

Now, let’s set up our resource server.

@SpringBootApplication
@EnableResourceServer
@Controller
@RequestMapping("/")
class ResourceServerImplementation {
 
    public static void main(String[] args) {
        SpringApplication.run(ResourceServerImplementation.class, args);
    }
 
    @RequestMapping(method = RequestMethod.GET)
    @ResponseBody
    public String greetPrincipal(Principal principal) {
        return "Greetings, " + principal.getName();
    }
}

This application returns the name of the Principal that initiated that request. Again, we need a valid access token to be able to access the endpoint of our Resource Server.

These 2 code snippets are taken from here.