In this chapter, we will introduce the following recipes:
- Use authorization codes to grant types to protect resources
- Support implicit grant type
- Use the "Resource Owner Password Credential" grant type as a method of OAuth 2.0 migration
- Configure the client credential grant type
- Add support for refresh token
- Use a relational database to store tokens and customer details
- Use Redis as token storage
- Implement customer registration
- Break the OAuth 2.0 provider in the middle
- Use Gatling to load test the token verification process using a shared database
Introduction
Today, we have some scenarios that require applications to interact with a large number of services, and must also provide services distributed throughout the network in the form of APIs. Nonetheless, users of our application are usually allowed to grant permissions to third-party applications, in which case OAuth 2.0 proves to be a good choice.
In this chapter, you will learn how to use all the grant types described in the OAuth 2.0 specification to create, configure and distribute OAuth 2.0 providers covering different scenarios, and how to use different access token management strategies (NoSQL database) through relational databases and Redis ). All recipes in this chapter will be implemented using Spring Security OAuth2. At the time of writing, this version is 2.2.0.RELEASE version (please check the official documentation about Spring Security OAuth2 in http: // projects. Spring.io/spring -security-oauth / docs / oauth2.html). Because of the large amount of integration between applications today, it is important to learn how to configure your own OAuth 2.0 provider. In addition, by reading this chapter, you can actually apply all the OAuth 2.0 details in the specification by using Spring Security OAuth2.
Remember to use TLS / SSL in production to always protect all transmission data between the client and the OAuth 2.0 provider. All recipes in this book must take this into consideration, so when running production OAuth 2.0 applications, make sure to use TLS / SSL.
Use authorization codes to grant types to protect resources
This recipe shows you how to configure the most famous OAuth 2.0 authorization type, which is the authorization code authorization type. After configuring an OAuth 2.0 provider consisting of an authorization server and a resource server, the application built with this recipe will provide all necessary authorizations of the resource owner for resource usage (resources can be obtained through APIs protected by the resource server).
be prepared
To run this recipe, you can use your preferred IDE, and Java 8 and Maven must be installed. To run the example, I recommend that you use the command line tool CURL, or install Postman, an application that allows HTTP requests to be created in an intuitive manner. If you want to use Postman, you can download the installation file from https://www.getpostman.com/. This recipe will use Spring Security OAuth2 Framework and keep it as much as possible, we will not add any database support for the time being. In other words, we will use the memory configuration to store client details and access tokens. The source code for this recipe can be obtained from https://github.com/PacktPublishing/OAuth-2.0-Cookbook/tree/master/Chapter02/auth-code-server.
How to do it
The following steps will guide you to configure the authorization server and resource server using Spring Security OAuth2, thus avoiding you having to write the OAuth 2.0 provider from scratch (this will be very useless and prone to security failures):
Add the following note to the OAuth2AuthorizationServer class and extend the AuthorizationServerConfigurerAdapter class from the Spring Security OAuth2 project:
Open the UserController.java class and add the @Controller annotation at the beginning of the class declaration, as shown below:
You may notice that Spring provides us with some annotations, such as @Controller, @Service and @Component. Some annotations (such as @Service and @Component) only define the declared class as a Spring managed bean (managed by Spring, allowing the use of dependency injection mechanisms). The @Controller annotation is a specialization of the @Component annotation, which adds semantics to Web controllers that can map endpoints to Java source code.
Now, let's add the corresponding method, which will provide the endpoints protected by OAuth 2.0, as shown in the following code (import the User class from the package org.springframework.security.core.userdetails):
After the endpoint is protected by OAuth 2.0, let's create the OAuth 2.0 authorization server configuration by creating the OAuth2AuthorizationServer class in the com.packt.example.authcodeserver.config package.
To configure all client details data, override the configure method, which allows you to customize the ClientDetailsServiceConfigurer instance:
At present, with the permission granted by the user, the application is ready to start issuing access tokens. But in order to allow access to the user's resources (the resource owner configuration file for this recipe), we need to create a resource server configuration by declaring the OAuth2ResourceServer class in the same package as OAuth2AuthorizationServer.
Then, add the following comment for OAuth2ResourceServer at the class level, as shown below:
In order to start protecting the user's profile endpoint, please add the following configuration method in the OAuth2ResourceServer class:
The application is ready to issue access tokens and verify access tokens through the use of APIs.
