Last November 8 Spring officials have strongly recommended to use Spring Authorization Server to replace the outdated Spring Security OAuth2.0. With not much time left before Spring Security OAuth2.0 ends its lifecycle, it’s time to make a change. Now that Spring Authorization Server is in production readiness, it’s time to learn it.
The current Spring Security architecture
Spring Security 5.x modularizes OAuth2.0 Client and OAuth2.0 Resource Server. Spring Security is a mandatory dependency.
If you want to add OAuth2.0 Client support, you can add the following dependency.
If you need OAuth2.0 Resource Server support, you can add the dependency.
Now if you want to add OAuth2.0 Authorization Server support, you can add the following dependency.
Spring Authorization Server
Our focus is back on Spring Authorization Server, which is currently production-ready. After a few days of research, a simple DEMO has been created to help developers who wish to learn the framework to understand it.
The flow of the DEMO
This DEMO will demonstrate the authorization code pattern of OAuth 2.0 (
authorization_code). Here is divided into two projects ;
- oauth2-client project, as the name implies as OAuth2.0 Client, initiates the authorization request to the authorization server.
- oauth2-server project, an authorization server built on Spring Authorization Server, which provides authorization services.
The user first initiates a request to the oauth2-client via the
OAuth2AuthorizationRequestRedirectFilter and assembled into the following request link to the authorization server oauth2-server to initiate authorization code authorization.
The authorization server oauth2-server intercepts the request and first checks if the current user who initiated the request is authenticated. If not authenticated it responds with a 401 status code, redirects to the authorization server’s login page, and then the user performs the login.
After successfully logging in, a 302 redirect is made and the authorization request
/oauth2/authorize continues to be executed. This will determine whether the authorization request requires user authorization confirmation, in this DEMO user authorization is required to be confirmed twice and will be redirected to the following page.
After agreeing to the authorization, the authorization server calls
redirect_uri with a
state to make a request to oauth2-client:
OAuth2AuthorizationCodeGrantFilter of oauth2-client intercepts the
redirect_uri and initiates the
/oauth2/token request to the authorization server.
The authentication method used here is
client-authentication-method: client_secret_basicmethod, see OAuth2.0 protocol for details.
The authorization server returns the Token to the client to complete the request, and the authentication client information is as follows.
This completes the entire authorization code process based on Spring Authorization Server.