
On November 8 the Spring team strongly recommended replacing the deprecated Spring Security OAuth 2.0 project with Spring Authorization Server. With not much time left before Spring Security OAuth 2.0 reaches end of life, it is time to migrate. Now that Spring Authorization Server is production-ready, it is time to learn it.

The current Spring Security architecture

Spring Security 5.x splits OAuth 2.0 Client and OAuth 2.0 Resource Server support into separate modules. Spring Security itself is a mandatory dependency.

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>

If you want OAuth 2.0 Client support, add the following dependency.

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-oauth2-client</artifactId>
</dependency>

If you need OAuth 2.0 Resource Server support, add this dependency.

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
</dependency>

And if you want OAuth 2.0 Authorization Server support, add the following dependency (note that it is published under the org.springframework.security group, not as a Boot starter).

<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-oauth2-authorization-server</artifactId>
    <version>0.2.1</version>
</dependency>

Spring Authorization Server

Back to Spring Authorization Server, which is now production-ready. After a few days of study, a simple DEMO was put together to help developers who want to learn the framework understand how it works.

The flow of the DEMO

This DEMO demonstrates the OAuth 2.0 authorization code grant (authorization_code). It is divided into two projects:

  • oauth2-client project: as the name implies, the OAuth 2.0 Client; it initiates the authorization request to the authorization server.
  • oauth2-server project: an authorization server built on Spring Authorization Server, which provides the authorization service.

The user first sends a request to oauth2-client at the /oauth2/authorization/{registrationId} endpoint.

GET /oauth2/authorization/felord HTTP/1.1
Host: 127.0.0.1:8080

OAuth2AuthorizationRequestRedirectFilter intercepts it, generates a random state value that it stores in the session, and redirects the browser to the authorization server oauth2-server with the following request, which starts the authorization code flow:

GET /oauth2/authorize?response_type=code&client_id=felord-client&scope=message.read%20message.write&state=0CI0ziUDEnqMgqW0nzRNRCzLrs-9IMbqJzGZ47Zb0gY%3D&redirect_uri=http://127.0.0.1:8080/foo/bar HTTP/1.1
Host: localhost:9000

The authorization server oauth2-server intercepts the request and first checks whether the user making it is already authenticated. If not, it redirects the browser to the authorization server's login page, and the user logs in:

POST /login HTTP/1.1
Host: localhost:9000
Content-Type: application/x-www-form-urlencoded

username=felord&password=password&_csrf=301a7baf-9e9a-4b17-acd4-613c809bf7f5

After a successful login, a 302 redirect sends the browser back to /oauth2/authorize and the authorization request continues. The server now determines whether the request needs the user's explicit consent; in this DEMO the client is configured to require consent, so the user is redirected to the following page:

[image: authorization consent page]

After the user approves, the authorization server redirects the browser to redirect_uri with the code and the state, which lands at oauth2-client:

GET /foo/bar?code=MCSJnvhXNyjilBaCyw1sCrrArWk1bzsEdxe5Z3EFbkdLwp8ASmum62n4M7Tz45VNpp_16IWboBnXlgG3LEfgN7MQqkf0-vVZufGrQpvRioRcBbesAiawMt4cspTk06ca&state=-fRunxjpG0aziPXnfcW1Iw1Fy_5_NwlUAgxABPOfAb8= HTTP/1.1
Host: 127.0.0.1:8080

OAuth2AuthorizationCodeGrantFilter in oauth2-client intercepts the request to redirect_uri, checks that the returned state matches the one stored when the authorization request was issued (this is the CSRF binding of the flow), and then exchanges the code for tokens with a /oauth2/token request to the authorization server:

POST /oauth2/token HTTP/1.1
Host: localhost:9000
Authorization: Basic bWVzc2FnaW5nLWNsaWVudDpzZWNyZXQ=
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&code=MCSJnvhXNyjilBaCyw1sCrrArWk1bzsEdxe5Z3EFbkdLwp8ASmum62n4M7Tz45VNpp_16IWboBnXlgG3LEfgN7MQqkf0-vVZufGrQpvRioRcBbesAiawMt4cspTk06ca&redirect_uri=http://127.0.0.1:8080/foo/bar

The parameters are sent form-encoded in the request body, and redirect_uri must be identical to the value sent in the authorization request, otherwise the authorization server rejects the exchange. The client authenticates with client-authentication-method: client_secret_basic, i.e. HTTP Basic authentication carrying client_id and client_secret (RFC 6749 section 2.3.1); see the OAuth 2.0 specification for details.
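The matching oauth2-client side, as an added example (not the article's DEMO code): a ClientRegistration with registrationId felord that produces exactly the /oauth2/authorization/felord redirect and the client_secret_basic token request shown above, plus a controller for the redirect_uri that shows the authorized client once the exchange completes. The client secret "secret" and the authorization-server endpoint URLs under http://localhost:9000 are assumptions.

```java
// Added example (not the article's DEMO code): oauth2-client configuration for the
// registrationId "felord" used in the captured requests. Assumed values: the client
// secret "secret" and the authorization-server URLs under http://localhost:9000.
import java.util.LinkedHashMap;
import java.util.Map;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.annotation.RegisteredOAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
public class OAuth2ClientConfig {

    @Bean
    ClientRegistrationRepository clientRegistrationRepository() {
        ClientRegistration felord = ClientRegistration.withRegistrationId("felord")
            .clientId("felord-client")
            .clientSecret("secret")
            // client_secret_basic: the token request carries
            // "Authorization: Basic base64(client_id:client_secret)".
            .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
            .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
            // Sent in both the authorize and the token request; the server compares them.
            .redirectUri("http://127.0.0.1:8080/foo/bar")
            .scope("message.read", "message.write")
            .authorizationUri("http://localhost:9000/oauth2/authorize")
            .tokenUri("http://localhost:9000/oauth2/token")
            .build();
        return new InMemoryClientRegistrationRepository(felord);
    }

    // oauth2Client() registers OAuth2AuthorizationRequestRedirectFilter (serves
    // /oauth2/authorization/{registrationId}) and OAuth2AuthorizationCodeGrantFilter
    // (handles the redirect_uri callback, state check and code-for-token exchange).
    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http.authorizeRequests(authorize -> authorize.anyRequest().permitAll())
            .oauth2Client();
        return http.build();
    }
}

@RestController
class AuthorizedClientController {

    // Resolving the authorized client for "felord" starts the authorization code
    // flow when the session holds no token yet and returns the stored token afterwards.
    @GetMapping("/foo/bar")
    Map<String, Object> authorizedClient(
            @RegisteredOAuth2AuthorizedClient("felord") OAuth2AuthorizedClient client) {
        Map<String, Object> info = new LinkedHashMap<>();
        info.put("registrationId", client.getClientRegistration().getRegistrationId());
        info.put("principalName", client.getPrincipalName());
        info.put("tokenType", client.getAccessToken().getTokenType().getValue());
        info.put("scopes", client.getAccessToken().getScopes());
        info.put("expiresAt", client.getAccessToken().getExpiresAt());
        // The raw access token value is deliberately not echoed to the browser.
        return info;
    }
}
```

Opening http://127.0.0.1:8080/foo/bar in a browser with this configuration runs the whole sequence captured above: the redirect to /oauth2/authorize, login and consent on localhost:9000, the callback with code and state, and the client_secret_basic token request, after which the controller responds with the authorized client's metadata.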

The authorization server returns the token to the client, completing the exchange; the authorized client information looks like this:

[image: authorized client information]

This completes the full authorization code flow built on Spring Authorization Server.

Reference: https://felord.cn/spring-authorization-server-trial.html