
URL: https://dzone.com/articles/implementing-your-own-spring-boot-oauth2-authoriza


Implementing Your Own Spring Boot Oauth2 Authorization Server

In this article, we will implement our own authorization server in a Spring Boot application and test it with the client credentials grant type.

Dec. 02, 2020 · Tutorial

Before starting, please make sure that you have a conceptual understanding of how OAuth works and its terminology. If you don't, you may want to check out this comprehensive explanation.

Most large IT organizations now run their own OAuth implementation and their own OAuth servers, and most of the applications we use day to day rely on OAuth to protect user accounts. In Spring Boot applications, the Spring team provides Spring Security, which on its own is a solid way of securing an application. To offer single sign-on (SSO) or social login, however, you need an OAuth authorization server, and the Spring team has also implemented the OAuth specifications so that you can run a standalone authorization server inside your Spring Boot application.

Spring Security OAuth is a separate project from Spring Security. As its use grew, the Spring team decided to fold OAuth support into Spring Security itself, so Spring Security OAuth is now in maintenance mode: Spring Security 5 ships OAuth2 client and resource server support in the main project, and a new authorization server is being developed as a separate, currently experimental project, which you can check out here.

In this article, we will implement the OAuth2 authorization server using the maintenance-mode Spring Security OAuth project, wired into Spring Boot through spring-security-oauth2-autoconfigure.

Getting Started

To build your own authorization server, create a new Spring starter project and make sure your pom.xml declares dependencies similar to these. Note that spring-security-jwt is listed but nothing in this article configures JWT tokens, so the tokens issued below are opaque strings.

XML

<dependencies>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-jwt</artifactId>
        <version>1.1.1.RELEASE</version>
    </dependency>
    <dependency>
        <groupId>org.springframework.security.oauth.boot</groupId>
        <artifactId>spring-security-oauth2-autoconfigure</artifactId>
        <version>2.4.0</version>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-test</artifactId>
        <scope>test</scope>
    </dependency>
</dependencies>



Enable Authorization Support

Open your main application class and add @EnableAuthorizationServer to enable the authorization server endpoints.

Java

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;

// @EnableAuthorizationServer registers /oauth/token, /oauth/authorize and
// /oauth/check_token and turns on the OAuth2 auto-configuration.
@EnableAuthorizationServer
@SpringBootApplication
public class SpringAuthorizationServerApplication {

    public static void main(String[] args) {
        SpringApplication.run(SpringAuthorizationServerApplication.class, args);
    }
}



Adding @EnableAuthorizationServer registers the standard OAuth2 endpoints (/oauth/token, /oauth/authorize, /oauth/check_token) and lets the auto-configuration build a single in-memory client from the security.oauth2.client.* properties below. That client is allowed to use the client credentials grant type (alongside the other standard grant types the auto-configuration enables), as discussed in this post, and it carries no scope restriction, which is why the scope=any request further down is accepted as-is. The client secret is stored as plaintext in the configuration file, so keep it out of version control.

Adding ClientId and Client Secret

YAML

security:
  oauth2:
    client:
      client-id: clientId
      client-secret: very-strong-secret



Now run your application and send a token request from Postman. The token endpoint only accepts POST (GET is rejected unless explicitly enabled), so set the method to POST and use this URL:

localhost:8080/oauth/token?grant_type=client_credentials&scope=any

Supply the client ID and client secret as HTTP Basic credentials (the Authorization tab in Postman, type "Basic Auth"); the server authenticates the client from the Authorization header, not from the query string. A successful response looks like this.

JSON

{
    "access_token": "qbE0ipKzzX5FNj3OVe8LWu40T_s",
    "token_type": "bearer",
    "expires_in": 43199,
    "scope": "any"
}
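
The property-driven setup above is enough to get a token, but it leaves the client with a plaintext secret in YAML, every grant type allowed, no scope restriction, and 12-hour tokens. The class below is an added example (not code from the article or from the linked GitHub project) showing the explicit AuthorizationServerConfigurerAdapter form a practitioner would use instead: the secret is read from a property at startup and BCrypt-hashed in memory, only client_credentials is authorized, the scope list is fixed, and tokens are short-lived. The package and class name, the client id (reporting-job), the scope (reports:read) and the property name (authserver.clients.reporting-job.secret) are assumptions for the example. Keep a single @EnableAuthorizationServer: if you add this class, drop the annotation from the main application class and remove the security.oauth2.client.* properties, since the auto-configured client backs off once an AuthorizationServerConfigurer bean exists.

```java
package com.example.authserver; // assumed package name

import org.springframework.context.annotation.Configuration;
import org.springframework.core.env.Environment;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;

/**
 * Explicit authorization-server configuration that replaces the
 * security.oauth2.client.* properties. Added example; class, package,
 * client id, scope and property name are assumptions, not the article's code.
 */
@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

    // Hashes client secrets at startup and verifies them on every token request.
    private final PasswordEncoder secretEncoder = new BCryptPasswordEncoder();
    private final Environment env;

    public AuthorizationServerConfig(Environment env) {
        this.env = env;
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) {
        security
            // Client secrets are compared through BCrypt instead of plain text.
            .passwordEncoder(secretEncoder)
            // /oauth/check_token needs an authenticated client; /oauth/token_key
            // stays closed because this server issues opaque tokens, not signed JWTs.
            .checkTokenAccess("isAuthenticated()")
            .tokenKeyAccess("denyAll()");
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        // The raw secret comes from the environment or an external property
        // source, never from a committed YAML file. getRequiredProperty fails
        // fast at startup if the secret is missing. (Property name is assumed.)
        String rawSecret = env.getRequiredProperty("authserver.clients.reporting-job.secret");

        clients.inMemory()
            .withClient("reporting-job") // assumed client id
            .secret(secretEncoder.encode(rawSecret))
            // Only the machine-to-machine grant this client needs: password,
            // implicit and authorization_code requests with this id are rejected.
            .authorizedGrantTypes("client_credentials")
            // A fixed scope list: scope=any is now refused with invalid_scope
            // instead of being echoed back in the token response.
            .scopes("reports:read")
            // Ten-minute tokens instead of the 12-hour default (expires_in: 43199)
            // seen in the response above; client_credentials issues no refresh token.
            .accessTokenValiditySeconds(600);
    }
}
```

With this class in place the Postman request becomes a POST to /oauth/token with Basic credentials reporting-job:<secret> and grant_type=client_credentials&scope=reports:read. Requesting scope=any now returns an invalid_scope error, and any grant type other than client_credentials is rejected for this client.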



Now you can send this access token as a Bearer token to access the protected resource. Note that the token is an opaque random string tracked in the in-memory token store (nothing in this configuration wires up the spring-security-jwt dependency), and it is valid for 12 hours (expires_in: 43199); both are defaults worth tightening before production use. Thank you for taking the time to read this article. I will be posting more articles on implementing the other grant types in OAuth. This project is also available on GitHub; please click on this link.

Please note that Spring does not recommend using this authorization server for new work. I posted this because I wanted to give you a picture of working with OAuth in Spring. The Spring team has rewritten the security module and introduced Spring Security 5 with resource server and client support. They are working on an authorization server, but it is still experimental; once it is officially available, we will surely post about that.
