7 Steps to implement OAuth 2 in Spring Boot with Spring Security

What an evening!

Too hot and humid. Total disaster!

So this kind of evening is perfect for an interesting topic: OAuth 2. I guess most of you guys know what the heck it does. But I’d like to explain a little. So let’s set it up.

1. Overview

OAuth 2 is an authentication and authorization framework, a security concept for REST APIs that describes how you authenticate and authorize a user to get access to data on your resource server.

It has four main roles.

  • Resource Owner (that means you)
  • Client (the application you’re using, which accesses your data on the resource server)
  • Resource Server (where your data is stored)
  • Authorization Server (responsible for authenticating your identity and giving you an authorization token, so that you can request your data from the resource server with this token; this token is called the access_token)

The authorization server will provide you two tokens if you use refresh_token as a grant type. Now, what the hell is a refresh token? What is the difference between access_token and refresh_token?

Well, the name says it all.

Access Token And Refresh Token:

These two types of token are provided by your authorization server. The access_token is responsible for accessing your resources on the resource server. This token usually has a short validity time. You can access your data with this token for a certain time before it expires. After it expires, you need to request a new access_token from the authorization server with your refresh token, client id, and client secret, so that you don’t need to send user credentials again and again. The refresh token has a longer validity time than the access token, typically 7-90 days, depending on you.

So we can say,

  1. The responsibility of the access token is to access data before it expires.
  2. The responsibility of the refresh token is to request a new access token when the access token has expired.

What will happen if my tokens are compromised?

Since you can get access to your data with the access_token, if it’s compromised then the hacker will get only a very limited ability to access resources, since it’ll expire very soon.

If the refresh token is compromised, your resources are still safe because the client id and client secret are needed to request an access_token, which is what gives access to resources.

Well, now that we’ve got the basic idea of the OAuth 2 workflow, we’re gonna implement OAuth 2 authorization using Spring Security on Spring Boot.

2. Dependency

Add the spring-security-oauth2 dependency to pom.xml.

If you use Gradle

3. Resource Server Configuration

Create a bean ResourceServerConfig that extends ResourceServerConfigurerAdapter and override the configure(HttpSecurity security) method. Annotate it with the @EnableResourceServer annotation. Here I’ve configured the resource server for the endpoints starting with /api/v1.
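A resource server configuration of the kind described above, as an added example rather than the author's original listing. The scope names read and write are assumptions; the /api/v1 prefix is the one named in the text.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            // Only requests under /api/v1 go through this filter chain.
            .antMatcher("/api/v1/**")
            .authorizeRequests()
                // Assumed scopes: reads need "read", every other method needs "write".
                // A token without the matching scope is rejected with 403.
                .antMatchers(HttpMethod.GET, "/api/v1/**").access("#oauth2.hasScope('read')")
                .antMatchers("/api/v1/**").access("#oauth2.hasScope('write')");
    }
}
```

Requests without a valid bearer token get 401 from these paths; paths outside /api/v1 are left to whatever other security configuration the application defines.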

4. Authorization Server Configuration

Extend AuthorizationServerConfigurerAdapter and override three configure methods.

Here we’ve used in-memory client details, but it serves its purpose. The Client ID here is android-client and the Client Secret is android-secret.

We’ve added three grant types, which means the client can get an access_token by client username and password or by refresh_token. If refresh_token weren’t listed here, the authorization server would only provide an access token, and we would have to request a new access token with username and password every time it expired.

In the third configure(AuthorizationServerEndpointsConfigurer e) method, we’ve provided our little AuthenticationManager bean so that it can authenticate our user using userDetailsService. But wait, we’ve used the Spring Security AuthenticationManager but haven’t provided our UserDetailsService yet. So please autowire the AuthenticationManagerBuilder class and provide it a userDetailsService. Like this:

You can write this method below the main method or in any configuration bean that is executed before AuthenticationManager gets injected into the AuthorizationServerConfig class.
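An authorization server configuration matching the description in this section, as an added example rather than the author's original listing. It assumes AuthenticationManager, UserDetailsService and PasswordEncoder beans are already defined elsewhere; the scope names and validity periods are assumptions, and only the two grant types the text names are listed.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;

@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

    private final AuthenticationManager authenticationManager; // assumed bean
    private final UserDetailsService userDetailsService;       // assumed bean
    private final PasswordEncoder passwordEncoder;             // assumed bean, e.g. BCrypt

    public AuthorizationServerConfig(AuthenticationManager authenticationManager,
                                     UserDetailsService userDetailsService,
                                     PasswordEncoder passwordEncoder) {
        this.authenticationManager = authenticationManager;
        this.userDetailsService = userDetailsService;
        this.passwordEncoder = passwordEncoder;
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) {
        // Client secrets are verified through the encoder, never compared as plain strings.
        security.passwordEncoder(passwordEncoder);
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
            .withClient("android-client")
            .secret(passwordEncoder.encode("android-secret")) // stored hashed
            .authorizedGrantTypes("password", "refresh_token")
            .scopes("read", "write")                          // assumed scope names
            .accessTokenValiditySeconds(15 * 60)              // assumed: 15 minutes
            .refreshTokenValiditySeconds(7 * 24 * 60 * 60);   // assumed: 7 days
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
        endpoints.authenticationManager(authenticationManager) // enables the password grant
                 .userDetailsService(userDetailsService);      // re-checks the user on refresh
    }
}
```

Keeping the access token lifetime short and the refresh lifetime bounded is what makes the compromise reasoning from the overview hold in practice.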

5. UserDetailsService

6. Additional Configurations

If we want additional information with access tokens, we can use the TokenEnhancer class to do that.

Then use an instance of this class in the void configure(AuthorizationServerEndpointsConfigurer endpoints) method like this:

That’s it for now. We’ve implemented OAuth 2 using Spring Security.
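A token enhancer of the kind described above, as an added example rather than the author's original listing. The class name CustomTokenEnhancer and the added keys are assumptions.

```java
import java.util.HashMap;
import java.util.Map;
import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.token.TokenEnhancer;

// Hypothetical enhancer: adds non-sensitive context to the token response.
public class CustomTokenEnhancer implements TokenEnhancer {

    @Override
    public OAuth2AccessToken enhance(OAuth2AccessToken accessToken,
                                     OAuth2Authentication authentication) {
        // Start from what is already there so other enhancers' entries survive.
        Map<String, Object> info = new HashMap<>(accessToken.getAdditionalInformation());

        // Everything added here is returned to the client in the token response,
        // so it must never contain passwords, secrets or internal identifiers.
        info.put("client_id", authentication.getOAuth2Request().getClientId());
        if (!authentication.isClientOnly()) {
            info.put("user_name", authentication.getName());
        }

        if (accessToken instanceof DefaultOAuth2AccessToken) {
            ((DefaultOAuth2AccessToken) accessToken).setAdditionalInformation(info);
        }
        return accessToken;
    }
}
// Wiring, inside configure(AuthorizationServerEndpointsConfigurer endpoints):
//     endpoints.tokenEnhancer(new CustomTokenEnhancer());
```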

7. Endpoints:

The client sends a request for authorization and authorization server responds with an access token and a refresh token.

Authorization Server Response:

Next time we can send a request for access_token with refresh token. This time we don’t need user email and password.
Like that:

Now we can get access to the resource with that access token if it’s valid.
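The three requests described in this section, built with the JDK's HTTP client types, as an added example rather than the author's original listing. The host, the /api/v1/example path and the sample credentials and tokens are constructed; /oauth/token is the framework's default token endpoint.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpRequest;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Map;
import java.util.stream.Collectors;

public class TokenRequests {
    static final String BASE = "http://localhost:8080"; // assumed host; use HTTPS outside local testing
    static final String CLIENT = "android-client:android-secret"; // client id and secret from the text

    // URL-encodes the form fields so '&', '=' or '+' in a password cannot alter the request.
    static String form(Map<String, String> fields) {
        return fields.entrySet().stream()
            .map(e -> URLEncoder.encode(e.getKey(), StandardCharsets.UTF_8) + "="
                + URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8))
            .collect(Collectors.joining("&"));
    }

    // POST /oauth/token: the client authenticates with HTTP Basic, the grant goes in the body.
    static HttpRequest tokenRequest(Map<String, String> fields) {
        String basic = Base64.getEncoder().encodeToString(CLIENT.getBytes(StandardCharsets.UTF_8));
        return HttpRequest.newBuilder(URI.create(BASE + "/oauth/token"))
            .header("Authorization", "Basic " + basic)
            .header("Content-Type", "application/x-www-form-urlencoded")
            .POST(HttpRequest.BodyPublishers.ofString(form(fields)))
            .build();
    }

    static HttpRequest passwordGrant(String email, String password) {
        return tokenRequest(Map.of("grant_type", "password", "username", email, "password", password));
    }

    static HttpRequest refreshGrant(String refreshToken) {
        return tokenRequest(Map.of("grant_type", "refresh_token", "refresh_token", refreshToken));
    }

    static HttpRequest resourceRequest(String path, String accessToken) {
        return HttpRequest.newBuilder(URI.create(BASE + path))
            .header("Authorization", "Bearer " + accessToken).GET().build();
    }

    public static void main(String[] args) {
        HttpRequest[] all = { passwordGrant("user@example.com", "constructed-password"),
            refreshGrant("constructed-refresh-token"), resourceRequest("/api/v1/example", "constructed-access-token") };
        for (HttpRequest r : all) System.out.println(r.method() + " " + r.uri());
    }
}
```

Pass any of these to `HttpClient.newHttpClient().send(...)` against a running instance; the refresh request carries the client credentials but no user password, which is the point made above.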

One comment on “7 Steps to implement OAuth 2 in Spring Boot with Spring Security”


I am getting error:
“error”: “server_error”,
“error_description”: “Handler dispatch failed; nested exception is java.lang.StackOverflowError”
and exception is: Resolved exception caused by Handler execution: org.springframework.web.util.NestedServletException: Handler dispatch failed; nested exception is java.lang.StackOverflowError
Can you give me a solution?
