Reputation: 395
I need to create authorization using an OAuth2 service. I need to get a token from it and then use this token when accessing resources (REST services). How can I achieve that? What is the starting point? It would be great to see examples.
Upvotes: 2
Views: 4557
Reputation: 5552
As when you type SpringMVC OAuth in Google the first SOF question is this one and the existing answer is not very detailed (everything is done via annotations ... no details of what's behind the scenes), despite the question being old I give a more detailed answer.
To bridge together SpringMVC and OAuth, you need to use one of the two flows that authenticate a web application with OAuth: the password (or resource owner password) flow or the implicit flow.
Using the password flow, you will have your own login page (in your SpringMVC application) and send the credentials to the authorization server (the OAuth server) to validate them. The authorization server can be built with Spring Security OAuth or can be Google's. You can use this example to help you make this: https://github.com/skate056/spring-security-oauth2-google ; you need to configure a specific filter that will use a RestTemplate to communicate with the Authorization server.
If you want to use the implicit flow (a better solution because it's more secure: no credentials fly between your application and the authorization server), it's simpler; you can follow these basic steps:
Spring security context :
<http auto-config="true" use-expressions="true">
    <intercept-url pattern="/login.do" access="permitAll"/>
    <intercept-url pattern="/**" access="isAuthenticated()" />
    <!-- "&" must be written "&amp;" inside an XML attribute, otherwise the context fails to parse -->
    <form-login
        login-page="http://authserver/uaa/oauth/authorize?response_type=token&amp;client_id=acme&amp;scope=internal&amp;redirect_uri=http://myserver/myappli/login.do"
        authentication-failure-url="/login.do?login_error=1"
    />
    <logout logout-url="/logout.do" logout-success-url="/login.do" />
    <custom-filter ref="oauth2ClientContextFilter" after="EXCEPTION_TRANSLATION_FILTER"/>
    <custom-filter ref="oAuth2AuthenticationProcessingFilter" before="FILTER_SECURITY_INTERCEPTOR"/>
</http>
<global-method-security pre-post-annotations="enabled"/>
<beans:bean id="oauth2ClientContextFilter" class="org.springframework.security.oauth2.client.filter.OAuth2ClientContextFilter" />
<beans:bean id="oAuth2AuthenticationProcessingFilter" class="fr.loicmathieu.auth.oauth.ImplicitFlowOAuthProcessingFilter">
    <beans:constructor-arg name="defaultFilterProcessesUrl" value="/register_token"/>
    <beans:property name="authenticationManager" ref="theAuthenticationManager" />
</beans:bean>
The authentication manager is specific to your application; it can load information about the user from the Authorization Server using the get-token-info endpoint, load the information about the user from an LDAP, or even from the token itself if using JWT.
My implementation of ImplicitFlowOAuthProcessingFilter is very basic: it creates an authentication object from the token; this authentication object will then be used by your AuthenticationProvider to retrieve the token and do whatever you want with it:
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
public class ImplicitFlowOAuthProcessingFilter extends AbstractAuthenticationProcessingFilter {
    public ImplicitFlowOAuthProcessingFilter(String defaultFilterProcessesUrl) {
        super(defaultFilterProcessesUrl);
    }
    // Reads the token relayed by the login page and hands it to the AuthenticationManager; OAuth2TokenAuthentication is the answer's own Authentication wrapper (not shown here).
    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {
        String token = request.getParameter("access_token");
        return this.getAuthenticationManager().authenticate(new OAuth2TokenAuthentication(token));
    }
}
The last trick is the login page: the default implementation of the Authorization Server of Spring Security OAuth appends the access token to the # part of the URL; this part is not available on the server, so I use a login page that will move the token from the # part to an access_token request parameter and redirect to a register_token URL:
Hope this will help someone.
Loïc
Upvotes: 1
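The login-page script the answer above describes (moving the token from the URL fragment to an access_token request parameter and redirecting to the register_token URL), as an added example that is not part of the original answer. It assumes the filter is mounted at /register_token as in the answer's bean definition; the function names and the sample fragments in the comments are mine.

```javascript
// Added example (not from the answer): relay an implicit-flow access token that the
// authorization server delivered in the URL fragment to the server-side filter.
// Assumption: the filter's defaultFilterProcessesUrl is "/register_token" (as in the answer).
const REGISTER_TOKEN_PATH = "/register_token";

// Parse a fragment such as "#access_token=abc&token_type=bearer&expires_in=3600".
// Returns null when no token is present (plain visit) and an {error} object when the
// server answered with "#error=access_denied&error_description=...", so the page can
// render normally instead of redirecting with an empty token.
function parseFragment(fragment) {
  const body = fragment.startsWith("#") ? fragment.slice(1) : fragment;
  const params = new URLSearchParams(body);
  if (params.has("error")) {
    return { error: params.get("error"), description: params.get("error_description") || "" };
  }
  const token = params.get("access_token");
  if (!token) return null;
  return {
    accessToken: token,
    tokenType: (params.get("token_type") || "bearer").toLowerCase(),
    expiresIn: params.has("expires_in") ? Number(params.get("expires_in")) : null,
  };
}

// Build the URL the filter listens on. encodeURIComponent keeps a crafted token value
// from smuggling extra query parameters into the request.
function buildRegisterUrl(origin, token) {
  return origin + REGISTER_TOKEN_PATH + "?access_token=" + encodeURIComponent(token);
}

// Decide where to send the browser, given a Location-like object {hash, origin}.
// Returns null when there is nothing to relay (no token, or an error response).
function relayTokenFromLocation(loc) {
  const parsed = parseFragment(loc.hash || "");
  if (!parsed || parsed.error) return null;
  return buildRegisterUrl(loc.origin, parsed.accessToken);
}

// Browser entry point; skipped when the file is loaded outside a page.
if (typeof window !== "undefined") {
  const target = relayTokenFromLocation(window.location);
  if (target) {
    // replace() rather than assign() so the fragment URL carrying the token does not
    // remain in the browser history.
    window.location.replace(target);
  }
}
```

Once the token has been moved into the query string it is visible to the server's access log, to any proxy in the path and to the browser history, so the register_token endpoint should consume it in a single request and answer with a redirect to a token-free URL. The OAuth 2.0 Security Best Current Practice (RFC 9700) recommends the authorization code grant with PKCE over the implicit grant for exactly this class of token-exposure problem.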
Reputation: 58094
Loads of samples here: https://github.com/spring-projects/spring-security-oauth/tree/master/samples and here: https://github.com/spring-projects/spring-security-oauth/tree/master/tests/annotation.
Upvotes: 1