Bublik

Reputation: 922

Spring OAuth2 explain Authorization server configuration

I am trying to implement OAuth security and ran into a problem: the configuration class is not clear enough to me.

While implementing AuthorizationServerConfigurer I have three configurers:

When it comes to AuthorizationServerSecurityConfigurer and AuthorizationServerEndpointsConfigurer, I am not sure what they do or how they should be configured. The documentation says only:

AuthorizationServerEndpointsConfigurer: defines the authorization and token endpoints and the token services.

Maybe someone can explain in simple words what these two configurers do, or what they are used for.

Upvotes: 4

Views: 11506

Answers (2)

Pasha

Reputation: 1655

I am using spring-security-oauth; there is helpful documentation that may help you:

projects.spring.io/spring-security-oauth/docs/oauth2.html

Upvotes: 1

Ali Dehghani

Reputation: 48133

AuthorizationServerConfigurer's javadoc is more informative than the linked documentation. AuthorizationServerSecurityConfigurer, as its name suggests, configures the security of the Authorization Server itself. For example, you can override the security of the OAuth endpoints such as /oauth/token, provide an access denied handler or restrict access to SSL. Here is what the documentation says about it:

Configure the security of the Authorization Server, which means in practical terms the /oauth/token endpoint. The /oauth/authorize endpoint also needs to be secure, but that is a normal user-facing endpoint and should be secured the same way as the rest of your UI, so is not covered here. The default settings cover the most common requirements, following recommendations from the OAuth2 spec, so you don't need to do anything here to get a basic server up and running.

As for AuthorizationServerEndpointsConfigurer:

Configure the non-security features of the Authorization Server endpoints, like token store, token customizations, user approvals and grant types. You shouldn't need to do anything by default, unless you need password grants, in which case you need to provide an AuthenticationManager.

Here is a sample from one of my projects:

@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
    endpoints
            .authenticationManager(authenticationManager) // required for the password grant
            .tokenStore(jwtTokenStore())                  // tokens are self-contained JWTs
            .tokenEnhancer(tokenEnhancer());              // adds custom claims to issued tokens
}

Here I provided a JwtTokenStore as my TokenStore and an AuthenticationManager since I was using Password Grants.

Upvotes: 11
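As an added example (not the asker's or the answerer's code), here are all three configure() overrides of one Spring Security OAuth2 authorization server side by side, showing how the security configurer and the endpoints configurer divide the work. It assumes an AuthenticationManager bean and a PasswordEncoder bean exist and that a keystore jwt.jks with alias jwt is on the classpath; the client id, client secret, redirect URI and keystore password are placeholders.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.*;
import org.springframework.core.io.ClassPathResource;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.*;
import org.springframework.security.oauth2.config.annotation.web.configurers.*;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.*;

@Configuration
@EnableAuthorizationServer
public class AuthServerConfig extends AuthorizationServerConfigurerAdapter {
    @Autowired private AuthenticationManager authenticationManager; // assumed to exist as a bean
    @Autowired private PasswordEncoder passwordEncoder;             // assumed to exist as a bean

    // 1. Security of the server's own endpoints: /oauth/token, /oauth/check_token, /oauth/token_key
    @Override public void configure(AuthorizationServerSecurityConfigurer security) {
        security.sslOnly()                             // refuse plain-HTTP token requests
                .tokenKeyAccess("permitAll()")         // the public verification key may be fetched by anyone
                .checkTokenAccess("isAuthenticated()") // token introspection requires client authentication
                .passwordEncoder(passwordEncoder);     // client secrets are compared as hashes, not plaintext
    }

    // 2. Registered clients: pinned redirect URI, code + refresh grants only, short-lived access tokens
    @Override public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory().withClient("web-client")
                .secret(passwordEncoder.encode("CHANGE-ME-client-secret")) // placeholder, never ship this value
                .authorizedGrantTypes("authorization_code", "refresh_token")
                .scopes("read")
                .redirectUris("https://app.example.test/callback")
                .accessTokenValiditySeconds(600);
    }

    // 3. Non-security plumbing of the endpoints: where tokens are stored and how they are encoded
    @Override public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
        endpoints.authenticationManager(authenticationManager) // only consulted by the password grant
                 .tokenStore(tokenStore())
                 .accessTokenConverter(accessTokenConverter())
                 .reuseRefreshTokens(false);              // issue a fresh refresh token on every refresh
    }

    @Bean public TokenStore tokenStore() { return new JwtTokenStore(accessTokenConverter()); }

    @Bean public JwtAccessTokenConverter accessTokenConverter() {
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        // RSA key pair from a keystore (assumed: jwt.jks on the classpath, alias "jwt"); private key signs, public key verifies
        KeyStoreKeyFactory keys = new KeyStoreKeyFactory(new ClassPathResource("jwt.jks"), "CHANGE-ME".toCharArray());
        converter.setKeyPair(keys.getKeyPair("jwt"));
        return converter;
    }
}
```

With this split, everything that decides who may reach /oauth/token, /oauth/check_token and /oauth/token_key lives in the first override, while the second and third only describe clients and token handling.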
