jker

Reputation: 465

Authentication with OAuth2 in Webflux Spring

I'm developing an app in which I want to have role-based access control; unfortunately, I didn't find any good example with Spring WebFlux usage. My oauth2.client.provider is Okta.

Here is my SecurityWebFilterChain:

    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        return http
                .authorizeExchange()
                .pathMatchers("/*").permitAll()
                // hasRole("admins") checks for the authority "ROLE_admins"
                .pathMatchers("/admin").hasRole("admins")
                .and()
                .build();
    }

In this article I found that I should configure a resource server. Please give me a hint on how to do it.

Upvotes: 0

Views: 1542

Answers (1)

Matt Raible
Matt Raible

Reputation: 8634

You'll need to use a milestone release of Spring Boot 2.1 for this to work. M3 or higher should do the trick. Add the necessary dependencies for Spring Security 5.1 OIDC support:

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-config</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-oauth2-client</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-oauth2-jose</artifactId>
</dependency>

Then create an Okta OIDC "Web" app and copy your settings into src/main/resources/application.yml.

spring:
  security:
    oauth2:
      client:
        provider:
          okta:
            issuer-uri: https://dev-737523.oktapreview.com/oauth2/default
        registration:
          login:
            okta:
              client-id: {clientId}
              client-secret: {clientSecret}
              scope: openid email profile

Restart your app, go to http://localhost:8080, and you should be redirected to Okta to log in. Enter valid credentials, and you'll be redirected back to your app after a successful log in.

To limit access based on roles, you'll need to create groups for your users.

Create a ROLE_ADMIN and ROLE_USER group (Users > Groups > Add Group) and add users to them. You can use the account you signed up with, or create a new user (Users > Add Person). Navigate to API > Authorization Servers, click the Authorization Servers tab and edit the default one. Click the Claims tab and Add Claim. Name it “groups” or “roles”, and include it in the ID Token. Set the value type to “Groups” and set the filter to be a Regex of ".*" (to include them all).

Then you should be able to use something like:

@Bean
public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
    return http
            .authorizeExchange()
            .pathMatchers("/*").permitAll()
            .pathMatchers("/admin").hasAuthority("ROLE_ADMIN")
            .and()
            // once you define your own chain, oauth2Login() is what redirects to Okta
            .oauth2Login()
            .and()
            .build();
}

You should also be able to use @PreAuthorize as mentioned in this blog post.

Upvotes: 1
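The step the answer leaves implicit is getting the Okta "groups" claim into the user's granted authorities so that hasAuthority("ROLE_ADMIN") actually matches. The following is an added example, not code from the question or answer: it wraps Spring Security 5.1's OidcReactiveOAuth2UserService and copies each value of the ID-token claim (assumed to be named "groups", with Okta group names ROLE_ADMIN and ROLE_USER as set up above) into a SimpleGrantedAuthority; the path pattern "/admin/**" and the anyExchange().authenticated() rule are assumptions as well.

```java
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcReactiveOAuth2UserService;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest;
import org.springframework.security.oauth2.client.userinfo.ReactiveOAuth2UserService;
import org.springframework.security.oauth2.core.oidc.user.DefaultOidcUser;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.security.web.server.SecurityWebFilterChain;

@Configuration
public class GroupsToRolesSecurityConfig {

    // Assumed claim name; must match the claim added on the Okta authorization server.
    private static final String GROUPS_CLAIM = "groups";

    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        return http
                .authorizeExchange()
                // matches the Okta group name copied into the authorities below
                .pathMatchers("/admin/**").hasAuthority("ROLE_ADMIN")
                .anyExchange().authenticated()
                .and()
                .oauth2Login()
                .and()
                .build();
    }

    // oauth2Login() picks up this bean and uses it to build the OidcUser after login.
    @Bean
    public ReactiveOAuth2UserService<OidcUserRequest, OidcUser> oidcUserService() {
        OidcReactiveOAuth2UserService delegate = new OidcReactiveOAuth2UserService();
        return request -> delegate.loadUser(request).map(user -> {
            Set<GrantedAuthority> authorities = new HashSet<>(user.getAuthorities());
            // Okta emits the "Groups" value type as a JSON array of group names.
            List<String> groups = user.getIdToken().getClaimAsStringList(GROUPS_CLAIM);
            if (groups != null) {
                groups.forEach(g -> authorities.add(new SimpleGrantedAuthority(g)));
            }
            return new DefaultOidcUser(authorities, user.getIdToken(), user.getUserInfo());
        });
    }
}
```

Because the ID token is signed by Okta and verified by spring-security-oauth2-jose before this service runs, the group list cannot be altered by the browser; keep the claim's regex filter as narrow as your group naming allows so only role groups become authorities.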
