Spring Oauth2 ResourceServer + Oauth2 Security + Authorization Code grant flow

Supun Bhagya
4 min read · Feb 12, 2019

Overview

In the previous article, we implemented a Spring OAuth2 authorization server. In this article, we are going to create an OAuth2 resource server using Spring OAuth2 and secure its methods with OAuth2. We will also test both the authorization server and the resource server using the Authorization Code grant flow.

What is a Resource server?

A resource server provides protected resources. It communicates with its authorization server to validate each request for a protected resource. Typically, the endpoints of a resource server are protected based on OAuth2 scopes and user roles.

You can find the code in the GitHub repository: https://github.com/coderSinol/oauth2-resource

1. Configure Remote Token Service

The secured methods in the resource server must be accessed by passing an access token either in the Authorization header or as a request parameter. The header approach is recommended for security reasons: a token sent as a query parameter ends up in server logs, browser history and Referer headers.

The resource server needs to validate the received token with the authorization server. In this example, the authorization server and the resource server run as separate applications. Therefore, we will use a remote token service in the resource server to validate each received token with the authorization server.

Implementation

We will implement a custom remote token service that implements the Spring OAuth2 ResourceServerTokenServices interface and communicates with the authorization server. This authorization server can be any IAM provider or the server created in the previous article. The loadAuthentication method is implemented to call the authorization server and return an Authentication object; the token is validated by calling the /oauth/check_token endpoint of the authorization server.
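The following listing is an added example of such a token service; it is not the article's or the repository's code. It implements ResourceServerTokenServices and validates an opaque token by POSTing it to /oauth/check_token with the resource server's own client credentials. The property names (oauth2.check-token-url, oauth2.client-id, oauth2.client-secret) are assumptions.

```java
// Added example (not the article's or repository's code): a ResourceServerTokenServices
// implementation that validates an opaque access token by calling the authorization
// server's /oauth/check_token endpoint. The property names below are assumptions.
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Map;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.MediaType;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.common.exceptions.InvalidTokenException;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.token.DefaultAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;
import org.springframework.stereotype.Service;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;
import org.springframework.web.client.RestClientException;
import org.springframework.web.client.RestTemplate;

@Service
public class CustomRemoteTokenService implements ResourceServerTokenServices {

    private final RestTemplate restTemplate = new RestTemplate();
    // Turns the check_token response (client_id, user_name, scope, aud, ...) into an OAuth2Authentication
    private final DefaultAccessTokenConverter tokenConverter = new DefaultAccessTokenConverter();

    private final String checkTokenUrl; // e.g. http://<auth-server-host>:<port>/oauth/check_token (assumed)
    private final String clientId;
    private final String clientSecret;

    public CustomRemoteTokenService(@Value("${oauth2.check-token-url}") String checkTokenUrl,
                                    @Value("${oauth2.client-id}") String clientId,
                                    @Value("${oauth2.client-secret}") String clientSecret) {
        this.checkTokenUrl = checkTokenUrl;
        this.clientId = clientId;
        this.clientSecret = clientSecret;
    }

    @Override
    public OAuth2Authentication loadAuthentication(String accessToken) {
        HttpHeaders headers = new HttpHeaders();
        headers.setContentType(MediaType.APPLICATION_FORM_URLENCODED);
        // /oauth/check_token is itself protected: authenticate as this resource server's own client
        String credentials = clientId + ":" + clientSecret;
        headers.set(HttpHeaders.AUTHORIZATION, "Basic "
                + Base64.getEncoder().encodeToString(credentials.getBytes(StandardCharsets.UTF_8)));

        MultiValueMap<String, String> form = new LinkedMultiValueMap<>();
        form.add("token", accessToken);

        Map<String, Object> claims;
        try {
            @SuppressWarnings("unchecked")
            Map<String, Object> body = restTemplate.postForObject(
                    checkTokenUrl, new HttpEntity<>(form, headers), Map.class);
            claims = body;
        } catch (RestClientException e) {
            // A 400 from check_token (unknown or expired token) surfaces here as an HttpClientErrorException
            throw new InvalidTokenException("Access token could not be validated", e);
        }

        if (claims == null || claims.containsKey("error")) {
            throw new InvalidTokenException("Access token was rejected by the authorization server");
        }
        // Authorization servers that follow RFC 7662 report "active": false instead of an error body
        if (claims.containsKey("active") && !Boolean.TRUE.equals(claims.get("active"))) {
            throw new InvalidTokenException("Access token is not active");
        }
        // The "aud" claim is carried into the OAuth2Request resource ids and checked by
        // OAuth2AuthenticationManager against the configured resource id
        return tokenConverter.extractAuthentication(claims);
    }

    @Override
    public OAuth2AccessToken readAccessToken(String accessToken) {
        // Everything the resource server needs comes back from loadAuthentication
        throw new UnsupportedOperationException("readAccessToken is not supported by this token service");
    }
}
```

Every request that carries a token costs one round trip to the authorization server, which is the trade-off of opaque tokens: revocation takes effect immediately, but the authorization server becomes a dependency for every protected call.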

2. Configure Oauth2 Resource server

The @EnableResourceServer annotation makes our Spring Boot application act as a Spring OAuth2 resource server.

Key configurations:

  • Set the resource id on ResourceServerSecurityConfigurer. This is a unique identifier for our application and it is used when validating an access token.
  • Configure the CustomRemoteTokenService above as the token service for this resource server.
  • Set OAuth2AuthenticationManager as the AuthenticationManager of this application.
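The three configurations above, as an added example that is not the article's or the repository's code. The resource id value and the /public/** path are assumptions; the token service is injected as the ResourceServerTokenServices bean.

```java
// Added example (not the article's or repository's code): resource server configuration
// that sets the resource id, the remote token service and an OAuth2AuthenticationManager.
// RESOURCE_ID and the "/public/**" path are assumptions.
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationManager;
import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;

@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    // Assumed value; must match an "aud" entry in the tokens issued for this server
    private static final String RESOURCE_ID = "oauth2-resource";

    private final ResourceServerTokenServices tokenServices;

    public ResourceServerConfig(ResourceServerTokenServices tokenServices) {
        this.tokenServices = tokenServices;
    }

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        OAuth2AuthenticationManager authenticationManager = new OAuth2AuthenticationManager();
        authenticationManager.setTokenServices(tokenServices);
        // Tokens whose audience does not include RESOURCE_ID are rejected (OAuth2AccessDeniedException)
        authenticationManager.setResourceId(RESOURCE_ID);

        resources.resourceId(RESOURCE_ID)
                 .tokenServices(tokenServices)
                 .authenticationManager(authenticationManager);
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        // Unauthenticated access only to the public endpoints; everything else needs a valid token
        http.authorizeRequests()
                .antMatchers("/public/**").permitAll()
                .anyRequest().authenticated();
    }
}
```

The resource id is what stops a token minted for a different API from being accepted here: if the token's aud claim is present and does not contain this id, OAuth2AuthenticationManager refuses it before any controller runs.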

3. Enable Oauth2 authentication

Now it is time to enable OAuth2 on our resource server and protect its endpoints. The @EnableGlobalMethodSecurity annotation enables method-level access validation in the resource server.

Once this configuration is set, we can use the @PreAuthorize annotation to define what access level is required to execute a method.

We will define two controller classes whose methods have different access levels. First, let's create PublicController.java, which has a method getRandomMessage without any access restrictions.

Second, we will create UserController.java and define its method getOauth2Principal. This method requires the OAuth2 "read" scope to return a successful response. When we call this endpoint, user/profile, we must pass an access token in the header or as a request parameter to get a successful response.

We use the @PreAuthorize annotation with Spring Expression Language (SpEL) to define the required access level.
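The method security configuration and the two controllers, as an added example that is not the article's or the repository's code. It registers OAuth2MethodSecurityExpressionHandler so that the #oauth2 SpEL variable is available to @PreAuthorize; the /public/message path and the message list are assumptions, while /user/profile and the "read" scope come from the text.

```java
// Added example (not the article's or repository's code): method security plus the two
// controllers. The classes are shown in one listing; each normally lives in its own file.
// The "/public/message" path and MESSAGES are assumptions.
import java.security.Principal;
import java.util.Collections;
import java.util.Map;
import java.util.concurrent.ThreadLocalRandom;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;
import org.springframework.security.oauth2.provider.expression.OAuth2MethodSecurityExpressionHandler;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {

    // Makes "#oauth2.hasScope(...)" and friends resolvable inside @PreAuthorize expressions
    @Override
    protected MethodSecurityExpressionHandler createExpressionHandler() {
        return new OAuth2MethodSecurityExpressionHandler();
    }
}

@RestController
class PublicController {

    private static final String[] MESSAGES = {"hello", "welcome", "good day"};

    // No @PreAuthorize: reachable without a token (see the permitAll rule in the resource server config)
    @GetMapping("/public/message")
    public Map<String, String> getRandomMessage() {
        String message = MESSAGES[ThreadLocalRandom.current().nextInt(MESSAGES.length)];
        return Collections.singletonMap("message", message);
    }
}

@RestController
class UserController {

    // A valid token without the "read" scope is rejected with HTTP 403 (insufficient_scope);
    // no token at all is rejected with HTTP 401 before the method is reached
    @PreAuthorize("#oauth2.hasScope('read')")
    @GetMapping("/user/profile")
    public Map<String, String> getOauth2Principal(Principal principal) {
        // For a token obtained via the authorization code grant this is the resource owner's user name
        return Collections.singletonMap("name", principal.getName());
    }
}
```

Scope checks belong on the method that exposes the data, not only on URL patterns, so that a refactoring of the routing cannot silently expose getOauth2Principal without its scope requirement.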

4. Test it

We will use the Chrome Postman app to test the resource server using the Authorization Code grant flow. The Postman app acts as the external client application and as the resource owner's user-agent, which tries to access a protected resource on behalf of a user.

Steps in the Authorization Code grant flow (see https://tools.ietf.org/html/rfc6749#section-4 for more information):

  • Redirect to the authorization server's login screen
  • User authentication
  • Return the Authorization Code to the callback URL
  • Create a token request passing the retrieved Authorization Code
  • Request a protected resource with the token

Step 01

Create a GET request to access the protected resource http://localhost:8096/user/profile

Step 02

Get an access token by passing the client Id and secret.

Step 03

Redirect to the authorization server's login screen to validate user credentials. We will use the previously entered user credentials admin/admin1234.

Step 04

Authorize the Postman app to access the protected resource.

Step 05

Get an access token by passing the Authorization code.

Step 06

Use the created access token to get the protected resource. You should receive a successful response containing the name of the authenticated principal.
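Steps 05 and 06 as plain HTTP calls, for readers who want to reproduce the Postman exchange from code. This is an added example and not the article's or the repository's code; the authorization server URL, client credentials and redirect URI are placeholders, while the resource URL on port 8096 comes from the steps above. The authorization code passed on the command line is the one returned to the callback URL in step 03.

```java
// Added example (not the article's or repository's code): exchange an authorization code
// for an access token (step 05) and call the protected resource with it (step 06).
// TOKEN_URL, CLIENT_ID, CLIENT_SECRET and REDIRECT_URI are placeholders.
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Map;

import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;
import org.springframework.web.client.RestTemplate;

public class AuthCodeFlowClient {

    private static final String TOKEN_URL = "http://AUTH_SERVER_HOST:AUTH_SERVER_PORT/oauth/token"; // placeholder
    private static final String RESOURCE_URL = "http://localhost:8096/user/profile";
    private static final String CLIENT_ID = "CLIENT_ID_PLACEHOLDER";
    private static final String CLIENT_SECRET = "CLIENT_SECRET_PLACEHOLDER";
    private static final String REDIRECT_URI = "https://CALLBACK_URL_PLACEHOLDER"; // must equal the one used in step 03

    // Step 05: the client authenticates with its own credentials and redeems the code
    static String exchangeCode(RestTemplate rest, String authorizationCode) {
        HttpHeaders headers = new HttpHeaders();
        headers.setContentType(MediaType.APPLICATION_FORM_URLENCODED);
        String credentials = CLIENT_ID + ":" + CLIENT_SECRET;
        headers.set(HttpHeaders.AUTHORIZATION, "Basic "
                + Base64.getEncoder().encodeToString(credentials.getBytes(StandardCharsets.UTF_8)));

        MultiValueMap<String, String> form = new LinkedMultiValueMap<>();
        form.add("grant_type", "authorization_code");
        form.add("code", authorizationCode);
        form.add("redirect_uri", REDIRECT_URI);

        Map<?, ?> body = rest.postForObject(TOKEN_URL, new HttpEntity<>(form, headers), Map.class);
        if (body == null || body.get("access_token") == null) {
            throw new IllegalStateException("Token endpoint returned no access_token: " + body);
        }
        return (String) body.get("access_token");
    }

    // Step 06: present the token in the Authorization header, not as a query parameter
    static String fetchProfile(RestTemplate rest, String accessToken) {
        HttpHeaders headers = new HttpHeaders();
        headers.set(HttpHeaders.AUTHORIZATION, "Bearer " + accessToken);
        ResponseEntity<String> response = rest.exchange(
                RESOURCE_URL, HttpMethod.GET, new HttpEntity<>(headers), String.class);
        return response.getBody();
    }

    public static void main(String[] args) {
        if (args.length != 1) {
            System.err.println("usage: AuthCodeFlowClient <authorization-code-from-callback>");
            System.exit(2);
        }
        RestTemplate rest = new RestTemplate();
        String accessToken = exchangeCode(rest, args[0]);
        // Expected: a JSON body with the authenticated principal's name, e.g. {"name":"admin"}
        System.out.println(fetchProfile(rest, accessToken));
    }
}
```

An authorization code is single-use and short-lived, so a second run with the same code should fail at step 05 with an invalid_grant error from the authorization server; that is the behaviour RFC 6749 requires and a quick way to confirm the server is enforcing it.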

Supun Bhagya

Co-founder of imersian.com | Love coding and share experience with others