This sample demonstrates integrating Resource Server with a mock Authorization Server, though it can be modified to integrate with your favorite Authorization Server.
With it, you can run the integration tests or run the application as a stand-alone service to explore how you can secure your own service with OAuth 2.0 Opaque Bearer Tokens using Spring Security.
To run the tests, do:
./gradlew integrationTest
Or import the project into your IDE and run OAuth2ResourceServerApplicationTests
from there.
By default, the tests are pointing at a mock Authorization Server instance.
The tests are configured with a set of hard-coded tokens originally obtained from the mock Authorization Server, and each makes a query to the Resource Server with their corresponding token.
The Resource Server subsquently verifies with the Authorization Server and authorizes the request, returning the phrase
Hello, subject!
where "subject" is the value of the sub
field in the JWT returned by the Authorization Server.
To run as a stand-alone application, do:
./gradlew bootRun
Or import the project into your IDE and run OAuth2ResourceServerApplication
from there.
Once it is up, you can use the following token:
export TOKEN=00ed5855-1869-47a0-b0c9-0f3ce520aee7
And then make this request:
curl -H "Authorization: Bearer $TOKEN" localhost:8080
Which will respond with the phrase:
Hello, subject!
where subject
is the value of the sub
field in the JWT returned by the Authorization Server.
Or this:
export TOKEN=b43d1500-c405-4dc9-b9c9-6cfd966c34c9
curl -H "Authorization: Bearer $TOKEN" localhost:8080/message
Will respond with:
secret message
_In order to use this sample, your Authorization Server must support Opaque Tokens and the Introspection Endpoint.
To change the sample to point at your Authorization Server, simply find this property in the application.yml
:
spring:
security:
oauth2:
resourceserver:
opaque:
introspection-uri: ${mockwebserver.url}/introspect
introspection-client-id: client
introspection-client-secret: secret
And change the property to your Authorization Server’s Introspection endpoint, including its client id and secret:
spring:
security:
oauth2:
resourceserver:
opaque:
introspection-uri: ${mockwebserver.url}/introspect
And then you can run the app the same as before:
./gradlew bootRun
Make sure to obtain valid tokens from your Authorization Server in order to play with the sample Resource Server.
To use the /
endpoint, any valid token from your Authorization Server will do.
To use the /message
endpoint, the token should have the message:read
scope.