8

I have a spring-security-oauth2 project running smoothly with a class as Authorization server.

The client-ids, user-tokens, refresh-tokens are all managed by the database.

@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {
    private static String REALM = "MY_OAUTH_REALM";
    ...
    @Override
    public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
        oauthServer.realm(REALM + "/client");
    }
}

Everything is working fine except that i don't have any idea what the configure method is doing. Even if i remove the complete method the oauth2 process still works fine.

What is the main use of configure method in this context and what realm is it setting here?

Please help me in understanding it.

Thanks.

Abdullah Khan
  • 12,010
  • 6
  • 65
  • 78

2 Answers2

13

  1. Purpose of configure method

AuthorizationServerConfigurerAdapter has three configure(...) methods and all three could be overridden and those serve different purposes.

In your question, you have quoted only one.

Their purpose is to provide your custom settings for Authorization Server end points, clients & security. So its up to you as how many you wish to override as there are some predefined default settings. 

@Override
public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
// This can be used to configure security of your authorization server itself 
// i.e. which user can generate tokens , changing default realm etc.
// Sample code below.

// We're allowing access to the token only for clients with  'ROLE_TRUSTED_CLIENT' authority.
// There are few more configurations and changing default realm is one of those 
    oauthServer
        .tokenKeyAccess("hasAuthority('ROLE_TRUSTED_CLIENT')")
        .checkTokenAccess("hasAuthority('ROLE_TRUSTED_CLIENT')");
}

@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
// Here you will specify about `ClientDetailsService` 
// i.e. information about OAuth2 clients & where their info is located - memory , DB , LDAP etc.
// Sample code below.
}

@Override
public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
// This can be used to configure security of your authorization server itself
// i.e. which user can generate tokens , changing default realm etc - Sample code below.

    // we're allowing access to the token only for clients with  'ROLE_TRUSTED_CLIENT' authority.
    // There are few more configurations and changing default realm is one of those 
    oauthServer
        .tokenKeyAccess("hasAuthority('ROLE_TRUSTED_CLIENT')")
        .checkTokenAccess("hasAuthority('ROLE_TRUSTED_CLIENT')");
}

@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
    // Here you will specify about `ClientDetailsService` i.e.
    // information about OAuth2 clients & where their info is located - memory , DB , LDAP etc.
    // Sample code below 
    clients.inMemory()
        .withClient("trusted-app")
        .authorizedGrantTypes("client_credentials", "password", "refresh_token")
        .authorities("ROLE_TRUSTED_CLIENT")
        .scopes("read", "write")
        .resourceIds("oauth2_id")
        .accessTokenValiditySeconds(10000)
        .refreshTokenValiditySeconds(20000)
        .secret("secret");
}

@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
    // Here you will do non-security configs for end points associated with your Authorization Server
    // and can specify details about authentication manager, token generation etc. Sample code below 
    endpoints
        .authenticationManager(this.authenticationManager)
        .tokenServices(tokenServices())
        .tokenStore(tokenStore())
        .accessTokenConverter(accessTokenConverter());
}

@Bean
public TokenStore tokenStore() {
    return new JwtTokenStore(accessTokenConverter());
}   

@Bean
public JwtAccessTokenConverter accessTokenConverter() {
    JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
    converter.setSigningKey("abcd");
    return converter;
}

@Bean
@Primary
public DefaultTokenServices tokenServices() {
    DefaultTokenServices defaultTokenServices = new DefaultTokenServices();
    defaultTokenServices.setTokenStore(tokenStore());
    defaultTokenServices.setSupportRefreshToken(true);
    defaultTokenServices.setTokenEnhancer(accessTokenConverter());
    return defaultTokenServices;
}

  1. Purpose of @EnableAuthorizationServer

A javadoc explanation is already provided in previous answer.

In layman's language, this is to set up your token generation end point i.e. if you provide the properties security.oauth2.client.client-id and security.oauth2.client.client-secret, Spring will give you an authentication server, providing standard Oauth2 tokens at the endpoint /oauth/token

In practical scenario, what this means is that you are setting up a token generation web-application ( Layer-7 ) on top of your enterprise User LDAP or User Database and is usually a separate application from your consumer side apps ( APIs etc ).

Foolish
  • 3,952
  • 33
  • 46
Sabir Khan
  • 9,826
  • 7
  • 45
  • 98
1

If you have a look at the JavaDoc comment for @EnableAuthorizationServer you can see that it says the following;

Convenience annotation for enabling an Authorization Server (i.e. an AuthorizationEndpoint and a TokenEndpoint in the current application context, which must be a DispatcherServlet context. Many features of the server can be customized using @Beans of type AuthorizationServerConfigurer (e.g. by extending AuthorizationServerConfigurerAdapter. The user is responsible for securing the Authorization Endpoint (/oauth/authorize) using normal Spring Security features (EnableWebSecurity @EnableWebSecurity etc.), but the Token Endpoint (/oauth/token) will be automatically secured using HTTP Basic authentication on the client's credentials. Clients must be registered by providing a ClientDetailsService through one or more AuthorizationServerConfigurers.

Extending AuthorizationServerConfigurerAdapter is just used for customization of the Authorization Server. You can easily set up a functioning Authorization Server within Spring Security by Just Annotating a Bean class with @EnableAuthorizationServer

shazin
  • 21,379
  • 3
  • 54
  • 71