
I am trying to configure Spring Boot authorization and resource servers, each on a different server. The tutorial doesn't explain how exactly to configure the resource and authorization server on different servers.

If your Resource Server is a separate application then you have to make sure you match the capabilities of the Authorization Server and provide a ResourceServerTokenServices that knows how to decode the tokens correctly. [What does that mean, and how do I do this?]

As with the Authorization Server, you can often use the DefaultTokenServices and the choices are mostly expressed through the TokenStore (backend storage or local encoding). An alternative is the RemoteTokenServices which is a Spring OAuth feature (not part of the spec) allowing Resource Servers to decode tokens through an HTTP resource on the Authorization Server (/oauth/check_token). RemoteTokenServices are convenient if there is not a huge volume of traffic in the Resource Servers (every request has to be verified with the Authorization Server), or if you can afford to cache the results. To use the /oauth/check_token endpoint you need to expose it by changing its access rule (default is "denyAll()") in the AuthorizationServerSecurityConfigurer.

As I understand, there is a suggested solution where the resource server calls authorization server endpoints, but as quoted above, this can only be done if there is not a huge volume of traffic in the resource servers. But what if there actually is?

Adelin
  • Do you use the same database for authentication server and resource server? – dur Nov 27 '17 at 13:17
  • @dur no I don't ... do you mean that one of the ways is to share the same DB? – Adelin Nov 27 '17 at 20:44
  • Yes, I think it is the easiest way. Another option could be JWT. – dur Nov 27 '17 at 21:20
  • I have sample code that can answer your question - https://github.com/OhadR/oAuth2-sample. You can find here all 3 components, each a separate WAR that can be deployed on a different machine with its own servlet container (e.g. Tomcat) – OhadR Apr 09 '18 at 10:23

2 Answers

Let's say you have an Auth server, a Resource server and a Client App. You can set up a public JWT key to validate incoming tokens. What that means is your user gives his username&password to the Auth server via the Client App to get a valid token, and this token is signed by a public key in the Auth server. Then every Client App call to the Resource server needs to provide that signed token, and your Resource server application uses the public key to validate the incoming token instead of calling the Auth Server every time.

Yusuf
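The approach in the answer above, validating the JWT locally with the authorization server's public key so the resource server never has to call /oauth/check_token, can be wired up as follows in Spring Security OAuth2 (spring-security-oauth2 2.x). This is an added example, not code from the answer or from the Spring project; the classpath file name public.txt, the resource id "resource" and the /api/** path are assumptions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.ClassPathResource;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;
import org.springframework.util.FileCopyUtils;

// Resource server that verifies JWT access tokens offline with the auth server's
// PUBLIC key. Only the public key is deployed here; the private signing key never
// leaves the authorization server. (Assumed file name: public.txt, PEM format.)
@Configuration
@EnableResourceServer
public class JwtResourceServerConfig extends ResourceServerConfigurerAdapter {

    @Bean
    public JwtAccessTokenConverter accessTokenConverter() throws IOException {
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        String publicKey = new String(
                FileCopyUtils.copyToByteArray(new ClassPathResource("public.txt").getInputStream()),
                StandardCharsets.UTF_8);
        // A PEM public key makes the converter use an RSA verifier, not a shared MAC secret
        converter.setVerifierKey(publicKey);
        return converter;
    }

    @Bean
    public TokenStore tokenStore() throws IOException {
        // JwtTokenStore keeps nothing: every token is decoded and signature-checked on each request
        return new JwtTokenStore(accessTokenConverter());
    }

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
        // Resource id "resource" is an assumption; it must appear in the token's "aud" claim
        resources.resourceId("resource").tokenStore(tokenStore());
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/api/**").authenticated();
    }
}
```

Each resource server instance only needs a copy of the public key, so the auth server sees no per-request verification traffic; the trade-off is that a token cannot be revoked before it expires, so keep token lifetimes short.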

Add this bean to your resource server and you can secure multiple resource APIs with a single authorization server:

    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Primary;
    import org.springframework.security.oauth2.provider.token.RemoteTokenServices;

    // Delegates token validation to the authorization server's /oauth/check_token endpoint
    @Primary
    @Bean
    public RemoteTokenServices tokenService() {
        RemoteTokenServices tokenService = new RemoteTokenServices();
        tokenService.setCheckTokenEndpointUrl(
            "http://localhost:8080/spring-security-oauth-server/oauth/check_token");
        // Client credentials the resource server uses to authenticate to /oauth/check_token
        tokenService.setClientId("fooClientIdPassword");
        tokenService.setClientSecret("secret");
        return tokenService;
    }
Amit Patel