Recently I started learning how to configure Spring Boot with OAuth 2.0 + JWT, and I have a question: is it possible to use Spring Boot security + JWT while avoiding OAuth 2.0?
1 Answer
9
Yes, it is possible to use JWT functionalities without the usage of standardized OAuth 2.0 flows. Here is a good example implementation to help you out. Another example can be found at AUTH0. You can use for example this dependency:
<!-- https://mvnrepository.com/artifact/org.springframework.security/spring-security-jwt -->
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-jwt</artifactId>
    <version>1.0.9.RELEASE</version>
</dependency>

git-flo
- I would like to ask if it is a good practice to use JWT without OAuth 2.0? – Peter S. Dec 16 '19 at 22:34
- @PeterS. Yes, perfectly fine. OAuth is a protocol which contains certain guidelines and rules. Implementation of OAuth can be done using JWT. Basically OAuth needs a token to drive the process. And JWT (JSON Web Token) is just a token. The advantage of using JWT is that the user doesn't have to give username and password each time if he is providing the token (which is **signed** by an authentication server). There can be only one authentication server and other servers will just recognize the signature (for authentication) and claims (for authorization). – Prajjwal Gupta Jun 18 '20 at 12:34
- Unfortunately spring-security-jwt is now deprecated, and refers developers to Spring Security OAuth2 (part of Spring Security 5.2.x). Their documentation does not have any examples of using JWT without at least having an issuer service to distribute the signing key. – Bampfer Mar 17 '21 at 20:42
- This is sad. Really hope to have a sample that demonstrates handling JWT without involving OAuth2 as well – Nick Wills Jan 03 '23 at 15:01
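The signed-token model discussed in this thread (one server signs, others check the signature and read the claims) can be shown with the JDK alone, with no OAuth 2.0 flow and no JWT library. This is an added example, not code from the answer or from any Spring project; the class name `Hs256JwtDemo`, the subject character restriction and the regex-based `exp` lookup are assumptions made to keep it self-contained.

```java
import static java.nio.charset.StandardCharsets.UTF_8;
import java.security.*;
import java.time.Instant;
import java.util.Base64;
import java.util.regex.*;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class Hs256JwtDemo {
    static final String HEADER = "{\"alg\":\"HS256\",\"typ\":\"JWT\"}";
    static final Base64.Decoder DEC = Base64.getUrlDecoder();
    static final Pattern EXP = Pattern.compile("\"exp\":(\\d+)");
    static String b64(byte[] b) { return Base64.getUrlEncoder().withoutPadding().encodeToString(b); }
    static byte[] hmac(byte[] key, String data) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(data.getBytes(UTF_8));
    }
    // Authentication server: called only after the username/password check has passed.
    static String issue(byte[] key, String subject, long ttlSeconds) throws GeneralSecurityException {
        if (!subject.matches("[A-Za-z0-9._-]+")) throw new IllegalArgumentException("bad subject");
        String claims = "{\"sub\":\"" + subject + "\",\"exp\":" + (Instant.now().getEpochSecond() + ttlSeconds) + "}";
        String signingInput = b64(HEADER.getBytes(UTF_8)) + "." + b64(claims.getBytes(UTF_8));
        return signingInput + "." + b64(hmac(key, signingInput));
    }
    // Any other server holding the key: returns the claims JSON, or null if the token is rejected.
    static String verify(byte[] key, String token) throws GeneralSecurityException {
        String[] p = token.split("\\.", -1);
        if (p.length != 3) return null;
        try {
            if (!HEADER.equals(new String(DEC.decode(p[0]), UTF_8))) return null;   // pin alg to HS256
            if (!MessageDigest.isEqual(hmac(key, p[0] + "." + p[1]), DEC.decode(p[2]))) return null; // constant-time
            String claims = new String(DEC.decode(p[1]), UTF_8);
            Matcher m = EXP.matcher(claims);   // simplification: real code parses the JSON
            if (!m.find() || Long.parseLong(m.group(1)) <= Instant.now().getEpochSecond()) return null;
            return claims;
        } catch (IllegalArgumentException e) { return null; }   // malformed Base64 or number
    }
    public static void main(String[] args) throws Exception {
        byte[] key = new byte[32];              // constructed demo key, 256 bits
        new SecureRandom().nextBytes(key);
        String token = issue(key, "alice", 300);
        String[] p = token.split("\\.");
        String forged = p[0] + "." + b64("{\"sub\":\"admin\",\"exp\":9999999999}".getBytes(UTF_8)) + "." + p[2];
        System.out.println("valid:   " + verify(key, token));
        System.out.println("forged:  " + verify(key, forged));     // payload swapped, old signature
        System.out.println("expired: " + verify(key, issue(key, "alice", -10)));
    }
}
```

In a Spring Boot application, `verify` would typically be called from a servlet filter that reads the `Authorization` header; that wiring is omitted here.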