
I'm new to OAuth 2.0 and am trying to develop an application using a third-party OAuth provider with the Authorization Code grant flow as my Authorization Server and Spring Security. This provider gives me two endpoints, /authorize and /token, and those two, after the user authorizes its access, will return an access token.

So far, I have secured the "/" endpoint, so the application redirects the user to the authorization page and then, in the callback endpoint, stores the token so it can be validated by a filter in each request.

But, as the application is mainly a set of REST APIs, we want to be able to test it using Postman. With that said, on Postman, I am getting the token by setting the Authorization as OAuth 2.0 and requesting the token directly from the third-party endpoints, but, as Postman has its own callback URI, my application doesn't store the token generated.

So, my two questions on this are:

  1. Is using the /callback endpoint to store the token and validating it before each request with a filter the common way of doing it?
  2. To use Postman, should I create an endpoint for storing a token generated outside the application context, or should I create an Authorization Server of my own as an additional layer on top of this third-party AS?

2 Answers


Since your application is a set of REST APIs, you need to make it a Resource Server (in OAuth2 terms).
A Resource Server doesn't perform authentication itself; it only validates a token from the Authorization header (Resource Server in a nutshell).

You can find an example in Spring Security samples: oauth2resourceserver

  • Thanks for the OAuth link, it explained a lot, but it seems the OAuth spec isn't specific about whether the Authorization Server should or should not provide a token-validating endpoint. That being said, when using the browser I can store the token sent to the redirectUri in a database and check it at each request, but, when I'm using Postman for testing, it has its own callback URI, so how could I check the token validity? Or am I using Postman wrong? – Matheus Silva Apr 01 '19 at 12:34

I eventually came to the conclusion that I was using Postman wrong the whole time. So, in the end, we got the token saved in the database when the user logs in and then return it to the caller, whether it is the front-end application or Postman itself. Then, in every call to the APIs, the caller should include the token as Authorization in the header and a filter in Spring will check the token against the database.

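The filter the accepted answer describes (bearer token taken from the Authorization header and checked against the database on every call), written out as an added example that is not code from the question or either answer. It assumes Spring Boot 2.x with the javax.servlet API and Java 17, and the `TokenRepository`/`StoredToken` types are hypothetical stand-ins for whatever table the login callback writes; storing only a SHA-256 digest of the token and checking expiry and revocation are hardening choices added here, not something the answer specifies.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.time.Instant;
import java.util.List;
import java.util.Optional;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.http.HttpHeaders;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.OncePerRequestFilter;
// Hypothetical lookup of the row written at login time. Only a SHA-256 digest of the token
// is stored, so a leaked database copy does not hand out usable bearer tokens.
interface TokenRepository { Optional<StoredToken> findByTokenHash(String sha256Hex); }
record StoredToken(String subject, Instant expiresAt, boolean revoked) {}

public class DbBearerTokenFilter extends OncePerRequestFilter {
    private final TokenRepository tokens;
    public DbBearerTokenFilter(TokenRepository tokens) { this.tokens = tokens; }
    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res,
                                    FilterChain chain) throws ServletException, IOException {
        String header = req.getHeader(HttpHeaders.AUTHORIZATION);
        if (header != null && header.regionMatches(true, 0, "Bearer ", 0, 7)) {
            String token = header.substring(7).trim();
            Optional<StoredToken> rec = tokens.findByTokenHash(sha256Hex(token));
            if (rec.isPresent() && !rec.get().revoked() && rec.get().expiresAt().isAfter(Instant.now())) {
                // Known, unexpired, unrevoked token: authenticate the request for the rest of the chain.
                SecurityContextHolder.getContext().setAuthentication(new UsernamePasswordAuthenticationToken(
                        rec.get().subject(), null, List.of(new SimpleGrantedAuthority("ROLE_USER"))));
            }
            // Otherwise the context stays empty and the endpoint's authorization rules answer 401;
            // the token value itself is never logged.
        }
        chain.doFilter(req, res);
    }
    static String sha256Hex(String s) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder();
            for (byte b : d) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (java.security.NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }
}
```

Register it in the security configuration with `http.addFilterBefore(new DbBearerTokenFilter(repo), UsernamePasswordAuthenticationFilter.class)` and keep the API endpoints behind `.authenticated()`, so a request without a valid token is rejected by Spring rather than by the filter itself; the login callback must write the same SHA-256 digest of the token it returns to the browser or Postman.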