Spring-Security-Oauth2.0: Is there a default oauth db schema which comes along with the library? How can we customize it?

Question

I am learning about spring-security-oauth. I used the schema given here. I have Authorization server and resource server in same application.

In Authorization server configuration, we tell which jdbc data-source to use, but where do we tell that these specific tables are to be used for all info? Is there any default config which comes with spring library? Can we customize the tables? And, lastly, what are the uses of all these tables?

I want to know how these tables are getting used in our configuration.

I have gone through some of these examples:

https://www.javatips.net/api/lolibox-master/lolibox-server/src/main/java/io/loli/box/oauth2/AuthorizationServerConfiguration.java

https://medium.com/@supunbhagya/spring-oauth2-authorization-server-jwt-jpa-data-model-1e458dcdac04

My Authorisation server config looks like this:

public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

    @Autowired
    Environment env;

    @Autowired
    DataSource dataSource;

    @Autowired
    @Qualifier("userDetailsDBService")
    UserDetailsService userDetailsService;

    @Autowired
    private AppRoleRepository appRoleRepository;

    @Autowired
    @Qualifier("authenticationManagerBean")
    private AuthenticationManager authenticationManager;

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
        security.tokenKeyAccess("permitAll()")
                .checkTokenAccess("isAuthenticated()");
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients
                //.inMemory()
                .jdbc(dataSource);
    }

....

score 2 · Answer 1 · answered Jul 23 '19 at 08:35

In Authorization server configuration, we tell which jdbc data-source to use, but where do we tell that these specific tables are to be used for all info?

When you do .jdbc(dataSource) Spring Security does the heavy lifting of creating an instance of JdbcClientDetailsService, in which where oauth_client_details table is used.

Is there any default config which comes with spring library?

Default is In Memory.

Can we customize the tables?

Yes by writing your own custom version of JdbcClientDetailsService which makes use of your customized tables and calling the clients.withClientDetails(customJdbcClientDetailsService) instead of your .jdbc(dataSource).

And, lastly, what are the uses of all these tables?

There are four main tables that you need to be aware of;

oauth_client_details - This table stores the Client Credentials (ClientId, ClientSecret) like Web Browser, Apple OS, Android OS, etc. These Clients are mostly devices not users. 
oauth_client_token - This table stores the Authentication token related to the client details from above table. Some resources which are not user specific which are accessible just with a Client Token.
oauth_access_token - This table stores the Access token related to the Granted User.
oauth_refresh_token - This table stores the Refresh token related to Access tokens in the above table.

Thanks a lot. Yes, now I found where these tables are getting used. One more question. For these to work, I have to create this schema before starting with oauth config. If this is anyway a default schema, is there any configuration, which will automatically generate these tables on application startup or something like that? to avoid this extra work of creating tables. — Marvolo, Jul 23 '19 at 09:27
@Mohit Joshi you could use something like Liquibase or Flyway — itpragmatik, Jul 25 '19 at 02:12

Spring-Security-Oauth2.0: Is there a default oauth db schema which comes along with the library? How can we customize it?

1 Answers1