-1

I have a server server1 that exposes an API which returns a list of purchased items. This API is protected by OAuth2. A user needs to be authenticated and have the role 'ROLE_SUPERVISOR' to access this API.

I want to be able to call this API from another server server2. This server calls the API of server1 without any user interaction (for backup purposes, amongst other things).

What would be the best way to authenticate server2 when calling the server1 API ?

I could create a specific technical user which has the role 'ROLE_SUPERVISOR', but I read that the client credential grant type might suit this case better (server to server authentication). I would then only have to create a new client application and register it in the authorization server. However, how do I add the role 'ROLE_SUPERVISOR' to a client application ?

Thanks.

brianny
  • 1
  • Hi, brianny. I'm not sure that I follow. Typically, it's the token that holds onto the authorities, not the client itself. If by "client" you mean the act of server2 calling server1, then you can simply pass the token along that you received by performing the client credentials grant flow. – jzheaux Jul 08 '20 at 21:41
  • By 'client' I just meant 'server2', in my case. So by performing the client credentials grant flow, I get the token, and I can authenticate to 'server1'. Now I'm wondering what's the setup to make sure that 'server2' has the 'ROLE_SUPERVISOR'. – brianny Jul 09 '20 at 08:41
  • Reading some of the clarifications in the comments, are you saying that you are using spring-security-oauth2's Authorization Server, and you'd like to add a client to that authorization server (say with ClientDetailsService) that has an authority of ROLE_SUPERVISOR? – jzheaux Jul 09 '20 at 16:30
  • yes, that's right. Sorry for not expressing that clearly. Server2 (the client) is a application that delegates its authentication to server1 (the authorization server). Users connect to server2 and are redirected to server1 for authentication. Server1 however also exposes an admin API that is only accessible by people that have the ROLE_SUPERVISOR authority. Most of the time this API is accessed by endusers, but on this specific occasion, I need server2 to do it in a background job. So I need server2 to have the 'ROLE_SUPERVISOR' in order to access this API. – brianny Jul 15 '20 at 08:58

1 Answers1

-1

I think that there are some terms being using the comments and in the question that are confusing the issue a bit.

So I need server2 to have the 'ROLE_SUPERVISOR' in order to access this API.

With OAuth 2.0, servers aren't the things with roles. A token has claims and those claims can be interpreted by an application. As mentioned in the question, you can obtain a token in a number of ways, one of them being the client credentials grant.

However, how do I add the role 'ROLE_SUPERVISOR' to a client application

It's also not entirely correct to say that clients have roles.

I believe the OP wants server2 to pass an OAuth 2.0 token to server1, and that the given token should have the appropriate claims in it such that server1 will grant the corresponding request with a ROLE_SUPERVISOR granted authority.

To get such a token with the client credentials grant, you'll need to configure a client in the authorization server:

@Override
protected void configure(ClientDetailsServiceConfigurer clients) {
    clients.inMemory()
        .withClient("id")
        .authorizedGrantType("client_credentials")
        .authorities("ROLE_SUPERVISOR")
        .secret("{noop}secret")
}

Then, server2 can use the client id and secret configured to obtain a token. As already stated, Spring Security ships with filters for negotiating with authorization servers and adding the appropriate Authorization header to the call to server1.

jzheaux
  • 7,042
  • 3
  • 22
  • 36