
I need some help.

I set up an AuthorizationServer using @EnableAuthorizationServer from spring-security-oauth2 for grant type "client_credentials". I am able to create and check tokens, and everything is good with this.

/oauth/token
/oauth/checkToken

Followed this sample for Authorization server

I have a separate project that has the REST APIs to be secured. I can't use @EnableResourceServer because that project uses Spring 5.2.8 and spring-security-oauth2 2.5 is causing conflicts (because it uses 4.x Spring jars, and excluding them is causing more issues) while deploying over WebLogic, so I am using this sample.

Now in this sample, how do I just provide a checkToken URL? This sample wants a JWT JSON type of file, but I don't have it. I just want to keep it simple and use the checkToken URL of the authorization server I created, similar to how @EnableResourceServer works (like provided here, except without @EnableResourceServer).

Where do I provide that? Any immediate help appreciated.

Mario Codes
ninja

2 Answers


Following your example for the ResourceServer, this works for me:

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer;
import org.springframework.security.oauth2.server.resource.introspection.NimbusOpaqueTokenIntrospector;
import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector;

@EnableWebSecurity
public class OAuth2ResourceServerSecurityConfiguration extends WebSecurityConfigurerAdapter {

    // Introspection endpoint of the authorization server plus the resource server's own
    // client credentials, all read from application.properties
    @Value("${security.oauth2.resource.tokenInfoUri}") String tokenInfoUri;
    @Value("${security.oauth2.client.clientId}") String clientId;
    @Value("${security.oauth2.client.clientSecret}") String clientSecret;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // @formatter:off
        http
                .authorizeRequests((authorizeRequests) ->
                        authorizeRequests
                                .antMatchers(HttpMethod.GET, "/message/**").hasAuthority("SCOPE_message:read")
                                .antMatchers(HttpMethod.POST, "/message/**").hasAuthority("SCOPE_message:write")
                                .anyRequest().authenticated()
                )
                // opaque (non-JWT) bearer tokens: every request is validated by introspection
                .oauth2ResourceServer(OAuth2ResourceServerConfigurer::opaqueToken);
        // @formatter:on
    }

    @Bean
    OpaqueTokenIntrospector opaqueTokenIntrospector() {
        // POSTs the bearer token to tokenInfoUri, authenticating with HTTP Basic (clientId/clientSecret)
        return new NimbusOpaqueTokenIntrospector(tokenInfoUri, clientId, clientSecret);
    }
}

I used the following spring security dependencies:

        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-config</artifactId>
            <version>5.3.4.RELEASE</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-oauth2-jose</artifactId>
            <version>5.3.4.RELEASE</version>
        </dependency>
        <dependency>
            <groupId>com.nimbusds</groupId>
            <artifactId>oauth2-oidc-sdk</artifactId>
            <version>8.22</version>
            <scope>runtime</scope>
        </dependency>

        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-oauth2-resource-server</artifactId>
            <version>5.3.4.RELEASE</version>
        </dependency>

Put your checkToken URI, client ID and client secret into your application.properties.

jan_tm
  • Thank you @Jan Seidel, but I don't want the client ID and secret to be provided in my resource server. The clients who are calling me would already have called my authorization server (/oauth/token) with their client ID and secret, and only call my REST API with a bearer token, so I don't have access to their client ID and secret. I want a way to call /oauth/checktoken with the bearer token as a param in the resource server. How can we do that? – ninja Sep 24 '20 at 12:16
  • As I understand the OAuth2 protocol, your resource server is a client for your authorization server itself. It would have its own client ID and secret. The client IDs for requesting a token and checking the token do not have to match. That is the way I configured my OAuth2 environment. – jan_tm Sep 25 '20 at 09:36
  • Thank you @jan_tm, but the problem is that in my case the client first calls the authorization server using a /oauth/token POST call, gets the token and provides only the bearer token in the header to call my REST services. All my resource server has to do is make a call to the authorization server and authenticate that bearer token. This is working very nicely with the JWT token sample they had provided, but I don't want JWT tokens. – ninja Sep 26 '20 at 23:47
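As an added example (not part of jan_tm's answer and not Spring's own code), here is a hand-written OpaqueTokenIntrospector that does, step by step, what NimbusOpaqueTokenIntrospector does behind the bean in the answer: it POSTs the bearer token to the check-token endpoint (/oauth/check_token in spring-security-oauth2) and turns the reply into the principal the hasAuthority rules act on. It assumes exactly what jan_tm describes in the comments: the resource server has its own client ID and secret registered at the authorization server, used only for the introspection call, so the caller's credentials are never needed. The class name CheckTokenIntrospector and the nested IntrospectedPrincipal are my own; the property names are the ones from the answer. The points worth seeing in the open are that the introspection request is client-authenticated (the check endpoint should not be left anonymous), that anything not marked "active" is rejected, and that expiry is honoured locally as well.

```java
import java.time.Instant;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import java.util.Map;

import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.MediaType;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.core.OAuth2AuthenticatedPrincipal;
import org.springframework.security.oauth2.server.resource.introspection.BadOpaqueTokenException;
import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;
import org.springframework.web.client.RestClientException;
import org.springframework.web.client.RestTemplate;

// Hypothetical class (not from the answer or from Spring): posts the bearer token to the
// check_token endpoint and turns the reply into an authenticated principal. Use it as
//   return new CheckTokenIntrospector(tokenInfoUri, clientId, clientSecret);
// in place of the NimbusOpaqueTokenIntrospector bean in the answer.
public class CheckTokenIntrospector implements OpaqueTokenIntrospector {

    private final String checkTokenUri; // assumed value: http://auth-server/oauth/check_token
    private final String clientId;      // the resource server's OWN client registration
    private final String clientSecret;
    private final RestTemplate rest = new RestTemplate();

    public CheckTokenIntrospector(String checkTokenUri, String clientId, String clientSecret) {
        this.checkTokenUri = checkTokenUri;
        this.clientId = clientId;
        this.clientSecret = clientSecret;
    }

    @Override
    public OAuth2AuthenticatedPrincipal introspect(String token) {
        // RFC 7662 style request: form-encoded "token", client-authenticated with HTTP Basic,
        // so the check endpoint never has to be opened to anonymous callers.
        MultiValueMap<String, String> form = new LinkedMultiValueMap<>();
        form.add("token", token);
        HttpHeaders headers = new HttpHeaders();
        headers.setContentType(MediaType.APPLICATION_FORM_URLENCODED);
        headers.setAccept(Arrays.asList(MediaType.APPLICATION_JSON));
        headers.setBasicAuth(clientId, clientSecret);

        Map<?, ?> claims;
        try {
            claims = rest.postForObject(checkTokenUri, new HttpEntity<>(form, headers), Map.class);
        } catch (RestClientException e) {
            // spring-security-oauth2 answers 400 for an unknown or expired token
            throw new BadOpaqueTokenException("Token introspection failed: " + e.getMessage());
        }
        // Reject anything the authorization server did not explicitly mark active.
        if (claims == null || !Boolean.TRUE.equals(claims.get("active"))) {
            throw new BadOpaqueTokenException("Token is not active");
        }
        // Defence in depth: honour "exp" (epoch seconds) locally as well.
        Object exp = claims.get("exp");
        if (exp instanceof Number && Instant.now().getEpochSecond() >= ((Number) exp).longValue()) {
            throw new BadOpaqueTokenException("Token has expired");
        }
        return new IntrospectedPrincipal(claims, scopeAuthorities(claims.get("scope")));
    }

    // The legacy endpoint returns "scope" as a JSON array, RFC 7662 as a space-delimited
    // string; both become SCOPE_<scope> authorities so hasAuthority("SCOPE_message:read")
    // in the HttpSecurity rules keeps working.
    static Collection<GrantedAuthority> scopeAuthorities(Object scope) {
        List<String> scopes = new ArrayList<>();
        if (scope instanceof Collection) {
            for (Object s : (Collection<?>) scope) scopes.add(String.valueOf(s));
        } else if (scope instanceof String) {
            scopes.addAll(Arrays.asList(((String) scope).trim().split("\\s+")));
        }
        List<GrantedAuthority> authorities = new ArrayList<>();
        for (String s : scopes) {
            if (!s.isEmpty()) authorities.add(new SimpleGrantedAuthority("SCOPE_" + s));
        }
        return authorities;
    }

    // Principal carrying the claims; client_credentials tokens have client_id, not user_name.
    static final class IntrospectedPrincipal implements OAuth2AuthenticatedPrincipal {
        private final Map<String, Object> attributes;
        private final Collection<GrantedAuthority> authorities;

        @SuppressWarnings("unchecked")
        IntrospectedPrincipal(Map<?, ?> claims, Collection<GrantedAuthority> authorities) {
            this.attributes = (Map<String, Object>) claims;
            this.authorities = authorities;
        }
        @Override public Map<String, Object> getAttributes() { return attributes; }
        @Override public Collection<? extends GrantedAuthority> getAuthorities() { return authorities; }
        @Override public String getName() {
            Object n = attributes.containsKey("user_name") ? attributes.get("user_name") : attributes.get("client_id");
            return n == null ? null : n.toString();
        }
    }
}
```

With this in place the properties from the answer stay the same: security.oauth2.resource.tokenInfoUri points at the authorization server's check_token URL, and security.oauth2.client.clientId / clientSecret hold the resource server's own registration, not the calling client's. The check endpoint on the authorization server must require client authentication for this to mean anything; an introspection endpoint that answers anonymous callers lets anyone confirm which tokens are live.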

I ended up using the JWT sample Spring had provided, which gets the JWT public keys for verification on the resource server. Follow the auth and resource server provided in the Spring source sample project.

Works well so far, until we migrate to a better IDM solution.

ninja