I have a Spring Boot application exposing several REST API endpoints. I want to enable Google OAuth authentication (authorization code grant) on it. I am trying to figure out what the Spring-Security-recommended way is to exchange the authorization code for an access token, which I further want to use to access the REST API resource server, and more importantly whether it is handled automatically with some minimal configuration. I checked different sources, which I summarized below:

  1. I checked this official tutorial, which asks to add the spring-boot-starter-oauth2-client dependency and specify client information in the application.yml file. Then it says:

    The app uses the authorization code grant to obtain an access token from GitHub (the Authorization Server). It then uses the access token to ask GitHub for some personal details (only what you permitted it to do), including your login ID and your name. In this phase, GitHub is acting as a Resource Server, decoding the token that you send and checking if it gives the app permission to access the user’s details.

  2. I checked the Spring Security samples GitHub repository, but I did not find any example demonstrating this.

  3. In the docs, I found this section, which talks about "customizing access token request with DefaultAuthorizationCodeTokenResponseClient", but I did not find any example of the same in the official docs. Also, after referring to this article, it seems that this is useful when OAuth2 APIs diverge from standards and is not useful for obtaining an access token to include in requests to the resource server's REST API.

  4. After referring to this blog post on spring.io, it seems that we need to manually obtain the access token with

    accessToken = oauth2AuthorizedClient.getAccessToken().getTokenValue()

    and then explicitly add it to every REST API resource server request:

    request.getHeaders().add("Authorization", "Bearer " + accessToken);

    But, with this approach, it seems that we have to write a single proxy REST endpoint in the client corresponding to every REST endpoint in the resource server.

    (The proxy endpoint will do the work of fetching the access token and adding it to the request to the corresponding resource server's endpoint.)

  5. I also went through this Udemy course. In this, the author uses WebClient to retrieve the access token and add it to every request to the resource server's REST endpoint. But this also seems to require writing proxy REST endpoints in the client for every resource server's REST endpoint. (The proxy endpoint will do the work of fetching the access token and adding it to the request to the corresponding resource server's endpoint.)

After going through all these resources, I have the following questions:

Q1. Does point 1 mean I don't have to manually / explicitly obtain the access token and it's automatically accessed and included in the request to the resource server, especially if I have my own REST API resource server?

Q2. Is my interpretation in Q1 regarding point 1 incorrect, and do I indeed have to manually fetch the access token and add it to requests to the resource server's REST endpoint as stated in points 4 and 5 above?

Q3. If the answer to Q2 is YES, then do I really need to write a proxy REST endpoint in the client for every actual REST endpoint in the resource server as stated in points 4 and 5 above?

Q4. Are there any related examples in the official docs or Spring Security samples? (since I didn't find any as stated in points 2 and 3 above)

Mahesha999
  • `exchange authorization code for access token, which I further want to access REST API resource server` we have no idea what your architecture looks like. Who is the authorization server, privately hosted? using github? github only allows single applications, you can't use them as a fully fledged authorization server with multiple resource servers. Okta? keycloak? depending on architecture the configuration and solutions are different. read the oauth2 rfc, i strongly recommend it. – Toerktumlare Jul 31 '22 at 23:03
  • @Toerktumlare I have modified the question and added what I am trying to do in the first sentence. Please let me know if any more information is required. – Mahesha999 Jul 31 '22 at 23:18
  • Just as a comment, this question is highly to be answered as a bounty. – Jonathan JOhx Aug 01 '22 at 01:06
  • Question is asking multiple questions in the same post, and what is considered a lot of research or not is individual. Reading the official docs, some blog posts and a udemy course is to some ”a lot of research”, to others not. No one ever needs to ”defend” their downvotes. https://meta.stackoverflow.com/questions/285081/am-i-still-supposed-to-explain-my-downvotes-or-not Just accept downvotes and move on. Good luck – Toerktumlare Aug 01 '22 at 06:25
  • Does this answer your question? [How to add the OAuth 2.0 bearer token to WebClient](https://stackoverflow.com/questions/65128485/how-to-add-the-oauth-2-0-bearer-token-to-webclient) – Eleftheria Stein-Kousathana Aug 18 '22 at 15:08
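An added example (not from the post, the linked answers or Spring's own docs) showing the mechanism the points 4 and 5 above are circling: Spring Security's `ServletOAuth2AuthorizedClientExchangeFilterFunction` looks up the signed-in user's `OAuth2AuthorizedClient` and attaches its access token as a bearer header on every `WebClient` call, so no `getTokenValue()` call and no per-endpoint proxy is needed. The registration id `google`, the resource server base URL and the `/orders` path are assumptions.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.DefaultOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepository;
import org.springframework.security.oauth2.client.web.reactive.function.client.ServletOAuth2AuthorizedClientExchangeFilterFunction;
import org.springframework.stereotype.Service;
import org.springframework.web.reactive.function.client.WebClient;

@Configuration
class ResourceServerClientConfig {
    // Boot auto-configures both repositories from spring.security.oauth2.client.* in application.yml.
    @Bean
    OAuth2AuthorizedClientManager authorizedClientManager(ClientRegistrationRepository registrations,
                                                          OAuth2AuthorizedClientRepository authorizedClients) {
        // The default providers cover authorization_code and refresh_token, so an expired
        // access token is refreshed before the call goes out (when a refresh token was issued).
        return new DefaultOAuth2AuthorizedClientManager(registrations, authorizedClients);
    }

    @Bean
    WebClient resourceServerWebClient(OAuth2AuthorizedClientManager manager) {
        ServletOAuth2AuthorizedClientExchangeFilterFunction oauth2 =
                new ServletOAuth2AuthorizedClientExchangeFilterFunction(manager);
        // "google" is assumed to be the registration id used in application.yml.
        oauth2.setDefaultClientRegistrationId("google");
        return WebClient.builder()
                .baseUrl("https://resource.example.test")   // hypothetical resource server
                .apply(oauth2.oauth2Configuration())          // adds "Authorization: Bearer <token>" per request
                .build();
    }
}

@Service
class OrdersClient {
    private final WebClient webClient;

    OrdersClient(WebClient resourceServerWebClient) {
        this.webClient = resourceServerWebClient;
    }

    // No manual header: the filter resolves the current user's OAuth2AuthorizedClient
    // from the servlet request and attaches its access token to this call.
    String fetchOrders() {
        return webClient.get().uri("/orders").retrieve().bodyToMono(String.class).block();
    }
}
```

The token stays inside the client application and is never handed to the browser; the resource server must still validate each bearer token it receives (issuer, audience, expiry) on its own.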
