In this project we show how to improve the security of your Spring Boot app by using OAuth2 authentication. You can find the full write-up in our blog post HERE.
You can use gradle wrapper which is configured in the project.
./gradlew clean build
You can use your IDE or the command line.
Just run Oauth2BlogApplication as a Java application.
You can also use Gradle for it.
./gradlew clean bootRun
There are two profiles:
- default - for local development, uses H2 in memory database, enabled by default
- prod - uses AWS RDS and PostgreSQL database, also credentials are stored in AWS Secrets Manager
To use the prod profile you need to set the following environment variables:
- AWS_DEFAULT_REGION
- AWS_REGION
- AWS_ACCESS_KEY_ID
- AWS_SECRET_ACCESS_KEY
You need any HTTP client. The examples below use HTTPie and curl.
First, request an authentication token. There are two users available.
Admin user:
http -a my-client:my-secret --form POST http://localhost:8080/oauth/token username='[email protected]' password='admin123' grant_type='password'
curl -u my-client:my-secret -X POST http://localhost:8080/oauth/token -d "[email protected]&password=admin123&grant_type=password"
Regular user:
http -a my-client:my-secret --form POST http://localhost:8080/oauth/token username='[email protected]' password='user123' grant_type='password'
curl -u my-client:my-secret -X POST http://localhost:8080/oauth/token -d "[email protected]&password=user123&grant_type=password"
You should receive an authentication token in the response, for example:
{
  "access_token": "1bbea46b-93fe-4efa-b25a-eb6d5fac60c0",
  "refresh_token": "9d0e195c-3077-458a-8906-75f2596a48db",
  "scope": "read write trust",
  "token_type": "bearer"
}
Now, use the access_token to access the REST API.
http http://localhost:8080/api/hello name=='Seb' access_token=='1bbea46b-93fe-4efa-b25a-eb6d5fac60c0'
curl -H "Authorization: Bearer 3042da58-918a-4dd8-9c65-e99d81eebf89" http://localhost:8080/api/hello?name=Seb
You should see HTTP/1.1 200 in the response.
You can also list all of the active authentication tokens. This is available only to the admin user.
http http://localhost:8080/admin/token/list access_token=='1bbea46b-93fe-4efa-b25a-eb6d5fac60c0'
curl -H "Authorization: Bearer f94af558-28ba-4fc5-8b64-1f93ffc61225" http://localhost:8080/admin/token/list
You should receive a list of tokens in the response.
You can also revoke the authentication token using the following endpoint.
http DELETE http://localhost:8080/oauth/revoke access_token=='1bbea46b-93fe-4efa-b25a-eb6d5fac60c0'
curl -X DELETE -H "Authorization: Bearer f94af558-28ba-4fc5-8b64-1f93ffc61225" http://localhost:8080/oauth/revoke
You should see HTTP/1.1 200 in the response.
The token is removed and you won't be able to access the application with it anymore.
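The whole token lifecycle described above (request a token with the password grant, call the API, list tokens as admin, revoke, and then confirm the revoked token is refused) as an added example client that is not part of the project's code. It uses only the Python standard library and assumes the endpoints and the my-client:my-secret client credentials from this README; the OAUTH_BASE_URL, OAUTH_USER and OAUTH_PASSWORD environment variable names are chosen here. It deliberately sends the token in the Authorization header rather than as the access_token query parameter the HTTPie commands use, because query strings end up in server access logs, proxies and browser history.

```python
"""Token lifecycle client for the OAuth2 Spring Boot app (added example, stdlib only)."""
import base64
import json
import os
import urllib.error
import urllib.parse
import urllib.request

# Assumption: the app runs locally unless OAUTH_BASE_URL says otherwise.
BASE_URL = os.environ.get("OAUTH_BASE_URL", "http://localhost:8080")


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """HTTP Basic value for the client credentials (what `http -a` / `curl -u` send)."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def password_grant_body(username: str, password: str) -> bytes:
    """Form-encoded body of a resource-owner password grant, '@' and friends escaped."""
    fields = {"username": username, "password": password, "grant_type": "password"}
    return urllib.parse.urlencode(fields).encode("utf-8")


def parse_token_response(text: str) -> dict:
    """Validate the token endpoint's JSON before trusting it; split scope into a list."""
    body = json.loads(text)
    if "access_token" not in body:
        raise ValueError("token response has no access_token")
    if str(body.get("token_type", "")).lower() != "bearer":
        raise ValueError(f"unexpected token_type: {body.get('token_type')!r}")
    body["scopes"] = body.get("scope", "").split()
    return body


def bearer_headers(access_token: str) -> dict:
    """Carry the token in the Authorization header, never in the URL."""
    return {"Authorization": f"Bearer {access_token}"}


def _send(method: str, url: str, headers: dict, data: bytes = None):
    """Perform one request and return (status, body text); raises HTTPError on 4xx/5xx."""
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, resp.read().decode("utf-8")


def request_token(client_id: str, client_secret: str, username: str, password: str) -> dict:
    headers = {
        "Authorization": basic_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    _, text = _send("POST", f"{BASE_URL}/oauth/token", headers,
                    password_grant_body(username, password))
    return parse_token_response(text)


def call_hello(token: str, name: str = "Seb"):
    query = urllib.parse.urlencode({"name": name})
    return _send("GET", f"{BASE_URL}/api/hello?{query}", bearer_headers(token))


def list_tokens(token: str):
    return _send("GET", f"{BASE_URL}/admin/token/list", bearer_headers(token))


def revoke_token(token: str):
    return _send("DELETE", f"{BASE_URL}/oauth/revoke", bearer_headers(token))


def is_rejected(token: str) -> bool:
    """True when the API refuses the token. Assumption: an unknown token yields 401."""
    try:
        call_hello(token)
    except urllib.error.HTTPError as err:
        return err.code == 401
    return False


if __name__ == "__main__":
    # User credentials come from the environment, not from the source file.
    username = os.environ["OAUTH_USER"]
    password = os.environ["OAUTH_PASSWORD"]
    token = request_token("my-client", "my-secret", username, password)
    print("scopes:", token["scopes"])
    print("hello:", call_hello(token["access_token"]))
    try:
        print("active tokens:", list_tokens(token["access_token"]))
    except urllib.error.HTTPError as err:
        print("token list refused with status", err.code, "(non-admin user)")
    print("revoke status:", revoke_token(token["access_token"])[0])
    print("revoked token rejected:", is_rejected(token["access_token"]))
```

Run it as `OAUTH_USER=... OAUTH_PASSWORD=... python3 client.py` against a started app; the final line printing `True` is the check that revocation actually took effect rather than only returning 200.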
In the blog post you can see that the application is built incrementally. The following lists the tags corresponding to each step of development.
- empty-with-dependencies
  - no authentication
  - all the project dependencies added
  - test endpoint exposed
- in-memory-with-user-details-service
  - OAuth2 authentication configured
  - using in-memory store for clients and tokens
  - using DelegatingPasswordEncoder
  - added three different ways of testing the app with Spring tools
- jdbc-token-store-and-liquibase
  - using JDBC store for tokens
  - using embedded H2 database
  - using Liquibase to manage the database
- in-database-with-authentication-provider
  - using an authentication provider instead of a user details service
  - injecting the user name from the security context
- roles-and-admin-panel
  - storing users in the database
  - configuring authorization
  - adding an administration panel
- authentication-token-revocation
  - revoking OAuth2 authentication tokens
  - simplifying the administration panel
  - using UserDetailsService
- rds-and-aws-secrets-manager-sdk
  - introducing dev and prod profiles
  - dev profile uses H2 in-memory database (default)
  - prod profile uses PostgreSQL AWS RDS database
  - database credentials are stored in and retrieved from AWS Secrets Manager
- rds-password-rotation
  - enabling password rotation in AWS Secrets Manager
  - changes to support the rotation