OAuth 2.0 is a protocol that allows a user to grant limited access to their resources on one site, to another site, without having to expose their credentials.
It allows limited access to the user’s data and allows accessing when authorization tokens expire. It has ability to share data for users without having to release personal information. It is easier to implement and provides stronger authentication. Click here to learn more about OAuth2.
1. Add the Spring security OAuth2 dependency to our build.gradle.kts
implementation("org.springframework.security.oauth:spring-security-oauth2:2.4.1.RELEASE")
2. Add the security config files.
I’ll explain every class further in the next part, here I want to focus on why we will use some deprecated code to build our own Authorization Server since Spring no longer provides Authorization Server support. We can still use third party providers such as Google or Facebook but I think it is better to understand how an authorization server works. The Spring community is working on rewriting it, you can read more about it here.
3. Create a controller to test the public/private API calls.
I modified our HelloController.kt from the previous part. As you can see from the code below this controller now contains a getHelloWordMessage()which is a public GET API and a getHelloWordMessageWithName() which is a private GET API.
As you probably already know, public API require only a basic authorization while private API calls will only work if you also send a token that you normally get after you log in into the app. Let’s keep reading to check how to test it.
https://gist.github.com/cvillaseca/4817f338027b67631889e60efad728a7#file-hellocontroller-kt
4. Testing the API calls
I feel more comfortable using Postman to test the API so this is the exported config. But for the tutorial, I’m going to use curl . To build the Basic authorization, you only need to encode client + “:” + secret using base64. You can use this online encoder.
// Getting the authorization to access the API
curl --location --request POST 'http://localhost:8080/oauth/token' \
--header 'Authorization: Basic Y2xpZW50OnNlY3JldA==' \
--header 'Cookie: JSESSIONID=6EB182996D193B89B2834D133394D0FC' \
--form 'grant_type=client_credentials'
After running this curl, you should receive the access token information:
{
"access_token": "q82RiuIf4Dzq5NlkBmeZW3pOIls=",
"token_type": "bearer",
"expires_in": 43199,
"scope": "user_info"
}
Now, using the access_token we have access to the public API call, but not to the private one.
// Public API accessible with this token
curl --location --request GET 'http://localhost:8080/public/helloWorld' \
--header 'Authorization: Bearer q82RiuIf4Dzq5NlkBmeZW3pOIls='// Private API not accessible with this token
curl --location --request GET 'http://localhost:8080/private/helloWorld/World' \
--header 'Authorization: Bearer q82RiuIf4Dzq5NlkBmeZW3pOIls='
Let’s authenticate to access the private API method.
curl --location --request POST 'http://localhost:8080/oauth/token' \
--header 'Authorization: Basic Y2xpZW50OnNlY3JldA==' \
--form 'grant_type=password' \
--form 'username=user' \
--form 'password=1234'
We will get the access_token. Notice that now there is a refresh_token, which I’ll explain in further detail in the next part.
{
"access_token": "A3ef1ZDkgIKovzLJAEtdizDFU+Q=",
"token_type": "bearer",
"refresh_token": "jvl6/IOscGWaGm6gJwIKrHPtODo=",
"expires_in": 42338,
"scope": "user_info"
}
Now, using this access_token, we have access to the private API method.
curl --location --request GET 'http://localhost:8080/private/helloWorld/World' \
--header 'Authorization: Bearer A3ef1ZDkgIKovzLJAEtdizDFU+Q='
