
How to create a REST API for your App with Spring Boot, Kotlin & Gradle (Part 2: Security with OAuth2)

 

 
Cristian Villaseca
Software Engineer at Turo
Published: July 14, 2020
 

 

OAuth 2.0 is an authorization framework that lets a user grant an application limited access to their resources on another service without handing that application their credentials.

Access is scoped and time-limited: the application receives an access token that expires, and can obtain a fresh one with a refresh token instead of asking the user to log in again. The service holding the data never sees the user’s password, only the token, and the user can revoke that token without changing their password. Keep in mind that OAuth 2.0 on its own is an authorization protocol, not an authentication protocol. The framework is specified in RFC 6749.

 

1. Add the Spring Security OAuth2 dependency to our build.gradle.kts

implementation("org.springframework.security.oauth:spring-security-oauth2:2.4.1.RELEASE")

 

2. Add the security config files.

I’ll explain every class in detail in the next part. Here I want to focus on why we use some deprecated code to build our own Authorization Server: Spring Security 5 dropped Authorization Server support, and the spring-security-oauth project this dependency comes from is only in maintenance mode. We could instead delegate to a third-party provider such as Google or Facebook, but I think it is better to understand how an authorization server works. The Spring community is working on a rewrite, the Spring Authorization Server project.

 

 

3. Create a controller to test the public/private API calls.

I modified our HelloController.kt from the previous part. As you can see from the code below, this controller now contains a getHelloWordMessage(), which is a public GET API, and a getHelloWordMessageWithName(), which is a private GET API.

Both endpoints require a valid access token; the difference is who the token was issued to. The public API accepts any token, including one the app obtains for itself with its client id and secret. The private API only accepts a token issued on behalf of a user, which you normally get after the user logs in to the app. Let’s keep reading to check how to test it.

 

https://gist.github.com/cvillaseca/4817f338027b67631889e60efad728a7#file-hellocontroller-kt
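The security configuration that step 2 refers to and the controller from step 3, as an added example that is not the article’s own gist. It targets spring-security-oauth2 2.4.x on Spring Boot 2.2 with spring-boot-starter-security on the classpath and the kotlin("plugin.spring") compiler plugin (so the @Configuration classes are open). The package name, the in-memory client (client/secret), the user (user/1234 with role USER), the scope user_info and the response strings are assumptions chosen to match the curl calls in step 4.

```kotlin
package com.example.mobileapi.security  // assumed package name

import java.security.Principal
import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.security.authentication.AuthenticationManager
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder
import org.springframework.security.crypto.password.PasswordEncoder
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer
import org.springframework.web.bind.annotation.GetMapping
import org.springframework.web.bind.annotation.PathVariable
import org.springframework.web.bind.annotation.RestController

@Configuration
class PasswordEncoderConfig {
    // One bcrypt encoder shared by the user store and the client store, so neither
    // the user password nor the client secret is kept in clear text.
    @Bean
    fun passwordEncoder(): PasswordEncoder = BCryptPasswordEncoder()
}

@Configuration
@EnableWebSecurity
class WebSecurityConfig(private val passwordEncoder: PasswordEncoder) : WebSecurityConfigurerAdapter() {

    // Exposed as a bean so the authorization server can run the password grant through it.
    @Bean
    override fun authenticationManagerBean(): AuthenticationManager = super.authenticationManagerBean()

    override fun configure(auth: AuthenticationManagerBuilder) {
        // Assumed in-memory user matching the password-grant curl call (user / 1234).
        auth.inMemoryAuthentication()
            .passwordEncoder(passwordEncoder)
            .withUser("user").password(passwordEncoder.encode("1234")).roles("USER")
    }
}

@Configuration
@EnableAuthorizationServer
class AuthorizationServerConfig(
    private val authenticationManager: AuthenticationManager,
    private val passwordEncoder: PasswordEncoder
) : AuthorizationServerConfigurerAdapter() {

    override fun configure(security: AuthorizationServerSecurityConfigurer) {
        // Compare the Basic-auth client secret with the same encoder that hashed it.
        security.passwordEncoder(passwordEncoder)
    }

    override fun configure(clients: ClientDetailsServiceConfigurer) {
        // Assumed client behind "Authorization: Basic base64(client:secret)".
        clients.inMemory()
            .withClient("client")
            .secret(passwordEncoder.encode("secret"))
            .authorizedGrantTypes("client_credentials", "password", "refresh_token")
            .scopes("user_info")
            .accessTokenValiditySeconds(12 * 60 * 60)       // 12 h, the expires_in seen in step 4
            .refreshTokenValiditySeconds(30 * 24 * 60 * 60)
    }

    override fun configure(endpoints: AuthorizationServerEndpointsConfigurer) {
        // The password grant verifies the user's credentials through this manager.
        endpoints.authenticationManager(authenticationManager)
    }
}

@Configuration
@EnableResourceServer
class ResourceServerConfig : ResourceServerConfigurerAdapter() {

    override fun configure(http: HttpSecurity) {
        http.authorizeRequests()
            // Any valid access token, including one issued to the client itself.
            .antMatchers("/public/**").authenticated()
            // Only a token issued on behalf of a logged-in user; a client_credentials
            // token carries no user and no USER role, so it is answered with HTTP 403.
            .antMatchers("/private/**").access("#oauth2.isUser() and hasRole('USER')")
            // Everything else still needs at least a valid token.
            .anyRequest().authenticated()
    }
}

@RestController
class HelloController {
    @GetMapping("/public/helloWorld")
    fun getHelloWordMessage(): String = "Hello World"

    @GetMapping("/private/helloWorld/{name}")
    fun getHelloWordMessageWithName(@PathVariable name: String, principal: Principal): String =
        "Hello $name, you are logged in as ${principal.name}"
}
```

The one non-obvious line is security.passwordEncoder(passwordEncoder) in the authorization server: without it, Spring Security 5 compares the client secret with its delegating encoder, which expects an {id} prefix on the stored hash, and every token request fails with a password-encoder error even though the user login works.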

 

4. Testing the API calls

I feel more comfortable using Postman to test the API, but for the tutorial I’m going to use curl. To build the Basic authorization header you only need to base64-encode client + “:” + secret. Do it locally (printf 'client:secret' | base64 prints Y2xpZW50OnNlY3JldA==) rather than pasting a secret into an online encoder.

 

// Getting the authorization to access the API
curl --location --request POST 'http://localhost:8080/oauth/token' \
--header 'Authorization: Basic Y2xpZW50OnNlY3JldA==' \
--data-urlencode 'grant_type=client_credentials'

 

After running this curl, you should receive the access token information:

 

{
    "access_token": "q82RiuIf4Dzq5NlkBmeZW3pOIls=",
    "token_type": "bearer",
    "expires_in": 43199,
    "scope": "user_info"
}

 

Now, using this access_token, we have access to the public API call, but not to the private one: the token was issued to the client itself, not on behalf of a user, so the private call is answered with HTTP 403.

 

// Public API accessible with this token
curl --location --request GET 'http://localhost:8080/public/helloWorld' \
--header 'Authorization: Bearer q82RiuIf4Dzq5NlkBmeZW3pOIls='

// Private API not accessible with this token
curl --location --request GET 'http://localhost:8080/private/helloWorld/World' \
--header 'Authorization: Bearer q82RiuIf4Dzq5NlkBmeZW3pOIls='

 

Let’s authenticate as a user to access the private API method. This is the resource owner password credentials grant: the app sends the user’s password to the token endpoint, still authenticating itself with the Basic header. It is fine for a first-party app talking to its own backend in a tutorial, but the OAuth 2.0 Security Best Current Practice advises against it (and the OAuth 2.1 draft removes it) precisely because the app handles the user’s password; for production, prefer the authorization code flow with PKCE.

 

curl --location --request POST 'http://localhost:8080/oauth/token' \
--header 'Authorization: Basic Y2xpZW50OnNlY3JldA==' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'username=user' \
--data-urlencode 'password=1234'

 

We get a new access_token, and this time there is also a refresh_token: a token issued on behalf of a user can be renewed without asking for the password again, whereas the client_credentials grant normally gets no refresh token because the client can simply authenticate again with its secret. I’ll explain refresh tokens in further detail in the next part.

 

{
    "access_token": "A3ef1ZDkgIKovzLJAEtdizDFU+Q=",
    "token_type": "bearer",
    "refresh_token": "jvl6/IOscGWaGm6gJwIKrHPtODo=",
    "expires_in": 42338,
    "scope": "user_info"
}

 

Now, using this access_token, we have access to the private API method.

 

curl --location --request GET 'http://localhost:8080/private/helloWorld/World' \
--header 'Authorization: Bearer A3ef1ZDkgIKovzLJAEtdizDFU+Q='

Now that we have OAuth fully set up and working, the next step is to add an actual database. Head over to the next part to add an H2 database to your new Spring Boot project.

 


 

This article is part of a series of tutorials:
- Part 1. First Controller
- Part 2. Securing with OAuth2
- Part 3. Adding a H2 database
- Part 4. Testing the API
- Part 5. Deploy on Heroku

The entire code for this part is available on Github:

 

cvillaseca/mobileAPI (github.com): REST API with OAuth2 using Spring Boot 2.2.x written in Kotlin

 


 

Thanks to Mario Sanoguera de Lorenzo. 

 

 

Tags: Rest Api, Spring Boot, Kotlin, Gradle, Oauth2

 

Originally published: June 18, 2020
