Spring Security 5 deprecated the original Spring Security OAuth module and rewrote the OAuth2/OIDC support, making it available as part of the core modules.

The OAuth 2.0 protocol defines four roles: Resource Owner, Client, Authorization Server and Resource Server. Imagine you are using an app on your phone: you (the Resource Owner) authorize the app (which plays the Client role) to run an authorization flow and obtain an access token from the Authorization Server; the app then presents this token when it calls the protected resources on the Resource Server.

OIDC (OpenID Connect) is an identity layer built on top of the OAuth 2.0 protocol. Spring Security 5 does not differentiate the two explicitly at the API and configuration level, and nowadays most OAuth 2.0 compatible providers also support OIDC.

If you are new to OAuth2 and OIDC, please check the official OAuth 2 docs and explore the OpenID Connect related specs. For impatient readers, this introductory article from DigitalOcean is a good starting point.

With Spring Security 5, it is easy to set up the OAuth2 Client and Resource Server roles in your applications, and there is another incubator project (Spring Authorization Server) which allows you to serve a custom Authorization Server. In a real world application, I think it is a smart choice to pick a mature IDP service to simplify the integration of multiple authentication sources and advanced features, for example when you want to integrate Google accounts, Facebook, Twitter and custom username/password authentication, and enable two-factor authentication in your applications. Auth0 and Okta are the leading IDP services in this area; they provide an excellent administrative UI and rich SDKs for all the use cases in your applications. In the open source world, Keycloak is widely used to host a custom authentication server.

According to the official Okta blog, Auth0 has joined the Okta family. I am a little afraid Auth0 will disappear like Stormpath did, but the Okta folks declared that Auth0 will operate as a standalone brand.

In this post, we will use Auth0 in the Authorization Server role to simplify our development.

To demonstrate the OAuth2 flow, we will first create a RESTful API application that acts as the Resource Server. In a further post, we will create an Angular SPA client app to interact with this API backend.

There are plenty of tutorials on the official Auth0 docs page. Usually you can find the use case matching your application in these docs; go to the Backend API doc to go through the tutorial, and in particular there is a great tutorial for Spring Security 5.

First, register an Auth0 account if you don't have one, or log in using a social network account directly. After logging in, you will find that Auth0 has created a development-purpose domain (tenant) for you, which groups all the resources for your new applications.

In the dashboard UI, expand Applications/APIs in the left pane and create a new API application (the Resource Server role in the OAuth2 protocol).

  • Click the Create API button to start.
  • Fill in the essential fields. The audience field is used to identify this API; it is recommended to use a URL-like value. For example, here I created a new API named Backend API and set the audience to https://hantsy.github.io/api.

Auth0 also provides an Auth0 Management API for accessing Auth0's own APIs, and for test purposes Auth0 automatically creates a Machine to Machine application that allows you to interact with your own API, for example by requesting a test access token with the client credentials grant.

Next, let's create our Backend API application. Go to https://start.spring.io, fill in the required fields, select Maven as the build tool and Java as the language, then add the following dependencies:

  • Web Starter
  • Validation
  • Data JPA
  • Spring Security
  • Lombok

#spring #auth0 #oidc #oauth2 #spring-security

Secures REST APIs with Spring Security 5 and Auth0