This project shows how to improve a Spring Boot application's security with OAuth2 authentication. The full write-up is in our blog post HERE.
You can use the Gradle wrapper, which is configured in the project.
./gradlew clean build
You can use your IDE or the command line.
Just run Oauth2BlogApplication as a Java application.
Alternatively, you can use Gradle for it:
./gradlew clean bootRun
There are two:
To use this profile you need to set the following env vars:
You need an HTTP client. The examples below use HTTPie, each followed by its curl equivalent.
First, request an access token. There are two users available.
Admin user:
http -a my-client:my-secret --form POST http://localhost:8080/oauth/token username='[email protected]' password='admin123' grant_type='password'
curl -u my-client:my-secret -X POST http://localhost:8080/oauth/token -d "[email protected]&password=admin123&grant_type=password"
Regular user:
http -a my-client:my-secret --form POST http://localhost:8080/oauth/token username='[email protected]' password='user123' grant_type='password'
curl -u my-client:my-secret -X POST http://localhost:8080/oauth/token -d "[email protected]&password=user123&grant_type=password"
You should receive an access token in the response, for example:
{
  "access_token": "1bbea46b-93fe-4efa-b25a-eb6d5fac60c0",
  "refresh_token": "9d0e195c-3077-458a-8906-75f2596a48db",
  "scope": "read write trust",
  "token_type": "bearer"
}
Now use the access_token you received to call the REST API (the token values in the examples below are just sample values; substitute your own).
http http://localhost:8080/api/hello name=='Seb' access_token=='1bbea46b-93fe-4efa-b25a-eb6d5fac60c0'
curl -H "Authorization: Bearer 3042da58-918a-4dd8-9c65-e99d81eebf89" http://localhost:8080/api/hello?name=Seb
You should see HTTP/1.1 200 in the response.
You can also list all of the active access tokens. This endpoint is available only to the admin user.
http http://localhost:8080/admin/token/list access_token=='1bbea46b-93fe-4efa-b25a-eb6d5fac60c0'
curl -H "Authorization: Bearer f94af558-28ba-4fc5-8b64-1f93ffc61225" http://localhost:8080/admin/token/list
You should receive a list of tokens in the response.
You can also revoke an access token using the following endpoint.
http DELETE http://localhost:8080/oauth/revoke access_token=='1bbea46b-93fe-4efa-b25a-eb6d5fac60c0'
curl -X DELETE -H "Authorization: Bearer f94af558-28ba-4fc5-8b64-1f93ffc61225" http://localhost:8080/oauth/revoke
You should see HTTP/1.1 200 in the response.
The token is removed and can no longer be used to access the application.
In the blog post you can see that the application is built incrementally. The following tags correspond to each step of development.
empty-with-dependencies
in-memory-with-user-details-service
jdbc-token-store-and-liquibase
in-database-with-authentication-provider
roles-and-admin-panel
authentication-token-revocation
rds-and-aws-secrets-manager-sdk
rds-password-rotation