Real Time examples for Oauth2 Grant Types and Good document, example for Oauth2 with Spring MVC


Solution 1

In terms of understanding the flows and the differences between them, this presentation is the best resource I found online. After this, if you read the OAuth2 spec description, it'll be much easier to follow.

Unfortunately, in terms of code samples, there isn't good Spring Security OAuth2 sample code out there (the Sparklr and Tonr examples are okay but not super clear). The best resource there is to look at the unit tests in the Spring Security OAuth2 code on GitHub.

One question I want to ask is: are you looking to create your own OAuth2 Provider, or do you just want to connect to Facebook, Google, etc. as an OAuth2 client? If it's the second, I would suggest skipping Spring Security OAuth2 and instead looking at the Spring Social project.

Edit: For creating an OAuth2 Provider, check out this code by Dave Syer (he is the lead of the Spring Security OAuth project). It shows how you can create an OAuth2 Provider and Resource Server in 20 lines of code. This is the easiest way to create Spring Security OAuth code. https://github.com/dsyer/sparklr-boot

It uses Spring Boot and Spring Security OAuth projects. Of course, you'll have to understand Spring Security, JavaConfig configuration and the OAuth2 protocol properly to understand how all of this works.

Solution 2

Authorization Code is a redirection-based flow; in most applications, when we log in via Facebook or Google, we use this grant type.

Implicit is used mostly in mobile or single-page applications; client confidentiality is not guaranteed here. This also has a redirect flow similar to Authorization Code. It does not support refresh tokens.

Password Grant Type is used when the client application and resource owner belong to the same application; this is going to be the case when your application is working end to end. Here we are sharing the username and password, unlike the above two where we authenticate via Facebook or Google.

Client Credentials: it's a way to access its own service, like one microservice accessing another microservice.
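To make the differences between the four grants concrete, here is a toy in-memory authorization server written for this answer page (not code from the original answers, the RFC, or Spring Security OAuth). It shows what crosses the browser in the two redirect-based grants, why implicit and client credentials get no refresh token, and why a leaked authorization code is of little use on its own; the client ids, secrets, redirect URIs and the user `alice` are constructed, and error codes follow RFC 6749 section 5.2.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs
CLIENTS = {  # constructed client registry: each client may use only the grant types it is registered for
    "web-app": {"secret": "s3cr3t", "grants": {"authorization_code"}, "redirect": "https://app.example/cb"},
    "spa":     {"secret": None,     "grants": {"implicit"},           "redirect": "https://spa.example/cb"},
    "mobile":  {"secret": None,     "grants": {"password"}},
    "batch":   {"secret": "b4tch",  "grants": {"client_credentials"}},
}
USERS = {"alice": "wonderland"}  # constructed resource owner credentials
class AuthorizationServer:
    def __init__(self):
        self.codes = {}  # code -> (client_id, user, redirect_uri); consumed on first use

    def _issue(self, user, refreshable):  # implicit and client_credentials never get a refresh token
        tok = {"access_token": secrets.token_urlsafe(16), "sub": user}
        return {**tok, "refresh_token": secrets.token_urlsafe(16)} if refreshable else tok

    def authorize(self, client_id, response_type, redirect_uri, user):
        # Front channel of the two redirect-based grants: the server, not the user, mints the code/token.
        c = CLIENTS.get(client_id)
        if not c or redirect_uri != c.get("redirect"):
            return {"error": "invalid_request"}  # redirect_uri must exactly match the registered one
        if response_type == "code" and "authorization_code" in c["grants"]:
            code = secrets.token_urlsafe(8)
            self.codes[code] = (client_id, user, redirect_uri)
            return redirect_uri + "?" + urlencode({"code": code})  # only a short-lived code crosses the browser
        if response_type == "token" and "implicit" in c["grants"]:
            return redirect_uri + "#" + urlencode(self._issue(user, False))  # token lands in the URL fragment
        return {"error": "unsupported_response_type"}

    def token(self, grant_type, client_id, client_secret=None, **p):
        c = CLIENTS.get(client_id)
        if not c or grant_type not in c["grants"] or c["secret"] != client_secret:
            return {"error": "invalid_client"}  # grant not registered for this client, or wrong secret
        if grant_type == "authorization_code":
            entry = self.codes.pop(p.get("code"), None)  # single use: a replayed code fails here
            if entry is None or entry[0] != client_id or entry[2] != p.get("redirect_uri"):
                return {"error": "invalid_grant"}
            return self._issue(entry[1], True)
        if grant_type == "password":  # client handles the user's password: first-party apps only
            if USERS.get(p.get("username")) != p.get("password"):
                return {"error": "invalid_grant"}
            return self._issue(p["username"], True)
        if grant_type == "client_credentials":  # no resource owner involved: service-to-service
            return self._issue(None, False)
        return {"error": "unsupported_grant_type"}

def code_from_redirect(url):  # client side: pull the one-time code out of the redirect query string
    return parse_qs(urlparse(url).query)["code"][0]
```

Run the authorization-code path twice with the same code and the second call returns `invalid_grant`; ask the `spa` client for `response_type=code` and it is refused, because each client is bound to the grants it registered.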

Solution 3

I also got into OAuth2 using Spring last month.

I've read most of the OAuth2 spec and used the samples from the spring-security source, which are wonderful. That way I got a running application which I could use to play with and view its sources next to the specs.

Pravinkumar

I've been working as a Java, Java EE full stack developer, and have good experience in Java and Java EE based web and UI implementation. I have good experience in REST service implementation. I have good knowledge and exposure on Hadoop ecosystems like Hive, Pig, Oozie, Impala, Sqoop and Avro etc.

Updated on February 21, 2020

Comments

  • Pravinkumar
    Pravinkumar about 4 years

    I read about OAuth2 a few days ago. It has entities like Client, Resource Owner, Resource Server and Authorization Server, and I understood the explanations too, but I don't understand the grant types completely; I still have confusion on the following types. OAuth2 has 4 different grant types:

    1. Authorization code
    2. Implicit
    3. Resource Owner Password Credentials
    4. Client Credentials

    Please give me some real-time examples for the above types to differentiate the implementation. I need to know what types of grant implementation Spring Security OAuth2 has, and the full flow for Spring OAuth2 with Security.

    I have gone through some examples implemented with OAuth2 with Spring MVC and Spring Security, but it's confusing me; I don't get a clear picture of the API implementation.

    I'm looking for a good OAuth2 flow and documentation with Spring MVC and Spring Security. Please help me.

  • Pravinkumar
    Pravinkumar over 9 years
    I want to create an OAuth2 Provider for my Spring MVC.
  • VDev
    VDev almost 8 years
    The examples in the slides are completely wrong, ugh... the author of the presentation confuses terminologies (for example, client with authorization server and resource owner). The resource owner never gives out access tokens.
  • Jigish
    Jigish almost 8 years
    @VDev do you have a slide number that you're referring to? I looked over and all slides look correct to me.
  • VDev
    VDev almost 8 years
    @Jigish take a look at slides 29 to 37, with 37 consolidating the entire flow. The resource owner never ever grants the auth code; it is the Authorization Server. For example, if I (the resource owner) want to sign into Stack Overflow (the client) using my Google account (the auth server), I (the resource owner) grant Stack Overflow (the client) access to my Google account (resource server, if hosted separately) via Google's auth server. I am not sitting and generating auth codes. It is the authorization server.
  • VDev
    VDev almost 8 years
    @Jigish have a look at the OAuth spec instead, which very succinctly explains the entire flow with the proper terminology: tools.ietf.org/html/rfc6749#section-1.3.1
  • Jigish
    Jigish almost 8 years
    @VDev For someone looking to understand the OAuth2 spec and different flows for the very first time, the slides are a better introduction. Like I mentioned, read the spec after looking at those slides. It's much easier to comprehend the flow visually. Personally, I don't believe the slides have any mistakes. That said, to each his own.
  • Erce Tilav
    Erce Tilav about 5 years
    @Jigish you may have a look at that project; it has running examples for different cases for Spring Boot. github.com/PacktPublishing/OAuth-2.0-Cookbook