Spring-boot oauth2 splitting authorization server and resource server


You have created 2 instances of InMemoryTokenStore. If you want to share tokens between the auth server and resource server they need the same store.
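One way to apply this answer when the two servers really are separate processes (added example, not code from the question or from the answer's author): a process-local InMemoryTokenStore cannot be shared across two JVMs, so both applications build their TokenStore over the same database with JdbcTokenStore. It assumes the legacy spring-security-oauth2 library the question uses, a DataSource bean configured elsewhere, and that the database contains that library's oauth_access_token and oauth_refresh_token tables; the class, bean and resource-id names are illustrative.

```java
// Added example: authorization server and resource server share one token
// store (a JdbcTokenStore over the same DataSource), so a token issued by
// the first is found by the second. Assumes a DataSource bean exists and
// that the spring-security-oauth2 token tables have been created.
import javax.sql.DataSource;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JdbcTokenStore;

public class SharedTokenStoreConfig {

    // Included in BOTH applications: the single place that decides where
    // tokens live. Each JVM gets its own JdbcTokenStore object, but both
    // read and write the same tables, which is what "the same store" means here.
    @Configuration
    public static class TokenStoreConfig {
        @Bean
        public TokenStore tokenStore(DataSource dataSource) {
            return new JdbcTokenStore(dataSource);
        }
    }

    // Authorization-server application: persists the tokens it issues.
    @Configuration
    @EnableAuthorizationServer
    public static class AuthServerConfig extends AuthorizationServerConfigurerAdapter {

        @Autowired
        private TokenStore tokenStore;

        @Autowired
        private AuthenticationManager authenticationManager;

        @Override
        public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
            endpoints
                .authenticationManager(authenticationManager)
                .tokenStore(tokenStore);
        }

        @Override
        public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
            clients
                .inMemory()
                    .withClient("user")          // illustrative client id
                    .secret("password")          // illustrative secret
                    .authorizedGrantTypes("password")
                    .scopes("read", "write")
                    .accessTokenValiditySeconds(1800);
        }
    }

    // Resource-server application: looks incoming bearer tokens up in the
    // shared store instead of in a private InMemoryTokenStore that the
    // authorization server never writes to.
    @Configuration
    @EnableResourceServer
    public static class ResourceConfig extends ResourceServerConfigurerAdapter {

        @Autowired
        private TokenStore tokenStore;

        @Override
        public void configure(ResourceServerSecurityConfigurer resources) {
            resources
                .resourceId("resource-server")   // illustrative resource id
                .tokenStore(tokenStore);
        }
    }
}
```

The same pattern applies to any store both processes can reach (JDBC, Redis, or a JWT store that needs no lookup at all); what does not work is two independent InMemoryTokenStore instances, because the resource server's copy is empty.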

Author: thomasso

Updated on June 16, 2022

Comments

  • thomasso
    thomasso almost 2 years

    I'm trying to split the resource server from the authorization server in spring-boot. I have two different applications that I'm running separately. In the authorization server I can get the bearer token from oauth/token but when I'm trying to get access to the resource (sending the token in the header) I'm getting an invalid token error. My intention is to use the InMemoryTokenStore and the bearer token. Can anyone tell me what is wrong in my code?

    Authorization Server:

    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.boot.SpringApplication;
    import org.springframework.boot.autoconfigure.SpringBootApplication;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.authentication.AuthenticationManager;
    import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
    import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
    import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
    import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
    import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
    import org.springframework.security.oauth2.provider.token.TokenStore;
    import org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore;
    import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;
    
    @SpringBootApplication
    public class AuthorizationServer extends WebMvcConfigurerAdapter {
    
        public static void main(String[] args) {
            SpringApplication.run(AuthorizationServer.class, args);
        }
    
        @Configuration
        @EnableAuthorizationServer
        protected static class OAuth2Config extends AuthorizationServerConfigurerAdapter {
    
            // Token store local to this JVM: the tokens issued at /oauth/token live only here.
            private TokenStore tokenStore = new InMemoryTokenStore();
    
            @Autowired
            private AuthenticationManager authenticationManager;
    
            @Override
            public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
                endpoints
                    .authenticationManager(authenticationManager)
                    .tokenStore(tokenStore);
            }
    
            @Override
            public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
                // /oauth/check_token may only be called by clients holding ROLE_USER
                security.checkTokenAccess("hasAuthority('ROLE_USER')");
            }
    
            @Override
            public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
                clients
                    .inMemory()
                        .withClient("user")
                        .secret("password")
                        .authorities("ROLE_USER")
                        .authorizedGrantTypes("password")
                        .scopes("read", "write")
                        .accessTokenValiditySeconds(1800);
            }
        }
    }
    

    Resource Server:

    import org.springframework.boot.SpringApplication;
    import org.springframework.boot.autoconfigure.SpringBootApplication;
    import org.springframework.cloud.security.oauth2.resource.EnableOAuth2Resource; // spring-cloud-security
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.authentication.AuthenticationManager;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
    import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
    import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
    import org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationManager;
    import org.springframework.security.oauth2.provider.token.RemoteTokenServices;
    import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;
    import org.springframework.security.oauth2.provider.token.TokenStore;
    import org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore;
    import org.springframework.web.bind.annotation.RequestMapping;
    import org.springframework.web.bind.annotation.RestController;
    
    @SpringBootApplication
    @RestController
    @EnableOAuth2Resource
    @EnableWebSecurity
    @Configuration
    public class ResourceServer extends WebSecurityConfigurerAdapter {
    
        public static void main(String[] args) {
            SpringApplication.run(ResourceServer.class, args);
        }
    
        @RequestMapping("/")
        public String home() {
            return "Hello Resource World!";
        }
    
        // Token services that validate a bearer token by calling the
        // authorization server's /oauth/check_token endpoint with the client credentials.
        @Bean
        public ResourceServerTokenServices tokenService() {
            RemoteTokenServices tokenServices = new RemoteTokenServices();
            tokenServices.setClientId("user");
            tokenServices.setClientSecret("password");
            tokenServices.setTokenName("tokenName");
            tokenServices.setCheckTokenEndpointUrl("http://localhost:8080/oauth/check_token");
            return tokenServices;
        }
    
        @Override
        public AuthenticationManager authenticationManagerBean() throws Exception {
            OAuth2AuthenticationManager authenticationManager = new OAuth2AuthenticationManager();
            authenticationManager.setTokenServices(tokenService());
            return authenticationManager;
        }
    
        @Configuration
        @EnableResourceServer
        protected static class ResourceServerConfig extends ResourceServerConfigurerAdapter {
    
            @Override
            public void configure(HttpSecurity http) throws Exception {
                http
                    .requestMatchers()
                    .antMatchers("/", "/home")
                    .and()
                    .authorizeRequests()
                    .anyRequest().access("#oauth2.hasScope('read')");
            }
    
            @Override
            public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
                // A second, separate InMemoryTokenStore in this JVM: the authorization
                // server never writes to it, so it holds none of the issued tokens.
                TokenStore tokenStore = new InMemoryTokenStore();
                resources.resourceId("Resource Server");
                resources.tokenStore(tokenStore);
            }
        }
    }
    
  • Suleman khan
    Suleman khan over 8 years
    @Dave Syer - So I don't need to create an instance of InMemoryTokenStore in my resource server?
  • Dave Syer
    Dave Syer over 8 years
    No, that wouldn't help at all would it (all the tokens are stored elsewhere)?
  • JayC
    JayC about 7 years
    @DaveSyer Is it possible to achieve this, but instead of splitting the 2 servers into 2 applications. Make it all into one application, and have the credentials in app.properties file?
  • Sergii
    Sergii about 4 years
    @DaveSyer, is it the correct way to configure clientId/secret for the resource server to ask for user info from the oauth server by passing the token (no db store access required in this case)?