Spring-boot oauth2 splitting authorization server and resource server
You have created 2 instances of InMemoryTokenStore
. If you want to share tokens between the auth server and resource server they need the same store.
thomasso
Young Adept, who's still learning to become one day a black belt programmer. Curently I'm working with Java and Spring/Hibernate stuff, but I also like to make some Android apps in my free time. What I have already done/worked with: - Java programms (Spring/Hibernate) - Geb Automation Testing (Groovy) - Performance tests with SoapUI - Android applications - JavaScript/AngularJs frontend application I also experimented with: - Python - C# - WPF, LINQ - Haskell, Prolog In the nearest future i will learn Scala
Updated on June 16, 2022Comments
-
thomasso almost 2 years
Im trying to split the resource server from the authorization server in spring-boot. I have two different applications that i'm running separately. In the authorization server i can get the bearer token from oauth/token but when i'm trying to get access to the resource(sending the token in header) i'm getting an invalid token error. My intention is to use the InMemoryTokenStore and the bearer token. Can anyone tell me what is wrong in my code?
Authorization Server:
@SpringBootApplication public class AuthorizationServer extends WebMvcConfigurerAdapter { public static void main(String[] args) { SpringApplication.run(AuthorizationServer.class, args); } @Configuration @EnableAuthorizationServer protected static class OAuth2Config extends AuthorizationServerConfigurerAdapter { private TokenStore tokenStore = new InMemoryTokenStore(); @Autowired private AuthenticationManager authenticationManager; @Override public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception { endpoints .authenticationManager(authenticationManager) .tokenStore(tokenStore); } @Override public void configure(AuthorizationServerSecurityConfigurer security) throws Exception { security.checkTokenAccess("hasAuthority('ROLE_USER')"); } @Override public void configure(ClientDetailsServiceConfigurer clients) throws Exception { clients .inMemory() .withClient("user") .secret("password") .authorities("ROLE_USER") .authorizedGrantTypes("password") .scopes("read", "write") .accessTokenValiditySeconds(1800); } }
Resource Server:
@SpringBootApplication @RestController @EnableOAuth2Resource @EnableWebSecurity @Configuration public class ResourceServer extends WebSecurityConfigurerAdapter { public static void main(String[] args){ SpringApplication.run(ResourceServer.class, args); } @RequestMapping("/") public String home(){ return "Hello Resource World!"; } @Bean public ResourceServerTokenServices tokenService() { RemoteTokenServices tokenServices = new RemoteTokenServices(); tokenServices.setClientId("user"); tokenServices.setClientSecret("password"); tokenServices.setTokenName("tokenName"); tokenServices.setCheckTokenEndpointUrl("http://localhost:8080/oauth/check_token"); return tokenServices; } @Override public AuthenticationManager authenticationManagerBean() throws Exception { OAuth2AuthenticationManager authenticationManager = new OAuth2AuthenticationManager(); authenticationManager.setTokenServices(tokenService()); return authenticationManager; } @Configuration @EnableResourceServer protected static class ResourceServerConfig extends ResourceServerConfigurerAdapter { @Override public void configure(HttpSecurity http) throws Exception { http .requestMatchers() .antMatchers("/","/home") .and() .authorizeRequests() .anyRequest().access("#oauth2.hasScope('read')"); } @Override public void configure(ResourceServerSecurityConfigurer resources) throws Exception { TokenStore tokenStore = new InMemoryTokenStore(); resources.resourceId("Resource Server"); resources.tokenStore(tokenStore); } }
-
Suleman khan over 8 years@Dave Syer - So I don't need to create instance of InmemoryTokenStore in my resource server ?
-
Dave Syer over 8 yearsNo, that wouldn't help at all would it (all the tokens are stored elsewhere)?
-
JayC about 7 years@DaveSyer Is it possible to achieve this, but instead of splitting the 2 servers into 2 applications. Make it all into one application, and have the credentials in app.properties file?
-
Sergii about 4 years@DaveSyer, Is it correct way to configure
clientId/secret
for resource server to ask user info from oauth server by passing the token (no db store access required in this case)?