OAuth 2.0 Overview and Spring Boot Implementation Guide
This article introduces the core concepts and roles of OAuth 2.0, explains its four grant types, and provides a step‑by‑step Spring Boot implementation with complete configuration classes, dependency setup, and testing procedures for both authorization and resource servers.
1. OAuth2.0 Overview
OAuth 2.0 (Open Authorization) is an open standard that allows third‑party applications to access protected resources on behalf of a user without sharing the user’s credentials. It is widely used for secure delegation in authentication and authorization scenarios.
Roles
Resource Owner: The user who owns the protected resources.
Client: The third‑party application requesting access.
Authorization Server: Validates the resource owner and issues access tokens.
Resource Server: Hosts the protected resources and validates tokens.
Grant Types
Authorization Code: Commonly used for third‑party login.
Implicit (Simplified): No client server involvement; suitable for static sites.
Password: User credentials are directly sent to the client; requires high trust.
Client Credentials: Client obtains tokens on its own behalf.
2. Code Setup
2.1 Authorization Server (port 8080)
Import dependencies:
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-security</artifactId>
<version>2.2.5.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-oauth2</artifactId>
<version>2.2.5.RELEASE</version>
</dependency>
</dependencies>Add two configuration classes:
@Configuration
@EnableAuthorizationServer
public class MyAuthorizationConfig extends AuthorizationServerConfigurerAdapter {
@Autowired
private ClientDetailsService clientDetailsService;
@Autowired
private AuthenticationManager authenticationManager;
@Override
public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
security.tokenKeyAccess("permitAll()")
.checkTokenAccess("permitAll()")
.allowFormAuthenticationForClients();
}
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients.inMemory()
.withClient("test")
.secret(new BCryptPasswordEncoder().encode("123456"))
.resourceIds("order")
.authorizedGrantTypes("authorization_code","password","client_credentials","implicit","refresh_token")
.scopes("all")
.autoApprove(false)
.redirectUris("http://www.baidu.com");
}
@Bean
public TokenStore tokenStore() { return new InMemoryTokenStore(); }
@Bean
public AuthorizationServerTokenServices tokenServices() {
DefaultTokenServices services = new DefaultTokenServices();
services.setClientDetailsService(clientDetailsService);
services.setSupportRefreshToken(true);
services.setTokenStore(tokenStore());
services.setAccessTokenValiditySeconds(60*60*2);
services.setRefreshTokenValiditySeconds(60*60*24*3);
return services;
}
@Bean
public AuthorizationCodeServices authorizationCodeServices() { return new InMemoryAuthorizationCodeServices(); }
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
endpoints.authorizationCodeServices(authorizationCodeServices())
.authenticationManager(authenticationManager)
.tokenServices(tokenServices())
.allowedTokenEndpointRequestMethods(HttpMethod.POST);
}
}@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Bean
public PasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(); }
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().anyRequest().authenticated()
.and().formLogin().loginProcessingUrl("/login").permitAll()
.and().csrf().disable();
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication()
.withUser("admin").password(new BCryptPasswordEncoder().encode("123456")).roles("admin");
}
@Override
@Bean
public AuthenticationManager authenticationManagerBean() throws Exception { return super.authenticationManagerBean(); }
}2.2 Resource Server (port 8081)
Add a configuration class:
@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {
@Bean
public RemoteTokenServices tokenServices() {
RemoteTokenServices services = new RemoteTokenServices();
services.setCheckTokenEndpointUrl("http://localhost:8080/oauth/check_token");
services.setClientId("test");
services.setClientSecret("123456");
return services;
}
@Override
public void configure(ResourceServerSecurityConfigurer resources) {
resources.resourceId("order").tokenServices(tokenServices());
}
@Override
public void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().antMatchers("/**").access("#oauth2.hasScope('all')").anyRequest().authenticated();
}
}Test controller:
@RestController
public class TestController {
@GetMapping("/test")
public String hello() { return "hello world"; }
}3. Test Results
Authorize URL:
http://localhost:8080/oauth/authorize?client_id=test&response_type=code&scope=all&redirect_uri=http://www.baidu.comLogin with admin / 123456 to obtain the authorization code, then exchange it for an access token. The following screenshots show requests with and without the token, demonstrating successful protection of the resource endpoint.
Top Architect
Top Architect focuses on sharing practical architecture knowledge, covering enterprise, system, website, large‑scale distributed, and high‑availability architectures, plus architecture adjustments using internet technologies. We welcome idea‑driven, sharing‑oriented architects to exchange and learn together.
How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.