2020-02-07

Spring OAuth2

OAuth2 is a widely used authorization framework that is supported by Spring.

Client

If you have spring-security-oauth2-client on your classpath, you can take advantage of some autoconfiguration
to make it easy to set up OAuth2/OpenID Connect clients. This configuration
makes use of the properties under OAuth2ClientProperties. The same properties are applicable to
both servlet and reactive applications.
You can register multiple OAuth2 clients and providers under the spring.security.oauth2.client
prefix, as shown in the following example:

spring.security.oauth2.client.registration.my-client-1.client-id=abcd
spring.security.oauth2.client.registration.my-client-1.client-secret=password
spring.security.oauth2.client.registration.my-client-1.client-name=Client for user scope
spring.security.oauth2.client.registration.my-client-1.provider=my-oauth-provider
spring.security.oauth2.client.registration.my-client-1.scope=user
spring.security.oauth2.client.registration.my-client-1.redirect-uri=https://my-redirect-uri.com
spring.security.oauth2.client.registration.my-client-1.client-authentication-method=basic
spring.security.oauth2.client.registration.my-client-1.authorization-grant-type=authorization_code
spring.security.oauth2.client.registration.my-client-2.client-id=abcd
spring.security.oauth2.client.registration.my-client-2.client-secret=password
spring.security.oauth2.client.registration.my-client-2.client-name=Client for email scope
spring.security.oauth2.client.registration.my-client-2.provider=my-oauth-provider
spring.security.oauth2.client.registration.my-client-2.scope=email
spring.security.oauth2.client.registration.my-client-2.redirect-uri=https://my-redirect-uri.com
spring.security.oauth2.client.registration.my-client-2.client-authentication-method=basic
spring.security.oauth2.client.registration.my-client-2.authorization-grant-type=authorization_code
spring.security.oauth2.client.provider.my-oauth-provider.authorization-uri=https://my-auth-server/oauth/authorize
spring.security.oauth2.client.provider.my-oauth-provider.token-uri=https://my-auth-server/oauth/token
spring.security.oauth2.client.provider.my-oauth-provider.user-info-uri=https://my-auth-server/userinfo
spring.security.oauth2.client.provider.my-oauth-provider.user-info-authentication-method=header
spring.security.oauth2.client.provider.my-oauth-provider.jwk-set-uri=https://my-auth-server/token_keys
spring.security.oauth2.client.provider.my-oauth-provider.user-name-attribute=name

For OpenID Connect providers that support OpenID Connect discovery, the configuration can be
further simplified. The provider needs to be configured with an issuer-uri, which is the URI that
it asserts as its Issuer Identifier. For example, if the issuer-uri provided is "https://example.com",
then an OpenID Provider Configuration Request will be made to "https://example.com/.well-known/
openid-configuration". The result is expected to be an OpenID Provider Configuration
Response. The following example shows how an OpenID Connect Provider can be configured with
the issuer-uri:

spring.security.oauth2.client.provider.oidc-provider.issuer-uri=https://dev-123456.oktapreview.com/oauth2/default/
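The issuer-uri property above is a shortcut for building a ClientRegistration from the provider's discovery document. The following added example (not code from the original page or from the Spring project) does the same thing in code with Spring Security's ClientRegistrations helper, which is useful when the client id and secret come from somewhere other than application properties. The property names under app.oidc.* and the registration id are assumptions for this example.

```java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.registration.ClientRegistrations;
import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository;

@Configuration
public class OidcDiscoveryClientConfig {

    @Bean
    public ClientRegistrationRepository clientRegistrationRepository(
            // app.oidc.* are hypothetical property names used only by this example
            @Value("${app.oidc.issuer-uri}") String issuerUri,
            @Value("${app.oidc.client-id}") String clientId,
            @Value("${app.oidc.client-secret}") String clientSecret) {

        // fromOidcIssuerLocation requests <issuer>/.well-known/openid-configuration,
        // fills in the authorization, token, user-info and JWK Set URIs from the
        // response, and refuses the document if its "issuer" value does not equal
        // the issuer that was requested (the Issuer Identifier check from the
        // paragraph above).
        ClientRegistration registration = ClientRegistrations
                .fromOidcIssuerLocation(issuerUri)
                .registrationId("oidc-provider")
                .clientId(clientId)
                .clientSecret(clientSecret)
                .build();

        // Registering the repository ourselves replaces the one Spring Boot would
        // otherwise derive from the spring.security.oauth2.client.* properties.
        return new InMemoryClientRegistrationRepository(registration);
    }
}
```

Because the discovery request happens while the bean is created, the application fails to start if the provider is unreachable or its metadata names a different issuer; that is preferable to silently trusting endpoints for the wrong provider.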

By default, Spring Security’s OAuth2LoginAuthenticationFilter only processes URLs matching
/login/oauth2/code/*. If you want to customize the redirect-uri to use a different pattern, you need
to provide configuration to process that custom pattern. For example, for servlet applications, you
can add your own WebSecurityConfigurerAdapter that resembles the following:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .oauth2Login()
                // Process the authorization code callback at /custom-callback
                // instead of the default /login/oauth2/code/*
                .redirectionEndpoint()
                    .baseUri("/custom-callback");
    }
}

OAuth2 client registration for common providers

For common OAuth2 and OpenID providers, including Google, Github, Facebook, and Okta, we
provide a set of provider defaults (google, github, facebook, and okta, respectively).
If you do not need to customize these providers, you can set the provider attribute to the one for
which you need to infer defaults. Also, if the key for the client registration matches a default
supported provider, Spring Boot infers that as well.
In other words, the two configurations in the following example use the Google provider:

spring.security.oauth2.client.registration.my-client.client-id=abcd
spring.security.oauth2.client.registration.my-client.client-secret=password
spring.security.oauth2.client.registration.my-client.provider=google
spring.security.oauth2.client.registration.google.client-id=abcd
spring.security.oauth2.client.registration.google.client-secret=password



Resource Server

If you have spring-security-oauth2-resource-server on your classpath, Spring Boot can set up an
OAuth2 Resource Server. For JWT configuration, a JWK Set URI or OIDC Issuer URI needs to be
specified, as shown in the following examples:

spring.security.oauth2.resourceserver.jwt.jwk-set-uri=https://example.com/oauth2/default/v1/keys
spring.security.oauth2.resourceserver.jwt.issuer-uri=https://dev-123456.oktapreview.com/oauth2/default/

If the authorization server does not support a JWK Set URI, you can configure the
resource server with the Public Key used for verifying the signature of the JWT.
This can be done using the spring.security.oauth2.resourceserver.jwt.public-key-location
property, where the value needs to point to a file containing the public key in the
PEM-encoded X.509 format.

The same properties are applicable for both servlet and reactive applications.
Alternatively, you can define your own JwtDecoder bean for servlet applications or a
ReactiveJwtDecoder for reactive applications.
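The property-based JWT configuration verifies the signature, the expiry/not-before timestamps and (when issuer-uri is used) the issuer claim, but it does not check that the token was issued for this resource server. The following added example (not code from the original page or from the Spring project) shows a custom JwtDecoder bean for a servlet application that keeps the default validators and adds an audience check. The issuer, JWK Set URI and expected audience values are assumptions for this example.

```java
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

@Configuration
public class ResourceServerJwtConfig {

    // Hypothetical values: replace with your authorization server's issuer, its JWK Set
    // endpoint and the audience it puts into tokens that are meant for this API.
    private static final String ISSUER = "https://issuer.example.com/oauth2/default";
    private static final String JWK_SET_URI = ISSUER + "/v1/keys";
    private static final String EXPECTED_AUDIENCE = "my-resource-server";

    @Bean
    public JwtDecoder jwtDecoder() {
        // Signature verification against the keys published at the JWK Set URI,
        // exactly what the jwk-set-uri property configures.
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(JWK_SET_URI).build();

        // createDefaultWithIssuer supplies the timestamp (exp/nbf) and "iss" checks
        // that the issuer-uri property would have configured.
        OAuth2TokenValidator<Jwt> defaults = JwtValidators.createDefaultWithIssuer(ISSUER);
        OAuth2TokenValidator<Jwt> audience = new AudienceValidator(EXPECTED_AUDIENCE);

        // All validators must pass; the decoder throws JwtValidationException otherwise.
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(defaults, audience));
        return decoder;
    }

    /** Rejects tokens whose "aud" claim does not list the expected audience. */
    static final class AudienceValidator implements OAuth2TokenValidator<Jwt> {

        private final String expectedAudience;

        AudienceValidator(String expectedAudience) {
            this.expectedAudience = expectedAudience;
        }

        @Override
        public OAuth2TokenValidatorResult validate(Jwt jwt) {
            List<String> audiences = jwt.getAudience();
            if (audiences != null && audiences.contains(this.expectedAudience)) {
                return OAuth2TokenValidatorResult.success();
            }
            OAuth2Error error = new OAuth2Error("invalid_token",
                    "The required audience " + this.expectedAudience + " is missing", null);
            return OAuth2TokenValidatorResult.failure(error);
        }
    }
}
```

Defining this bean replaces the auto-configured decoder, so the spring.security.oauth2.resourceserver.jwt.* properties are no longer consulted; a token minted for a different client of the same authorization server is now rejected with 401 even though its signature and issuer are valid. The same validator can be attached to a NimbusReactiveJwtDecoder for reactive applications.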
In cases where opaque tokens are used instead of JWTs, you can configure the following properties
to validate tokens via introspection:

spring.security.oauth2.resourceserver.opaquetoken.introspection-uri=https://example.com/check-token
spring.security.oauth2.resourceserver.opaquetoken.client-id=my-client-id
spring.security.oauth2.resourceserver.opaquetoken.client-secret=my-client-secret

Again, the same properties are applicable for both servlet and reactive applications.
Alternatively, you can define your own OpaqueTokenIntrospector bean for servlet applications or a
ReactiveOpaqueTokenIntrospector for reactive applications.

Authorization Server

Currently, Spring Security does not provide support for implementing an OAuth 2.0 Authorization
Server. However, this functionality is available from the Spring Security OAuth project, which will
eventually be superseded by Spring Security completely. Until then, you can use the
spring-security-oauth2-autoconfigure module to easily set up an OAuth 2.0 authorization server; see its
documentation for instructions.
