I am studying Spring Security and in particular I have reached OAuth 2.0. I have a complete misunderstanding and confusion about how to configure and use it in general – I mean the packages `spring-security-oauth2-resource-server`, `spring-security-oauth2-authorization-server` and `spring-security-oauth2-client`.
It will be very verbose to try to give specific examples of what I don’t understand, so I’ll just formulate four questions:
- What is the difference between the listed modules and when to use which one?
- Let’s say there is a task: you need to write a server where registration and authorization will be possible, and which then issues its own JWT token with which you can use the REST API through the Authorization header. In essence, it is solved, more or less, in the simplest way (the controller methods themselves, and creating a JWT and signing it with RSA keys, are omitted here, because too much unnecessary code would come out):
```java
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http,
        Converter<Jwt, UsernamePasswordAuthenticationToken> converter) throws Exception {
    http
        .authorizeHttpRequests(authorize ->
            authorize
                .requestMatchers(
                    "/api/" + apiVersion + "/auth/register",
                    "/api/" + apiVersion + "/auth/login"
                )
                .permitAll()
                .anyRequest()
                .authenticated()
        )
        .csrf(AbstractHttpConfigurer::disable)
        .cors(AbstractHttpConfigurer::disable)
        .httpBasic(AbstractHttpConfigurer::disable)
        // resource server: verifies the Bearer JWT on every request and converts it
        // into an Authentication via the injected converter
        .oauth2ResourceServer(configurer ->
            configurer.jwt(jwt -> jwt.jwtAuthenticationConverter(converter))
        )
        .sessionManagement(configurer ->
            configurer.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        )
        .exceptionHandling(configurer ->
            configurer
                .authenticationEntryPoint(new BearerTokenAuthenticationEntryPoint())
                .accessDeniedHandler(new BearerTokenAccessDeniedHandler())
        );
    return http.build();
}
```
*That is, we just created a resource server, and thanks to it we have a BearerTokenAuthenticationFilter in the filter chain, which will now convert and verify our token. But here comes the task: the customer wants to add the ability to log in via GitHub and Google in our application, and later Apple, while at the same time keeping the login functionality that uses our own JWT token. **In this case, how do I configure OAuth 2.0?***
- The next question concerns the implementation of any lesser-known systems. Let’s say YooMoney. It has a standard-compliant OAuth login mechanism using `authorization_code`. How do I add it to the configuration? By the way, as for YooMoney, here the token is needed to interact with their API in the future, and not to authorize the application, so you cannot log into applications using this token – you just need to intercept it and save it to the database.
- Well, the last question, or rather even a clarification: I am interested in a stateless system, i.e. `SessionCreationPolicy.STATELESS`. It has already been described in detail
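As an added example that is not part of the question above, here is one way the three pieces asked about can live in a single filter chain: the asker's own-JWT resource server, `oauth2Login` for GitHub/Google that answers with the app's own JWT, and `oauth2Client` for a provider such as YooMoney whose token is only an API credential and gets persisted. It assumes a hypothetical `JwtIssuer` bean whose `issue(subject)` returns the app's signed JWT, a `JwtDecoder` bean that verifies it, and placeholder client ids and YooMoney endpoint URLs.

```java
// Added example, not the asker's code. Assumed: a hypothetical JwtIssuer bean (issue(subject) -> app JWT) and a JwtDecoder bean.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.jdbc.core.JdbcOperations;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.oauth2.client.CommonOAuth2Provider;
import org.springframework.security.oauth2.client.JdbcOAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.registration.*;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class MultiAuthConfig {
    @Bean
    SecurityFilterChain chain(HttpSecurity http, JwtIssuer jwtIssuer) throws Exception {
        http.csrf(AbstractHttpConfigurer::disable)
            .authorizeHttpRequests(a -> a
                .requestMatchers("/auth/register", "/auth/login", "/oauth2/**", "/login/oauth2/**", "/authorized/**").permitAll()
                .anyRequest().authenticated())
            // 1) resource server: API calls carry the app's own JWT, verified by the JwtDecoder bean
            .oauth2ResourceServer(rs -> rs.jwt(Customizer.withDefaults()))
            // 2) GitHub/Google login: once the provider has authenticated the user, hand back the app's own JWT
            //    so the API stays bearer-token based rather than session based
            .oauth2Login(login -> login.successHandler((req, res, auth) ->
                res.getWriter().write(jwtIssuer.issue(auth.getName()))))
            // 3) plain client for providers whose token is an API credential, not a login
            .oauth2Client(Customizer.withDefaults());
        return http.build();
    }
    @Bean
    ClientRegistrationRepository registrations() {
        ClientRegistration github = CommonOAuth2Provider.GITHUB.getBuilder("github")
            .clientId("GITHUB_CLIENT_ID").clientSecret("GITHUB_CLIENT_SECRET").build(); // placeholders
        // Callback on /authorized/{id}, not /login/oauth2/code/{id}: the login filter owns that path
        // and would try to turn the YooMoney callback into a user login.
        ClientRegistration yoomoney = ClientRegistration.withRegistrationId("yoomoney")
            .clientId("YOOMONEY_CLIENT_ID").clientSecret("YOOMONEY_CLIENT_SECRET") // placeholders
            .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
            .redirectUri("{baseUrl}/authorized/{registrationId}")
            .authorizationUri("https://PLACEHOLDER/oauth/authorize") // take from YooMoney docs
            .tokenUri("https://PLACEHOLDER/oauth/token").build();   // take from YooMoney docs
        return new InMemoryClientRegistrationRepository(github, yoomoney);
    }
    // Keeps provider tokens in Spring's oauth2_authorized_client table; later YooMoney API calls
    // fetch them with loadAuthorizedClient("yoomoney", principalName).
    @Bean
    OAuth2AuthorizedClientService authorizedClients(JdbcOperations jdbc, ClientRegistrationRepository repo) {
        return new JdbcOAuth2AuthorizedClientService(jdbc, repo);
    }
}
```

With both login and resource server in one chain, keep the explicit `BearerTokenAuthenticationEntryPoint` from the question's configuration, otherwise an unauthenticated API call may be answered with a redirect to the login page instead of a 401.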