/oauth.apisample.javaspringboot

Final OAuth secured Java API Code Sample


Final Java Spring Boot API


Behaviour

The final OAuth secured Java API code sample:

  • The API has a fictional business area of investments, but simply returns hard-coded data
  • The API takes finer control over OAuth and claims handling, to enable the best security with good manageability
  • The API uses structured logging and log aggregation, for the best supportability

API integrates with UI Clients

The API can run as part of an OAuth end-to-end setup, to serve my blog's UI code samples.
Running the API in this manner forces it to be consumer focused towards its clients:

SPA and API

API can be Productively Tested

The API's clients are UIs, which get user level access tokens by running an OpenID Connect code flow.
For productive test driven development, the API instead mocks the Authorization Server:

Test Driven Development

API can be Load Tested

A basic load test uses CompletableFuture to fire 5 parallel requests at a time at the API.
This verifies that there are no concurrency problems, and error rehearsal is used to ensure useful error responses:

Load Test

API is Supportable

API logs can be analysed in a use case based manner by running Elasticsearch SQL and Lucene queries.
Follow the Technical Support Queries for some people-friendly examples:

Support Queries

Commands

Prerequisites

  • Ensure that a Java 21+ SDK is installed
  • Integration tests run Wiremock in Docker, so ensure that Docker is installed

Run the API

Then run the API in isolation with this command:

./start.sh

Configure DNS and SSL

Configure DNS by adding these domains to your hosts file:

127.0.0.1 localhost api.authsamples-dev.com login.authsamples-dev.com

Then call an endpoint over port 446:

curl -k https://api.authsamples-dev.com:446/investments/companies

Then configure SSL trust by running this command:

sudo "$JAVA_HOME/bin/keytool" -import -alias authsamples.ca -cacerts -file ./certs/authsamples-dev.ca.pem -storepass changeit -noprompt

Clean up after testing with this command:

sudo "$JAVA_HOME/bin/keytool" -delete -alias authsamples.ca -cacerts -storepass changeit -noprompt

Test the API

Stop the API, then re-run it with a test configuration:

./testsetup.sh

Then run integration tests and a load test:

./gradlew test
./gradlew loadtest

Further Details

Programming Languages

  • Java 21 and Spring Boot 3 are used to implement the REST API

Infrastructure

  • The Tomcat web server hosts the API over SSL
  • AWS Cognito is used as the default Authorization Server
  • The jose4j library is used to manage in-memory validation of JWTs
  • The project includes API deployment resources for Docker and Kubernetes
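The kind of in-memory JWT validation that the jose4j bullet and the "finer control over OAuth and claims" behaviour describe, as an added example that is not this project's own code. The class name, the JWKS URI, the issuer, the audience and the `scope` claim format are assumptions standing in for the sample's real configuration.

```java
import java.util.Arrays;
import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jwa.AlgorithmConstraints.ConstraintType;
import org.jose4j.jwk.HttpsJwks;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.MalformedClaimException;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.jose4j.keys.resolvers.HttpsJwksVerificationKeyResolver;

// Hypothetical validator class; the constructor arguments are placeholders, not the sample's values.
public final class AccessTokenValidator {

    private final JwtConsumer consumer;

    public AccessTokenValidator(String jwksUri, String expectedIssuer, String expectedAudience) {
        // HttpsJwks downloads and caches the Authorization Server's public keys in memory,
        // so each request is verified locally rather than by a round trip to the issuer.
        HttpsJwks jwks = new HttpsJwks(jwksUri);

        this.consumer = new JwtConsumerBuilder()
            .setVerificationKeyResolver(new HttpsJwksVerificationKeyResolver(jwks))
            // Permit only the algorithm the issuer actually uses, so 'none' and HMAC tokens are rejected
            .setJwsAlgorithmConstraints(new AlgorithmConstraints(ConstraintType.PERMIT,
                AlgorithmIdentifiers.RSA_USING_SHA256))
            .setExpectedIssuer(expectedIssuer)       // token must come from the configured issuer
            .setExpectedAudience(expectedAudience)   // token must be intended for this API
            .setRequireExpirationTime()              // tokens without 'exp' are rejected
            .setAllowedClockSkewInSeconds(30)        // tolerate small clock differences only
            .build();
    }

    /** Returns the verified claims, or throws InvalidJwtException if any check above fails. */
    public JwtClaims validate(String accessToken) throws InvalidJwtException {
        return consumer.processToClaims(accessToken);
    }

    /** Claims based authorization: require a scope, assuming a space separated 'scope' claim. */
    public static boolean hasScope(JwtClaims claims, String requiredScope) throws MalformedClaimException {
        String scope = claims.getStringClaimValue("scope");
        return scope != null && Arrays.asList(scope.split(" ")).contains(requiredScope);
    }
}
```

A Spring filter would call `validate` on the bearer token of each request and return a 401 response when it throws, then use `hasScope` (or the other claims) to decide whether the caller may reach the endpoint.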