This repo is a prototype implementation of Spring OAuth2 and is currently under development.
Prerequisites: Java is installed and the Spring Boot Maven dependencies are configured.
Flow of calls between gateway service and downstream service
Flow of calls from external client
- Gateway Service: 8080
- Auth Service: 7070
- Resource Server: 9000
# authorization code grant: get the code
http://localhost:7070/authserver/oauth/authorize?response_type=code&client_id=authserver&redirect_uri=http://localhost:8080/&scope=myscope&state=Lq3pSG
# login if prompted
# exchange the code for a token
http://localhost:7070/authserver/oauth/token?grant_type=authorization_code&client_id=authserver&redirect_uri=http://localhost:8080/&scope=myscope&state=Lq3pSG&code=fTId6p
# call the resource endpoint with the token (bearer)
http://localhost:9000/user
# implicit grant: call the authorize endpoint with response_type=token
http://localhost:7070/authserver/oauth/authorize?response_type=token&client_id=authserver&redirect_uri=http://localhost:8080/&scope=myscope&state=Lq3pSG
# login if prompted
# get redirected back with the token
# client credentials grant: call the token endpoint directly with the client id and secret
http://localhost:7070/authserver/oauth/token?grant_type=client_credentials
# token returned
# password grant: call the token endpoint directly with the client id/secret and a username/password
http://localhost:7070/authserver/oauth/token?grant_type=password&username=admin&password=admin
# token returned
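The authorization code flow above, driven from the client side, as an added Python example that is not part of this repo. It uses the endpoints, client id, client secret, scope and redirect URI documented in this README; the only difference from the raw URLs above is that it generates a fresh `state` per request and verifies it on the redirect, and that it sends the client credentials as an HTTP Basic header with the grant parameters in the POST body rather than in the query string. The `fTId6p` code and `Lq3pSG` state used in the comments are the sample values from this README, not real tokens.

```python
import base64
import json
import secrets
import urllib.parse
import urllib.request

# Endpoints and client settings as documented in this README.
AUTHORIZE_URL = "http://localhost:7070/authserver/oauth/authorize"
TOKEN_URL = "http://localhost:7070/authserver/oauth/token"
RESOURCE_URL = "http://localhost:9000/user"
CLIENT_ID = "authserver"
CLIENT_SECRET = "passwordforauthserver"
REDIRECT_URI = "http://localhost:8080/"
SCOPE = "myscope"


def new_state():
    """Random, per-request state. The fixed 'Lq3pSG' in the README is only a
    sample; a reused or predictable state defeats the CSRF check below."""
    return secrets.token_urlsafe(16)


def build_authorize_url(client_id, redirect_uri, scope, state):
    """Step 1: the URL the browser is sent to (response_type=code)."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    }
    return AUTHORIZE_URL + "?" + urllib.parse.urlencode(params)


def parse_redirect(redirect_url, expected_state):
    """Step 2: the auth server redirects back to redirect_uri with code and state.
    Accept the code only if the state is the one this client generated."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(redirect_url).query)
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: redirect was not initiated by this client")
    if "code" not in query:
        raise ValueError("redirect carries no authorization code")
    return query["code"][0]


def build_token_request(client_id, client_secret, code, redirect_uri):
    """Step 3: build the code-for-token exchange. Client credentials go in an
    HTTP Basic Authorization header; grant parameters go in the form body."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": "Basic " + basic,
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
    })
    return TOKEN_URL, headers, body


def exchange_code(client_id, client_secret, code, redirect_uri):
    """Perform the POST from build_token_request against the running auth service."""
    url, headers, body = build_token_request(client_id, client_secret, code, redirect_uri)
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)


def call_resource(access_token):
    """Step 4: call the resource server with the bearer token."""
    req = urllib.request.Request(RESOURCE_URL, headers={"Authorization": "Bearer " + access_token})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Interactive run against the three services started as described in this README.
    state = new_state()
    print("Open in a browser and log in:", build_authorize_url(CLIENT_ID, REDIRECT_URI, SCOPE, state))
    redirect = input("Paste the URL you were redirected to: ").strip()
    code = parse_redirect(redirect, state)
    token = exchange_code(CLIENT_ID, CLIENT_SECRET, code, REDIRECT_URI)
    print(json.dumps(call_resource(token["access_token"]), indent=2))
```

Run it with the auth service, gateway and resource server up; the script prints the authorize URL, waits for the redirect URL to be pasted back, exchanges the code and prints the `/user` response.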
Configure an external client like the sample below:

```properties
spring.security.oauth2.client.registration.vibe.client-id=vibe
spring.security.oauth2.client.registration.vibe.client-secret=passwordforvibeserver
spring.security.oauth2.client.provider.vibe.authorizationUri=http://localhost:7070/authserver/oauth/authorize
spring.security.oauth2.client.provider.vibe.tokenUri=http://localhost:7070/authserver/oauth/token
spring.security.oauth2.client.provider.vibe.userInfoUri=http://localhost:9000/user
spring.security.oauth2.client.registration.vibe.authorizationGrantType=authorization_code
spring.security.oauth2.client.registration.vibe.scope=myscope
spring.security.oauth2.client.registration.vibe.redirectUriTemplate=http://localhost:8081/login/oauth2/code/vibe
spring.security.oauth2.client.provider.vibe.usernameAttribute=name
```
Update the Gateway service (and any other optional internal clients) with:

```yaml
security:
  oauth2:
    client:
      accessTokenUri: http://localhost:7070/authserver/oauth/token
      userAuthorizationUri: http://localhost:7070/authserver/oauth/authorize
      clientId: authserver
      clientSecret: passwordforauthserver
    resource:
      userInfoUri: http://localhost:9000/user
```
Try to access http://localhost:8080/personInfo, which internally calls the downstream resource server at http://localhost:9000/person.
It will prompt for user authentication at http://localhost:7070/authserver/login; log in with the default credentials admin:admin or user:user.
It should then display the resource information that is protected under http://localhost:9000/person.
## TODOS

1. Schedule token and audit table clean-up.
2. CloudWatch logs.
3. Testing.
4. Complete audit tables.
5. Dictionary attack protection + captcha.