DEV Community

Andrew Kang-G

Spring Security Oauth2 Password JPA Implementation

https://github.com/patternknife/spring-security-oauth2-password-jpa-implementation

  • Complete separation of the library (API) from the client application that exercises it. Maven coordinates of the library:

    <dependency>
        <groupId>io.github.patternknife.securityhelper.oauth2.api</groupId>
        <artifactId>spring-security-oauth2-password-jpa-implementation</artifactId>
        <version>2.4.0</version>
    </dependency>

  • The same access & refresh token APIs are set up both on /oauth2/token and on our controller layer at /api/v1/traditional-oauth/token. Both endpoints behave identically and share the same request and response payloads for success and error cases.

    • As you are aware, /oauth2/token is the endpoint provided by spring-authorization-server.
    • /api/v1/traditional-oauth/token is the endpoint this library implements manually.

Success Payload

{
  "access_token" : "Vd4x8D4lDg7VBFh...",
  "token_type" : "Bearer",
  "refresh_token" : "m3UgLrvPtXKdy7jiD...",
  "expires_in" : 3469,
  "scope" : "read write"
}

Error Payload

{
  "timestamp": 1719470948370,
  "message": "Couldn't find the client ID : client_admin",
  "details": "uri=/oauth2/token",
  "userMessage": "Authentication failed. Please check your credentials.",
  "userValidationMessage": null
}
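The exchange against the two endpoints, as an added example that is not part of the library: a client that performs the password grant and then the refresh_token grant against either endpoint and parses both payloads shown above. The base URL, client credentials, user credentials and the App-Token header name are assumptions for this illustration; the grant parameter names are the standard ones from RFC 6749, and client authentication uses the Basic header (client_secret_basic).

```java
import java.io.IOException;
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.stream.Collectors;

import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;

/**
 * Added example client (not part of the library). Exercises the password and
 * refresh_token grants against either token endpoint; base URL, credentials and
 * the "App-Token" header name below are assumptions for this illustration.
 */
public class TokenClient {

    /** Success payload, field names as in the README. */
    public record TokenResponse(@JsonProperty("access_token") String accessToken,
                                @JsonProperty("token_type") String tokenType,
                                @JsonProperty("refresh_token") String refreshToken,
                                @JsonProperty("expires_in") long expiresIn,
                                String scope) {}

    /** Error payload; only userMessage is meant for display to the end user. */
    public record TokenError(long timestamp, String message, String details,
                             String userMessage, String userValidationMessage) {}

    public static class TokenRequestException extends IOException {
        public final int status;
        public final TokenError error;
        TokenRequestException(int status, TokenError error) {
            super(error.userMessage());
            this.status = status;
            this.error = error;
        }
    }

    private final HttpClient http = HttpClient.newHttpClient();
    private final ObjectMapper json = new ObjectMapper()
            .configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false);
    private final URI tokenEndpoint;
    private final String basicAuth; // client_secret_basic: base64(clientId:clientSecret)

    public TokenClient(String tokenEndpoint, String clientId, String clientSecret) {
        this.tokenEndpoint = URI.create(tokenEndpoint);
        this.basicAuth = "Basic " + Base64.getEncoder().encodeToString(
                (clientId + ":" + clientSecret).getBytes(StandardCharsets.UTF_8));
    }

    /** grant_type=password; appToken distinguishes logins of the same account (assumed header name). */
    public TokenResponse login(String username, String password, String appToken)
            throws IOException, InterruptedException {
        Map<String, String> form = new LinkedHashMap<>();
        form.put("grant_type", "password");
        form.put("username", username);
        form.put("password", password);
        return post(form, appToken);
    }

    /** grant_type=refresh_token; the current refresh token is sent and a new pair comes back. */
    public TokenResponse refresh(String refreshToken) throws IOException, InterruptedException {
        Map<String, String> form = new LinkedHashMap<>();
        form.put("grant_type", "refresh_token");
        form.put("refresh_token", refreshToken);
        return post(form, null);
    }

    private TokenResponse post(Map<String, String> form, String appToken)
            throws IOException, InterruptedException {
        String body = form.entrySet().stream()
                .map(e -> URLEncoder.encode(e.getKey(), StandardCharsets.UTF_8) + "="
                        + URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8))
                .collect(Collectors.joining("&"));
        HttpRequest.Builder req = HttpRequest.newBuilder(tokenEndpoint)
                .header("Authorization", basicAuth)
                .header("Content-Type", "application/x-www-form-urlencoded")
                .POST(HttpRequest.BodyPublishers.ofString(body));
        if (appToken != null) {
            req.header("App-Token", appToken);
        }
        HttpResponse<String> res = http.send(req.build(), HttpResponse.BodyHandlers.ofString());
        if (res.statusCode() / 100 != 2) {
            // Both endpoints return the same error shape, so one type covers both.
            throw new TokenRequestException(res.statusCode(), json.readValue(res.body(), TokenError.class));
        }
        return json.readValue(res.body(), TokenResponse.class);
    }

    public static void main(String[] args) throws Exception {
        // Both paths accept the same request and return the same payloads (assumed local instance).
        for (String path : new String[] {"/oauth2/token", "/api/v1/traditional-oauth/token"}) {
            TokenClient client = new TokenClient("http://localhost:8080" + path, "client_customer", "secret");
            try {
                TokenResponse t = client.login("customer@example.com", "password", "device-1234");
                System.out.println(path + " -> expires in " + t.expiresIn() + "s, scope=" + t.scope());
                TokenResponse r = client.refresh(t.refreshToken());
                System.out.println(path + " -> new access token after refresh: "
                        + !r.accessToken().equals(t.accessToken()));
            } catch (TokenRequestException e) {
                // Show only userMessage; 'message' carries internal detail and is not for display.
                System.out.println(path + " -> HTTP " + e.status + ": " + e.error.userMessage());
            }
        }
    }
}
```

The client deliberately surfaces only userMessage on failure; a front end that prints the message field would leak whatever the server put there, which is exactly the concern raised below.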

  • In the error payload above, 'message' carries internal detail (the exception text, which may be surfaced from a stack trace) and must not be exposed to clients; 'userMessage' is what should be returned instead.

  • Authentication management based on the combination of username, client ID and App-Token.

    • What is an App-Token? It is a value sent along with each login of the same account. A login that presents a new App-Token value receives a newly generated access token; logins that present the same App-Token value share the same access token.
  • Separate UserDetails implementations for the Admin and Customer roles are included as an example. (This can be extended as desired by implementing UserDetailsServiceFactory.)

  • Provides MySQL DDL for the oauth_access_token, oauth_refresh_token and oauth_client_details tables, which are the table names used in Spring Security 5. Since the goal is to migrate an existing security system to Security 6, they have not been renamed to the authorization table defined in https://github.com/spring-projects/spring-authorization-server.

  • API documentation with Spring REST Docs.
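One way to keep 'message' out of the client response while still producing the same error payload from both endpoints, as an added example rather than the library's own code: a single AuthenticationFailureHandler that logs the internal exception text and writes the payload shape shown earlier. The errorResponseHandler registration on spring-authorization-server's OAuth2TokenEndpointConfigurer is that project's own API; the class names, the generic user message and the status-code mapping are assumptions for this illustration.

```java
import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.Map;

import com.fasterxml.jackson.databind.ObjectMapper;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.RestControllerAdvice;

/**
 * Added example (not the library's code): one failure handler that emits the
 * error payload for both token endpoints and keeps the exception text in the
 * server log instead of the response.
 *
 * Wiring for /oauth2/token (spring-authorization-server):
 *   authorizationServerConfigurer.tokenEndpoint(
 *       t -> t.errorResponseHandler(new TokenErrorResponseHandler()));
 * The advice class below covers the manual /api/v1/traditional-oauth/token controller.
 */
public class TokenErrorResponseHandler implements AuthenticationFailureHandler {

    private static final Logger log = LoggerFactory.getLogger(TokenErrorResponseHandler.class);
    // Assumed generic text; it must not vary with the failure reason (that would leak it).
    private static final String USER_MESSAGE = "Authentication failed. Please check your credentials.";
    private final ObjectMapper objectMapper = new ObjectMapper();

    @Override
    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
                                        AuthenticationException ex) throws IOException {
        String details = "uri=" + request.getRequestURI();

        // e.g. "Couldn't find the client ID : client_admin": operators need it, callers must not see it.
        log.warn("Token request failed [{}]: {}", details, ex.getMessage());

        // invalid_client is conventionally answered with 401 (RFC 6749 section 5.2); other token errors with 400.
        int status = HttpStatus.BAD_REQUEST.value();
        if (ex instanceof OAuth2AuthenticationException oauthEx
                && OAuth2ErrorCodes.INVALID_CLIENT.equals(oauthEx.getError().getErrorCode())) {
            status = HttpStatus.UNAUTHORIZED.value();
        }

        // Same field names as the README payload, minus the internal 'message'.
        Map<String, Object> body = new LinkedHashMap<>();
        body.put("timestamp", System.currentTimeMillis());
        body.put("details", details);
        body.put("userMessage", USER_MESSAGE);
        body.put("userValidationMessage", null);

        response.setStatus(status);
        response.setContentType(MediaType.APPLICATION_JSON_VALUE);
        objectMapper.writeValue(response.getOutputStream(), body);
    }

    /** Routes failures thrown by the manual controller through the same handler. */
    @RestControllerAdvice
    public static class TraditionalTokenErrorAdvice {
        private final TokenErrorResponseHandler handler = new TokenErrorResponseHandler();

        @ExceptionHandler(AuthenticationException.class)
        public void onAuthenticationFailure(AuthenticationException ex, HttpServletRequest request,
                                            HttpServletResponse response) throws IOException {
            handler.onAuthenticationFailure(request, response, ex);
        }
    }
}
```

A ControllerAdvice alone would not cover /oauth2/token, because spring-authorization-server handles that endpoint in a filter rather than a controller; registering the same handler as the token endpoint's errorResponseHandler is what makes the two error payloads identical.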
