Skip to content

Latest commit

 

History

History
41 lines (28 loc) · 2.28 KB

README.md

File metadata and controls

41 lines (28 loc) · 2.28 KB

This repo has been started by @syjer as oauthtest, to cleanup history and make it cleaner for a blog post I created this new Repo

This example is based on the following resources:

How to test:

  1. $ cd authorization-server;mvn spring-boot:run

  2. $ cd resource-server;mvn spring-boot:run

  3. Obtain token with: $ curl service-account-1:service-account-1-secret@localhost:8080/auth/oauth/token -d grant_type=client_credentials and save it in TOKEN=.......

  4. Access the resource with: $ curl -H "Authorization: Bearer $TOKEN" -v localhost:9090

  5. Update the resource with: $ curl -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" -X POST -d "Bonjour" -v localhost:9090

  6. $ cd webapp-server;mvn spring-boot:run

  7. go to localhost:9999 and use the UI :).

You can load the message from backend server, then submit a new one and try to reload. All calls are using JWT, AS is called only the first time, RS checks the client has correct scopes. If token expires it automatically goes to AS to get a new one.

For generating your own key (as written in the stytex.de blog):

keytool -genkeypair -alias jwt -keyalg RSA -dname "CN=jwt, L=Lugano, S=Lugano, C=CH" -keypass mySecretKey -keystore jwt.jks -storepass mySecretKey

copy jwt.jks in authorization-server/src/main/resources/jwk.jks

Notes:

  • Resource server fetch the pubkey of the authentication server, so in production it must be over a secure channel :)
  • If the authentication server is down, and a resource server is launched, the fetch of the public key will fail (but a log message will be written), see spring-attic/spring-security-oauth#734 issue