Implements an OAuth2 authentication/authorization server using Spring Boot 4, Spring Authorization Server and Spring Security OAuth2 with:
- Multi-tenancy (
Tenantlinked by foreign keys), and each tenant has its ownbaseUrl(Dual Mapping: FK field + read-only association). - Registration service.
- Captcha validation on login.
- Two-step verification using pluggable SMS service.
- Login based on phone number.
- Support for users with multiple phone numbers and optional national code.
- JWT claims containing roles, username, tenant id, and tenant name, generated via Spring Security OAuth2 JwtEncoder.
- APIs for user roles/permissions, users by role, users by permission.
- Impersonation endpoint.
- Activity logging + active sessions + sign-out other sessions.
- Logback activity logs ready for Logstash shipping to Elasticsearch (for reporting/last-login dashboards).
- Password policy: letter+number required, password expiry, and block reuse of last 3 passwords.
- Password-expiry flow: user logs in by phone, then must change password when expired.
- JPA auditing and optimistic locking (
@Version) in base entity. - DTO grouping as static records per object domain.
- Lombok used for reducing boilerplate (
@Getter,@Setter,@RequiredArgsConstructor,@Slf4j).
mvn spring-boot:runPOST /api/auth/registerPOST /api/auth/login/phonePOST /api/auth/verify-2faPOST /api/auth/password/change-expiredPOST /api/auth/impersonateGET /api/users/{username}/authorizationGET /api/users/by-role/{roleCode}GET /api/users/by-permission/{permissionCode}GET /api/sessions/{username}POST /api/sessions/sign-out-othersGET /api/reports/users/{username}/logsGET /api/reports/users/{username}/activityPOST /api/admin/permissionsGET /api/admin/permissionsGET /api/admin/permissions/{id}PUT /api/admin/permissions/{id}DELETE /api/admin/permissions/{id}POST /api/admin/rolesGET /api/admin/rolesGET /api/admin/roles/{id}PUT /api/admin/roles/{id}DELETE /api/admin/roles/{id}POST /api/tenant-admin/usersGET /api/tenant-admin/usersGET /api/tenant-admin/users/{id}PUT /api/tenant-admin/users/{id}DELETE /api/tenant-admin/users/{id}POST /api/groupsGET /api/groups/{groupId}POST /api/groups/{groupId}/permissions
- Authorization server endpoints are enabled through Spring Authorization Server config (
/oauth2/token, OIDC metadata endpoints, etc.). - Seeded sample OAuth2 client:
client_id:auth-clientclient_secret:auth-secret- grant:
client_credentials
SmsServiceis stubbed to logs and should be replaced with your own SMS provider integration.CaptchaServicecurrently validates non-empty tokens and can be replaced with real captcha verification.logback-spring.xmlemits structured activity logs suitable for Logstash ingestion into Elasticsearch.
- Swagger UI:
/swagger-ui/index.html - OpenAPI doc:
/v3/api-docs
- Collection file:
postman/Auth-Server.postman_collection.json
- Liquibase is enabled and manages schema creation and default seed data.
- Changelogs:
src/main/resources/db/changelog - Default CSV seed files:
src/main/resources/db/data