Skip to content
Branch: master
Find file History
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
..
Failed to load latest commit information.
src
README.adoc
spring-security-samples-boot-oauth2resourceserver-multitenancy.gradle

README.adoc

OAuth 2.0 Resource Server Sample

This sample demonstrates integrating Resource Server with a mock Authorization Server, though it can be modified to integrate with your favorite Authorization Server.

With it, you can run the integration tests or run the application as a stand-alone service to explore how you can secure your own service with OAuth 2.0 Bearer Tokens using Spring Security.

1. Running the tests

To run the tests, do:

./gradlew integrationTest

Or import the project into your IDE and run OAuth2ResourceServerApplicationTests from there.

What is it doing?

By default, the tests are pointing at a mock Authorization Server instance.

The tests are configured with a set of hard-coded tokens originally obtained from the mock Authorization Server, and each makes a query to the Resource Server with their corresponding token.

The Resource Server subsequently verifies with the Authorization Server and authorizes the request, returning either the phrase

Hello, subject for tenantOne!

where "subject" is the value of the sub field in the JWT sent in the Authorization header,

or the phrase

Hello, subject for tenantTwo!

where "subject" is the value of the sub field in the Introspection response from the Authorization Server.

2. Running the app

To run as a stand-alone application, do:

./gradlew bootRun

Or import the project into your IDE and run OAuth2ResourceServerApplication from there.

Authorizing with tenantOne (JWT)

Once it is up, you can use the following token:

export TOKEN=eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJzdWJqZWN0IiwiZXhwIjo0NjgzODA1MTI4fQ.ULEPdHG-MK5GlrTQMhgqcyug2brTIZaJIrahUeq9zaiwUSdW83fJ7W1IDd2Z3n4a25JY2uhEcoV95lMfccHR6y_2DLrNvfta22SumY9PEDF2pido54LXG6edIGgarnUbJdR4rpRe_5oRGVa8gDx8FnuZsNv6StSZHAzw5OsuevSTJ1UbJm4UfX3wiahFOQ2OI6G-r5TB2rQNdiPHuNyzG5yznUqRIZ7-GCoMqHMaC-1epKxiX8gYXRROuUYTtcMNa86wh7OVDmvwVmFioRcR58UWBRoO1XQexTtOQq_t8KYsrPZhb9gkyW8x2bAQF-d0J0EJY8JslaH6n4RBaZISww

And then make this request:

curl -H "Authorization: Bearer $TOKEN" localhost:8080/tenantOne

Which will respond with the phrase:

Hello, subject for tenantOne!

where subject is the value of the sub field in the JWT sent in the Authorization header.

Or this:

export TOKEN=eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJzdWJqZWN0Iiwic2NvcGUiOiJtZXNzYWdlOnJlYWQiLCJleHAiOjQ2ODM4MDUxNDF9.h-j6FKRFdnTdmAueTZCdep45e6DPwqM68ZQ8doIJ1exi9YxAlbWzOwId6Bd0L5YmCmp63gGQgsBUBLzwnZQ8kLUgUOBEC3UzSWGRqMskCY9_k9pX0iomX6IfF3N0PaYs0WPC4hO1s8wfZQ-6hKQ4KigFi13G9LMLdH58PRMK0pKEvs3gCbHJuEPw-K5ORlpdnleUTQIwINafU57cmK3KocTeknPAM_L716sCuSYGvDl6xUTXO7oPdrXhS_EhxLP6KxrpI1uD4Ea_5OWTh7S0Wx5LLDfU6wBG1DowN20d374zepOIEkR-Jnmr_QlR44vmRqS5ncrF-1R0EGcPX49U6A

curl -H "Authorization: Bearer $TOKEN" localhost:8080/tenantOne/message

Will respond with:

secret message for tenantOne

Authorizing with tenantTwo (Opaque token)

Once it is up, you can use the following token:

export TOKEN=00ed5855-1869-47a0-b0c9-0f3ce520aee7

And then make this request:

curl -H "Authorization: Bearer $TOKEN" localhost:8080/tenantTwo

Which will respond with the phrase:

Hello, subject for tenantTwo!

where subject is the value of the sub field in the Introspection response from the Authorization Server.

Or this:

export TOKEN=b43d1500-c405-4dc9-b9c9-6cfd966c34c9

curl -H "Authorization: Bearer $TOKEN" localhost:8080/tenantTwo/message

Will respond with:

secret message for tenantTwo

2. Testing against other Authorization Servers

In order to use this sample, your Authorization Server must support JWTs that either use the "scope" or "scp" attribute.

To change the sample to point at your Authorization Server, simply find these properties in the application.yml:

tenantOne.jwk-set-uri: ${mockwebserver.url}/.well-known/jwks.json
tenantTwo.introspection-uri: ${mockwebserver.url}/introspect
tenantTwo.introspection-client-id: client
tenantTwo.introspection-client-secret: secret

And change the properties to your Authorization Server’s JWK set endpoint and introspection endpoint, including its client id and secret

tenantOne.jwk-set-uri: https://dev-123456.oktapreview.com/oauth2/default/v1/keys
tenantTwo.introspection-uri: https://dev-123456.oktapreview.com/oauth2/default/v1/introspect
tenantTwo.introspection-client-id: client
tenantTwo.introspection-client-secret: secret

And then you can run the app the same as before:

./gradlew bootRun

Make sure to obtain valid tokens from your Authorization Server in order to play with the sample Resource Server. To use the / endpoint, any valid token from your Authorization Server will do. To use the /message endpoint, the token should have the message:read scope.

You can’t perform that action at this time.