Bublik - 3 months ago
Java Question

Spring OAuth2 explain Authorization server configuration

I am trying to implement OAuth security and ran into a problem: the configuration class is not clear enough for me.

While implementing AuthorizationServerConfigurer I have three configurers:

  • ClientDetailsServiceConfigurer
    used to provide the way how and from where to get client details. As an example, it can be a service which provides registered clients from the database.



When it comes to AuthorizationServerSecurityConfigurer and AuthorizationServerEndpointsConfigurer, I am not sure what they do and how they should be configured. The documentation says only:

    AuthorizationServerEndpointsConfigurer: defines the authorization and token endpoints and the token services.


Maybe someone can explain in simple words what these two configurers do / are used for.

Answer

AuthorizationServerConfigurer's javadoc is more informative than the linked documentation. AuthorizationServerSecurityConfigurer, as its name suggests, configures the security of the Authorization Server itself. For example, you can override the security of the OAuth endpoints such as /oauth/token, provide an access denied handler, or restrict access to SSL. Here is what the documentation says about it:

Configure the security of the Authorization Server, which means in practical terms the /oauth/token endpoint. The /oauth/authorize endpoint also needs to be secure, but that is a normal user-facing endpoint and should be secured the same way as the rest of your UI, so is not covered here. The default settings cover the most common requirements, following recommendations from the OAuth2 spec, so you don't need to do anything here to get a basic server up and running.

As for AuthorizationServerEndpointsConfigurer:

Configure the non-security features of the Authorization Server endpoints, like token store, token customizations, user approvals and grant types. You shouldn't need to do anything by default, unless you need password grants, in which case you need to provide an AuthenticationManager.

Here is a sample from one of my projects:

@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
    endpoints
            .authenticationManager(authenticationManager) // needed because the password grant is in use
            .tokenStore(jwtTokenStore())                  // JwtTokenStore bean defined elsewhere in the config
            .tokenEnhancer(tokenEnhancer());              // adds custom claims to the issued tokens
}

Here I provided a JwtTokenStore as my TokenStore and an AuthenticationManager since I was using Password Grants.
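To put the three configurers side by side, here is an added example of a complete Authorization Server configuration class (it is not the answerer's code and not part of the original post). It assumes the spring-security-oauth2 annotation API (AuthorizationServerConfigurerAdapter and @EnableAuthorizationServer), that an AuthenticationManager bean is exposed by the application's web security configuration, and uses a constructed client registration and a placeholder signing key that a real deployment would load from a secret store.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;

@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

    // Assumption: exposed as a bean by the application's WebSecurityConfigurerAdapter.
    @Autowired
    private AuthenticationManager authenticationManager;

    private final PasswordEncoder passwordEncoder = new BCryptPasswordEncoder();

    // Placeholder value; load the real key from a secret store, never hard-code it.
    private static final String JWT_SIGNING_KEY = "CHANGE-ME-placeholder-signing-key";

    // (1) ClientDetailsServiceConfigurer: where client registrations come from.
    //     In-memory here; a production server would use .jdbc(dataSource) or a custom ClientDetailsService.
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
                .withClient("demo-client")                        // constructed client id
                .secret(passwordEncoder.encode("demo-secret"))    // constructed secret, stored hashed
                .authorizedGrantTypes("password", "refresh_token")
                .scopes("read", "write")
                .accessTokenValiditySeconds(3600)                 // short-lived access tokens
                .refreshTokenValiditySeconds(86400);
    }

    // (2) AuthorizationServerSecurityConfigurer: security of the server's own endpoints
    //     (/oauth/token, /oauth/token_key, /oauth/check_token).
    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
        security
                .passwordEncoder(passwordEncoder)        // client secrets are verified with the same encoder
                // With a symmetric (HMAC) key, /oauth/token_key returns the signing key itself,
                // so it must not be public; the framework default is denyAll().
                .tokenKeyAccess("isAuthenticated()")
                .checkTokenAccess("isAuthenticated()")   // /oauth/check_token only for authenticated clients
                .sslOnly();                              // refuse plain-HTTP access to the token endpoint
    }

    // (3) AuthorizationServerEndpointsConfigurer: non-security behaviour of the endpoints
    //     (token store, token format, grant support).
    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints
                .authenticationManager(authenticationManager)   // required because "password" grant is enabled
                .tokenStore(tokenStore())
                .accessTokenConverter(accessTokenConverter());
    }

    @Bean
    public TokenStore tokenStore() {
        // JwtTokenStore keeps no state: the token is verified by signature rather than looked up.
        return new JwtTokenStore(accessTokenConverter());
    }

    @Bean
    public JwtAccessTokenConverter accessTokenConverter() {
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        converter.setSigningKey(JWT_SIGNING_KEY);   // tokens are signed, not encrypted: do not put secrets in claims
        return converter;
    }
}
```

The split mirrors the javadoc quoted above: the client configurer decides who may ask for tokens, the security configurer decides how the token endpoints themselves are protected, and the endpoints configurer decides what a token is and which grants produce it. The ordering inside each method does not matter; what matters is that the password grant and the AuthenticationManager are configured together, since the grant cannot authenticate resource-owner credentials without it.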
