
Documentation request: Oauth2 Resource Server servicing both REST and MVC endpoints

Open jackdpeterson opened this issue 3 years ago • 0 comments

Overview: the current examples seem to work well when configuring EITHER a REST service OR a WebMVC endpoint using the Client flow. Most applications start as a full-stack flow; then quickly evolve to need to support iOS, Android, or external parties. Given this type of default behavior, I'd love to see some documentation on building a resource server (that can also do client activities) w/ the few additional steps necessary in terms of configuring the Security Filter Chain.

  • Configure two authorization providers (e.g., Google and Github)
  • Support rendering a public facing index "/" w/ a @Controller.
  • Support rendering a private "/authenticated" @Controller
  • Support APIs that authenticate using Bearer tokens (e.g., native app, or JS-based).

Starting points

```yaml
server:
  port: 8009
  servlet:
    session:
      persistent: false
  error:
    whitelabel:
      enabled: true
logging:
  level:
    org.springframework.security: TRACE
    org.springframework.security.oauth2: TRACE
    org.springframework.web: TRACE
    org.springframework.web.reactive: TRACE
spring:
  security:
    oauth2:
      client:
        registration:
          google:
            clientId: SOME_VALUE.apps.googleusercontent.com
            clientSecret: SOME_SECRET
            redirectUri: "{baseUrl}/login/oauth2/code/{registrationId}"
            scope:
              - openid
              - email
              - profile
        # provider must sit under spring.security.oauth2.client, beside registration
        provider:
          google:
            authorizationUri: https://accounts.google.com/o/oauth2/v2/auth?access_type=offline&prompt=consent
            tokenUri: https://oauth2.googleapis.com/token
            userInfoUri: https://www.googleapis.com/oauth2/v3/userinfo
      resource-server:
        jwt:
          # issuer-uri is the value of the token's "iss" claim; Spring appends
          # /.well-known/openid-configuration itself when it discovers the JWK set
          issuer-uri: https://accounts.google.com
```
```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    private static final String LOGIN_PAGE = "/login"; // not shown in the issue; placeholder value

    // Single chain: JWT resource server, browser OAuth2 login, form login and HTTP Basic
    @Bean
    SecurityFilterChain defaultSecurityFilterChain(final HttpSecurity http) throws Exception {
        return http
                .oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt)
                .authorizeHttpRequests(auth -> {
                    auth.requestMatchers("/", "/login**", "/webjars**", "/assets**").permitAll();
                    auth.anyRequest().authenticated();
                })
                .httpBasic(Customizer.withDefaults())
                .oauth2Login(oauth2 -> oauth2.loginPage(LOGIN_PAGE))
                .formLogin(form -> form.loginPage(LOGIN_PAGE)) // lambda form of formLogin().loginPage(...).and()
                .build();
    }
}
```

Merging in something like this?

```java
import org.springframework.context.annotation.Bean;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;

    // Ordered ahead of the default chain so Bearer-token requests never reach the
    // session/login chain. Spring Security 6 style: requestMatcher(...) became
    // securityMatcher(...), and the and()-chained configurers are now lambdas.
    @Bean
    @Order(1)
    public SecurityFilterChain resourceServerOauthFilterChain(final HttpSecurity http) throws Exception {
        http
                .securityMatcher(request -> {
                    final String headerValue = request.getHeader("Authorization");
                    return headerValue != null && headerValue.startsWith("Bearer ");
                })
                .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
                .csrf(csrf -> csrf.disable()) // no cookie-based session on this chain, so CSRF does not apply
                .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                .oauth2ResourceServer(rs -> rs.jwt(Customizer.withDefaults()));
        return http.build();
    }
```

jackdpeterson avatar Oct 29 '22 09:10 jackdpeterson
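The arrangement the issue asks for, written out as one configuration with both chains ordered. This is an added example, not code from the issue or from spring-security-samples; it assumes Spring Boot 3 / Spring Security 6, client registrations named `google` and `github` in `application.yml`, a `LOGIN_PAGE` constant, and a hypothetical package name.

```java
package com.example.security; // hypothetical package

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Configuration
@EnableWebSecurity
public class DualModeSecurityConfig {

    private static final String LOGIN_PAGE = "/login"; // assumed value

    // Selects requests that carry an RFC 6750 Bearer token (scheme is case-insensitive).
    private static final RequestMatcher BEARER_REQUEST = request -> {
        String auth = request.getHeader("Authorization");
        return auth != null && auth.regionMatches(true, 0, "Bearer ", 0, 7);
    };

    // Chain 1: API clients (native apps, JS). Stateless, JWT-validated, no CSRF because
    // no cookie-backed session exists here. Evaluated first because of @Order(1).
    @Bean
    @Order(1)
    SecurityFilterChain apiChain(HttpSecurity http) throws Exception {
        http.securityMatcher(BEARER_REQUEST)
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .csrf(csrf -> csrf.disable())
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .oauth2ResourceServer(rs -> rs.jwt(Customizer.withDefaults()));
        return http.build();
    }

    // Chain 2: browser traffic. Public "/" and static assets, everything else behind
    // OAuth2 login (google/github registrations supply the provider choice on LOGIN_PAGE).
    @Bean
    @Order(2)
    SecurityFilterChain browserChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
                .requestMatchers("/", "/login/**", "/oauth2/**", "/webjars/**", "/assets/**").permitAll()
                .anyRequest().authenticated())
            .oauth2Login(oauth2 -> oauth2.loginPage(LOGIN_PAGE))
            .formLogin(form -> form.loginPage(LOGIN_PAGE));
        return http.build();
    }
}
```

A request without a Bearer header falls through chain 1's matcher and is handled by chain 2, so `/authenticated` redirects a browser to the login page while an API call with a bad or missing token gets a 401 from the resource server.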