Spring Security JWT and Oauth2

5
votes

I'd like to setup a central authentication / authorization server using Spring Security from where I could fetch JWT token which I could then use for accessing restricted resources on another Spring Security backed up REST server.

Here's my flow:

1) HTML JS / Mobile etc client authenticates on auth server to get the JWT token 2) Client sends this token in HTTP header to REST server to gain access to secured resources

I thought JWT would suite best for this scenario because it can contain all the relevant data and REST server could be fully stateless and simply decode the token to get all necessary data (role, clientid, email...) on REST server.

Is Oauth2 right choice for this and if so could someone kindly point me to right direction? If JWT isn't the right bet, I'm open to other solutions :) I should mention that in my case it's also possible to load client information from database also on REST server, but it should not be responsible for authenticating the user (meaning no username/password check, just the token decoding/validating...)

2
spring-securityjwtspring-security-oauth2

2 Answers

3
votes

The Cloudfoundry UAA is an open source OAuth2 Identity Managemennt Solution (Apache 2) which issues JWT tokens. You could look at the way it is implemented, or just use it yourself, either as a server or just the JARs. It implements a bunch of existing strategies in Spring OAuth. It also optionally has its own user database, or you can implement your own. There are lots of options and extension points and many people using it in various ways (not all with Cloudfoundry) because it was designed to be generic.

Spring OAuth 2.0 also has support for JWT tokens as well, but it isn't released yet (the bulk of the implementation is drawn from the UAA).

However, since you say you don't mind opaque tokens (and a database loookup) you might prefer just to use the JDBC support in Spring OAuth 1.0. It was in use in Cloudfoundry for quite some time before we moved to JWT, so I can vouch for it in production.

As to whether OAuth2 is a good choice for your use case: you are in the best position to decide that. Nothing you said so far makes me think it would be a bad idea. Here's a presentation I did if it helps (you can probably find it on YouTube in the SpringSource channel if you like that sort of thing).

0
votes

Alvaro Sánchez have developed a plugin with jwt compatibility. http://alvarosanchez.github.io/grails-spring-security-rest/1.5.0.RC4/docs/guide/tokenStorage.html#jwt

Install the current version in BuildConfig.groovy:

    compile ":spring-security-rest:1.5.0.RC4", {
        excludes: 'spring-security-core'
    }

You only must to change the secret option in Config.groovy

    grails.plugin.springsecurity.rest.token.storage.jwt.secret = 'YourSecretKey'

And set a chainMap to separate security managed with traditional mode from new rest stateless security.

    grails.plugin.springsecurity.filterChain.chainMap = [
        '/yourApi/**': 'JOINED_FILTERS,-exceptionTranslationFilter,-authenticationProcessingFilter,-securityContextPersistenceFilter,-rememberMeAuthenticationFilter',    // Stateless chain
        '/**': 'JOINED_FILTERS,-restTokenValidationFilter,-restExceptionTranslationFilter'                                                                          // Traditional chain
    ]

You can to manage authorization and authentication within your application with the spring-security-core plugin.