spring boot OAuth2 role based authorization

8
votes

We have a dedicated authorization server extending AuthorizationServerConfigurerAdapter, where we have set authorities overriding void configure(ClientDetailsServiceConfigurer clients) method.

    @Configuration
    @EnableAuthorizationServer
    protected static class OAuth2Config extends AuthorizationServerConfigurerAdapter {

    @Value('${oauth.clientId}')
    private String clientId

    @Value('${oauth.secret:}')
    private String secret

    @Value('${oauth.resourceId}')
    private String resourceId

    @Autowired
    @Qualifier('authenticationManagerBean')
    private AuthenticationManager authenticationManager

    @Bean
    public JwtAccessTokenConverter accessTokenConverter() {
        return new JwtAccessTokenConverter();
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
        oauthServer.checkTokenAccess("permitAll()")
        oauthServer.allowFormAuthenticationForClients()
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.authenticationManager(authenticationManager)
                .accessTokenConverter(accessTokenConverter())
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
                .withClient(clientId)
                .secret(secret)
                .authorizedGrantTypes("password", "authorization_code", "refresh_token", "implicit")
                .authorities("USER", "ADMIN")
                .scopes("read", "write", "trust")
                .resourceIds(resourceId)
    }

Now how to use the authorities in the resource server for role based authorization. We are able to authenticate via authorization server generated token. Need help.

2
oauth-2.0spring-bootspring-security-oauth2spring-oauth2

2 Answers

9
votes

In the resource server you should extend the ResourceServerConfigurerAdapter to configure the requestMatchers and set the role for each resource. 

@Configuration
@EnableResourceServer
public class OAuth2Config extends ResourceServerConfigurerAdapter {

    @Value("${keys.public}")
    private String publicKey;

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
                .requestMatchers()
                .antMatchers("/**")
                .and()
                .authorizeRequests()
                .antMatchers("/service1/**").access("#oauth2.hasScope('ADMIN')")
                .antMatchers("/service2/**").access("#oauth2.hasScope('USER')");
    }

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
        resources.tokenStore(tokenStore());
    }

    @Bean
    public TokenStore tokenStore() {
        return new JwtTokenStore(jwtAccessTokenConverter());
    }

    @Bean
    public JwtAccessTokenConverter jwtAccessTokenConverter() {
        JwtAccessTokenConverter tokenConverter = new JwtAccessTokenConverter();
        tokenConverter.setVerifierKey(publicKey);
        return tokenConverter;
    }
}
1
votes

You have received a token from the auth server. You can now use that token to make another request to the auth server to retrieve the user object. This json object would contain roles(authority). The request would look like as follows.

    curl -H "Authorization: Bearer 2a953581-e9c9-4278-b42e-8af925f49a99"  
    http://localhost:9999/uaa/user

In order to do this, you need to create user service endpoint and implement UserDetailsService also.

    @RequestMapping("/user")
public Principal user(Principal user) {
    return user;
}
    @Bean
     UserDetailsService userDetailsService.....

The role list is created and set in the org.springframework.security.core.userdetailsin the UserDetailsService.User as follows. 

AuthorityUtils.createAuthorityList("ROLE_USER", "ROLE_ADMIN"));