OAuth2 AS use shared secret key encoded JWT #springboot-oauth2-as-jwt
/**
 * Builds the authorization-server {@link SecurityFilterChain} and wires the custom
 * token generator into it.
 *
 * <p>Registered at {@link Ordered#HIGHEST_PRECEDENCE} so the authorization-server
 * endpoints are matched before any other security configuration. Default
 * authorization-server security is applied first; the client repository and the
 * token generator are then set on the {@link OAuth2AuthorizationServerConfigurer}
 * that {@code applyDefaultSecurity} installed on the builder.
 *
 * @param httpSecurity the builder for this filter chain
 * @param tokenGenerator the generator that decides the access-token format (JWT here)
 * @param registeredClientRepository the registered clients this server will accept
 * @return the built filter chain
 * @throws Exception propagated from {@link HttpSecurity#build()}
 */
@Bean
@Order(Ordered.HIGHEST_PRECEDENCE)
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity httpSecurity,
        OAuth2TokenGenerator<?> tokenGenerator,
        RegisteredClientRepository registeredClientRepository) throws Exception {
    OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(httpSecurity);
    httpSecurity.getConfigurer(OAuth2AuthorizationServerConfigurer.class)
            .registeredClientRepository(registeredClientRepository)
            // Installing the generator is what makes access tokens JWTs rather than opaque values.
            .tokenGenerator(tokenGenerator);
    return httpSecurity.build();
}
/**
 * Token generator that issues JWT access tokens signed by the shared-secret encoder.
 *
 * <p>Only a {@link JwtGenerator} is placed in the delegating generator, so token types
 * that {@code JwtGenerator} does not produce (refresh tokens, presumably) have no
 * generator here. A JWT refresh token would need a dedicated {@code JwtGenerator}
 * subclass added alongside this one.
 *
 * @param jwtEncoder the HS256 encoder bean qualified {@code sharedSecretJwtEncoder}
 * @param jwtCustomizer sets the JWS header so signing uses the shared secret without an RSA JWK set
 * @return a {@link DelegatingOAuth2TokenGenerator} wrapping the JWT generator
 */
@Bean
public OAuth2TokenGenerator<?> tokenGenerator(@Qualifier("sharedSecretJwtEncoder") JwtEncoder jwtEncoder,
        OAuth2TokenCustomizer<JwtEncodingContext> jwtCustomizer) {
    JwtGenerator accessTokenGenerator = new JwtGenerator(jwtEncoder);
    // The customizer switches the header algorithm to HS256 — see jwtCustomizer().
    accessTokenGenerator.setJwtCustomizer(jwtCustomizer);
    return new DelegatingOAuth2TokenGenerator(accessTokenGenerator);
}
// Used by tokenGenerator to set the JWS header algorithm
/**
 * Header customizer that forces HS256 on access and refresh tokens so that signing
 * can use the shared secret without an RSA JWK set.
 *
 * <p>Any other token type is left with whatever algorithm the generator set on the
 * header; extend the condition if those should be HMAC-signed as well.
 *
 * @return the customizer applied by {@link JwtGenerator} before encoding
 */
@Bean
public OAuth2TokenCustomizer<JwtEncodingContext> jwtCustomizer() {
    return context -> {
        OAuth2TokenType tokenType = context.getTokenType();
        boolean isAccessToken = tokenType.equals(OAuth2TokenType.ACCESS_TOKEN);
        boolean isRefreshToken = tokenType.equals(OAuth2TokenType.REFRESH_TOKEN);
        if (isAccessToken || isRefreshToken) {
            // HMAC-SHA256 with the shared secret; must match the key type built in jwkSource().
            context.getJwsHeader().algorithm(MacAlgorithm.HS256);
        }
        // Further header/claim customization can go here.
    };
}
// Used by tokenGenerator
/**
 * JWT encoder backed by the shared-secret {@link JWKSource}.
 *
 * <p>Qualified {@code sharedSecretJwtEncoder} so it can coexist with any other
 * {@link JwtEncoder} bean and be selected explicitly by {@code tokenGenerator}.
 * The JWS header must carry an HMAC algorithm for this encoder to sign with the
 * secret; {@code jwtCustomizer} takes care of that.
 *
 * @param jwkSource the {@code sharedSecretJwkSource} bean holding the HMAC key
 * @return a {@link NimbusJwtEncoder} over that source
 */
@Bean
@Qualifier("sharedSecretJwtEncoder")
public JwtEncoder jwtEncoder(@Qualifier("sharedSecretJwkSource") JWKSource<SecurityContext> jwkSource) {
    NimbusJwtEncoder sharedSecretEncoder = new NimbusJwtEncoder(jwkSource);
    return sharedSecretEncoder;
}
// Shared-secret-key based JWKSource - used by jwtEncoder
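/**
 * Shared-secret {@link JWKSource} used by {@code jwtEncoder} for HS256 signing.
 *
 * <p>The key material is the raw UTF-8 bytes of {@code jwt.shared-secret-key}, so the
 * key is only as strong as that string: generate it with a CSPRNG and inject it from a
 * secret store rather than a committed properties file. Because HMAC is symmetric,
 * every party that can verify these tokens can also mint them; keep the secret
 * confined to the authorization server and the resource servers that must verify it.
 *
 * <p>Fails fast at startup if the configured secret is missing or shorter than the
 * 256 bits (32 bytes) that RFC 7518 §3.2 requires for HS256, instead of surfacing a
 * weak or rejected key at the first token request.
 *
 * @param sharedSecretKey the configured secret; must encode to at least 32 UTF-8 bytes
 * @return an {@link ImmutableSecret} wrapping the secret as an HmacSHA256 key
 * @throws IllegalArgumentException if the secret is missing, empty, or too short
 */
@Bean
@Qualifier("sharedSecretJwkSource")
public JWKSource<SecurityContext> jwkSource(@Value("${jwt.shared-secret-key}") String sharedSecretKey) {
    if (sharedSecretKey == null || sharedSecretKey.isEmpty()) {
        throw new IllegalArgumentException("jwt.shared-secret-key must be set");
    }
    byte[] keyBytes = sharedSecretKey.getBytes(StandardCharsets.UTF_8);
    // HS256 needs a key at least as long as the hash output (256 bits); anything shorter is
    // below the RFC 7518 minimum, so reject it here rather than at signing time. The message
    // reports only the length, never the secret itself.
    if (keyBytes.length < 32) {
        throw new IllegalArgumentException(
                "jwt.shared-secret-key must be at least 32 bytes (256 bits) for HS256, got "
                        + keyBytes.length);
    }
    return new ImmutableSecret<SecurityContext>(new SecretKeySpec(keyBytes, "HmacSHA256"));
}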
# Authorization server - register a client with id "client"
# The client authenticates with client_secret_basic and may use the authorization_code,
# refresh_token and client_credentials grants for the "read" scope.
spring.security.oauth2.authorizationserver.client.clientrs.registration.client-id=client
spring.security.oauth2.authorizationserver.client.clientrs.registration.client-name=client
# "secret" is a demo placeholder; a real client needs a randomly generated secret that is
# supplied from outside source control.
spring.security.oauth2.authorizationserver.client.clientrs.registration.client-secret=secret
spring.security.oauth2.authorizationserver.client.clientrs.registration.client-authentication-methods=client_secret_basic
spring.security.oauth2.authorizationserver.client.clientrs.registration.authorization-grant-types=authorization_code,refresh_token,client_credentials
spring.security.oauth2.authorizationserver.client.clientrs.registration.scopes=read
# Plain http is acceptable for a loopback redirect during local development only.
spring.security.oauth2.authorizationserver.client.clientrs.registration.redirect-uris=http://localhost:8080/login/oauth2/code/client
# Short-lived access tokens (3 minutes) paired with 30-minute refresh tokens.
spring.security.oauth2.authorizationserver.client.clientrs.token.access-token-time-to-live=180s
spring.security.oauth2.authorizationserver.client.clientrs.token.refresh-token-time-to-live=1800s
# HS256 signing key consumed by jwkSource(): its UTF-8 bytes are the HMAC key, so it needs
# at least 32 bytes of CSPRNG-generated material. The value below is committed for the demo
# only; in practice supply it via an environment variable or a secret store, and rotate it
# whenever it may have been exposed.
jwt.shared-secret-key=a8b5ea4c-3b26-11ee-be56-0242ac120002