OAuth2 AS use shared secret key encoded JWT #springboot-oauth2-as-jwt
@Bean
@Order(Ordered.HIGHEST_PRECEDENCE)
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity httpSecurity,
        OAuth2TokenGenerator<?> tokenGenerator,
        RegisteredClientRepository registeredClientRepository) throws Exception {
    /*
     * Builds the authorization-server filter chain.
     *
     * Ordered with HIGHEST_PRECEDENCE so the authorization-server endpoints are matched
     * before any other application security chain.
     *
     * httpSecurity                the builder to configure
     * tokenGenerator              generator deciding the token format (the JWT one from below)
     * registeredClientRepository  store of the OAuth2 clients allowed to use this server
     * returns the built SecurityFilterChain
     * throws Exception if HttpSecurity.build() fails
     */
    // Installs the protocol endpoints and their default protection; the configurer queried
    // on the next line is only attached to the HttpSecurity after this call.
    OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(httpSecurity);
    OAuth2AuthorizationServerConfigurer asConfigurer =
            httpSecurity.getConfigurer(OAuth2AuthorizationServerConfigurer.class);
    // The generator is the single point that selects JWT as the access-token format;
    // the filter chain itself is format-agnostic.
    asConfigurer
            .registeredClientRepository(registeredClientRepository)
            .tokenGenerator(tokenGenerator);
    return httpSecurity.build();
}
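@Bean
public OAuth2TokenGenerator<?> tokenGenerator(@Qualifier("sharedSecretJwtEncoder") JwtEncoder jwtEncoder,
        OAuth2TokenCustomizer<JwtEncodingContext> jwtCustomizer) {
    /*
     * Token generator used by the authorization server.
     *
     * jwtEncoder     the shared-secret (HS256) encoder declared below
     * jwtCustomizer  header customizer declared below; pins the JWS algorithm so no JWKSet is needed
     * returns a delegating generator: JWT for access/ID tokens, opaque strings for refresh tokens
     */
    // Access tokens (and ID tokens) are signed JWTs produced with the injected encoder.
    JwtGenerator jwtGenerator = new JwtGenerator(jwtEncoder);
    // The customizer sets HS256 on the JWS header, so a JWKSet / asymmetric key pair is not required.
    jwtGenerator.setJwtCustomizer(jwtCustomizer);
    // JwtGenerator only handles ACCESS_TOKEN and ID_TOKEN and returns null for REFRESH_TOKEN.
    // The client configuration for this server enables the refresh_token grant, and with the
    // JWT generator as the only delegate the token endpoint would reject those requests because
    // no delegate produced a refresh token. The opaque refresh-token generator fills that gap;
    // a JwtGenerator subclass handling REFRESH_TOKEN would replace it if refresh tokens must be JWTs.
    // Fully qualified here because the file's import block is not part of this snippet.
    return new DelegatingOAuth2TokenGenerator(jwtGenerator,
            new org.springframework.security.oauth2.server.authorization.token.OAuth2RefreshTokenGenerator());
}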
// Used by tokenGenerator to set the JWS header (signing algorithm) on each token
@Bean
public OAuth2TokenCustomizer<JwtEncodingContext> jwtCustomizer() {
    /*
     * Header customizer applied by JwtGenerator before encoding.
     *
     * returns a customizer that selects HS256 for access and refresh tokens and leaves
     *         all other token types untouched
     */
    return context -> {
        JwsHeader.Builder jwsHeader = context.getJwsHeader();
        OAuth2TokenType tokenType = context.getTokenType();
        boolean symmetricallySigned = tokenType.equals(OAuth2TokenType.ACCESS_TOKEN)
                || tokenType.equals(OAuth2TokenType.REFRESH_TOKEN);
        if (symmetricallySigned) {
            // HS256 is symmetric: the same shared secret signs and verifies, so every
            // resource server holding the key can also mint tokens. Keep the key's
            // distribution as narrow as possible.
            jwsHeader.algorithm(MacAlgorithm.HS256);
        }
        // Further customization (extra claims or headers) would go here.
    };
}
// Used by tokenGenerator to sign tokens
@Bean
@Qualifier("sharedSecretJwtEncoder")
public JwtEncoder jwtEncoder(@Qualifier("sharedSecretJwkSource") JWKSource<SecurityContext> jwkSource) {
    /*
     * JWT encoder backed by the shared-secret JWKSource declared below.
     *
     * jwkSource  source holding the single HMAC secret
     * returns a Nimbus encoder that signs with that secret
     */
    // Nimbus picks the key from the source according to the JWS header, which the
    // customizer sets to HS256, so the shared secret is what ends up signing.
    NimbusJwtEncoder sharedSecretEncoder = new NimbusJwtEncoder(jwkSource);
    return sharedSecretEncoder;
}
// Shared-secret-key-based JWKSource - used by jwtEncoder
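@Bean
@Qualifier("sharedSecretJwkSource")
public JWKSource<SecurityContext> jwkSource(@Value("${jwt.shared-secret-key}") String sharedSecretKey) {
    /*
     * JWKSource wrapping the configured shared secret as an HmacSHA256 key.
     *
     * sharedSecretKey  value of jwt.shared-secret-key; its UTF-8 bytes are the raw key
     * returns an immutable single-key source
     * throws IllegalArgumentException if the key is shorter than 32 bytes (256 bits)
     */
    // HS256 requires a key of at least 256 bits (RFC 7518 §3.2). Nimbus enforces this when
    // signing, which would only surface on the first token request; checking here makes a
    // misconfigured deployment fail at startup instead.
    byte[] keyBytes = sharedSecretKey == null
            ? new byte[0]
            : sharedSecretKey.getBytes(StandardCharsets.UTF_8);
    if (keyBytes.length < 32) {
        // Report only the length; never include the key material in the message.
        throw new IllegalArgumentException(
                "jwt.shared-secret-key must be at least 32 bytes (256 bits) for HS256, got " + keyBytes.length);
    }
    // A printable string carries less entropy than its byte length suggests; the key should be
    // randomly generated and supplied from a secret store rather than committed in properties.
    return new ImmutableSecret<>(new SecretKeySpec(keyBytes, "HmacSHA256"));
}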
# Authorization server - register the client with id "client"
spring.security.oauth2.authorizationserver.client.clientrs.registration.client-id=client | |
spring.security.oauth2.authorizationserver.client.clientrs.registration.client-name=client | |
spring.security.oauth2.authorizationserver.client.clientrs.registration.client-secret=secret | |
spring.security.oauth2.authorizationserver.client.clientrs.registration.client-authentication-methods=client_secret_basic | |
spring.security.oauth2.authorizationserver.client.clientrs.registration.authorization-grant-types=authorization_code,refresh_token,client_credentials | |
spring.security.oauth2.authorizationserver.client.clientrs.registration.scopes=read | |
spring.security.oauth2.authorizationserver.client.clientrs.registration.redirect-uris=http://localhost:8080/login/oauth2/code/client | |
spring.security.oauth2.authorizationserver.client.clientrs.token.access-token-time-to-live=180s | |
spring.security.oauth2.authorizationserver.client.clientrs.token.refresh-token-time-to-live=1800s |
jwt.shared-secret-key=a8b5ea4c-3b26-11ee-be56-0242ac120002 |