github
/
spring-security-samples
镜像来自 https://github.com/spring-projects/spring-security-samples


			
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155
							= OAuth 2.0 Resource Server Sample

This sample demonstrates integrating Resource Server with a mock Authorization Server, though it can be modified to integrate
with your favorite Authorization Server.

With it, you can run the integration tests or run the application as a stand-alone service to explore how you can
secure your own service with OAuth 2.0 Bearer Tokens using Spring Security.

== 1. Running the tests

To run the tests, do:

```bash
./gradlew integrationTest
```

Or import the project into your IDE and run `OAuth2ResourceServerApplicationTests` from there.

=== What is it doing?

By default, the tests are pointing at a mock Authorization Server instance.

The tests are configured with a set of hard-coded tokens originally obtained from the mock Authorization Server,
and each makes a query to the Resource Server with their corresponding token.

The Resource Server subsequently verifies with the Authorization Server and authorizes the request, returning either the
phrase

```bash
Hello, subject for tenantOne!
```

where "subject" is the value of the `sub` field in the JWT sent in the `Authorization` header,

or the phrase
```bash
Hello, subject for tenantTwo!
```
where "subject" is the value of the `sub` field in the Introspection response from the Authorization Server.


== 2. Running the app

To run as a stand-alone application, do:

```bash
./gradlew bootRun
```

Or import the project into your IDE and run `OAuth2MultitenancyResourceServerApplication` from there.

=== Authorizing with tenantOne (JWT)

Once it is up, you can use the following token:

```bash
export TOKEN=eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJzdWJqZWN0IiwiZXhwIjo0NjgzODA1MTI4fQ.ULEPdHG-MK5GlrTQMhgqcyug2brTIZaJIrahUeq9zaiwUSdW83fJ7W1IDd2Z3n4a25JY2uhEcoV95lMfccHR6y_2DLrNvfta22SumY9PEDF2pido54LXG6edIGgarnUbJdR4rpRe_5oRGVa8gDx8FnuZsNv6StSZHAzw5OsuevSTJ1UbJm4UfX3wiahFOQ2OI6G-r5TB2rQNdiPHuNyzG5yznUqRIZ7-GCoMqHMaC-1epKxiX8gYXRROuUYTtcMNa86wh7OVDmvwVmFioRcR58UWBRoO1XQexTtOQq_t8KYsrPZhb9gkyW8x2bAQF-d0J0EJY8JslaH6n4RBaZISww
```

And then make this request:

```bash
curl -H "Authorization: Bearer $TOKEN" localhost:8080/tenantOne
```

Which will respond with the phrase:

```bash
Hello, subject for tenantOne!
```

where `subject` is the value of the `sub` field in the JWT sent in the `Authorization` header.

Or this:

```bash
export TOKEN=eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJzdWJqZWN0Iiwic2NvcGUiOiJtZXNzYWdlOnJlYWQiLCJleHAiOjQ2ODM4MDUxNDF9.h-j6FKRFdnTdmAueTZCdep45e6DPwqM68ZQ8doIJ1exi9YxAlbWzOwId6Bd0L5YmCmp63gGQgsBUBLzwnZQ8kLUgUOBEC3UzSWGRqMskCY9_k9pX0iomX6IfF3N0PaYs0WPC4hO1s8wfZQ-6hKQ4KigFi13G9LMLdH58PRMK0pKEvs3gCbHJuEPw-K5ORlpdnleUTQIwINafU57cmK3KocTeknPAM_L716sCuSYGvDl6xUTXO7oPdrXhS_EhxLP6KxrpI1uD4Ea_5OWTh7S0Wx5LLDfU6wBG1DowN20d374zepOIEkR-Jnmr_QlR44vmRqS5ncrF-1R0EGcPX49U6A

curl -H "Authorization: Bearer $TOKEN" localhost:8080/tenantOne/message
```

Will respond with:

```bash
secret message for tenantOne
```

=== Authorizing with tenantTwo (Opaque token)

Once it is up, you can use the following token:

```bash
export TOKEN=00ed5855-1869-47a0-b0c9-0f3ce520aee7
```

And then make this request:

```bash
curl -H "Authorization: Bearer $TOKEN" localhost:8080/tenantTwo
```

Which will respond with the phrase:

```bash
Hello, subject for tenantTwo!
```

where `subject` is the value of the `sub` field in the Introspection response from the Authorization Server.

Or this:

```bash
export TOKEN=b43d1500-c405-4dc9-b9c9-6cfd966c34c9

curl -H "Authorization: Bearer $TOKEN" localhost:8080/tenantTwo/message
```

Will respond with:

```bash
secret message for tenantTwo
```

== 2. Testing against other Authorization Servers

_In order to use this sample, your Authorization Server must support JWTs that either use the "scope" or "scp" attribute._

To change the sample to point at your Authorization Server, simply find these properties in the `application.yml`:

```yaml
tenantOne.jwk-set-uri: ${mockwebserver.url}/.well-known/jwks.json
tenantTwo.introspection-uri: ${mockwebserver.url}/introspect
tenantTwo.introspection-client-id: client
tenantTwo.introspection-client-secret: secret
```

And change the properties to your Authorization Server's JWK set endpoint and
introspection endpoint, including its client id and secret

```yaml
tenantOne.jwk-set-uri: https://dev-123456.oktapreview.com/oauth2/default/v1/keys
tenantTwo.introspection-uri: https://dev-123456.oktapreview.com/oauth2/default/v1/introspect
tenantTwo.introspection-client-id: client
tenantTwo.introspection-client-secret: secret
```

And then you can run the app the same as before:

```bash
./gradlew bootRun
```

Make sure to obtain valid tokens from your Authorization Server in order to play with the sample Resource Server.
To use the `/` endpoint, any valid token from your Authorization Server will do.
To use the `/message` endpoint, the token should have the `message:read` scope.