Home Explore Help
Register Sign In
github
/
spring-security
mirror of https://github.com/spring-projects/spring-security
2
0
Fork 0
Files Issues 0 Wiki
Tree: 8e9c044dcc
Branches Tags
spring-security
/
docs
/
modules
/
ROOT
/
pages
/
servlet
/
oauth2
/
resource-server
/
index.adoc

index.adoc 4.6 KB
History Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758 
  1. [[oauth2resourceserver]]
    2. 

  2. = OAuth 2.0 Resource Server
    3. 

  3. :figures: servlet/oauth2
    4. 

  4. 

  5. Spring Security supports protecting endpoints by using two forms of OAuth 2.0 https://tools.ietf.org/html/rfc6750.html[Bearer Tokens]:
    6. 

  6. 

  7. * https://tools.ietf.org/html/rfc7519[JWT]
    8. 

  8. * Opaque Tokens
    9. 

  9. 

  10. This is handy in circumstances where an application has delegated its authority management to an https://tools.ietf.org/html/rfc6749[authorization server] (for example, Okta or Ping Identity).
    11. 

  11. This authorization server can be consulted by resource servers to authorize requests.
    12. 

  12. 

  13. This section details how Spring Security provides support for OAuth 2.0 https://tools.ietf.org/html/rfc6750.html[Bearer Tokens].
    14. 

  14. 

  15. [NOTE]
    16. 

  16. ====
    17. 

  17. Working samples for both {gh-samples-url}/servlet/spring-boot/java/oauth2/resource-server/jwe[JWTs] and {gh-samples-url}/servlet/spring-boot/java/oauth2/resource-server/opaque[Opaque Tokens] are available in the {gh-samples-url}[Spring Security Samples repository].
    18. 

  18. ====
    19. 

  19. 

  20. Now we can consider how Bearer Token Authentication works within Spring Security.
    21. 

  21. First, we see that, as with xref:servlet/authentication/passwords/basic.adoc#servlet-authentication-basic[Basic Authentication], the https://tools.ietf.org/html/rfc7235#section-4.1[WWW-Authenticate] header is sent back to an unauthenticated client:
    22. 

  22. 

  23. .Sending WWW-Authenticate Header
    24. 

  24. image::{figures}/bearerauthenticationentrypoint.png[]
    25. 

  25. 

  26. The figure above builds off our xref:servlet/architecture.adoc#servlet-securityfilterchain[`SecurityFilterChain`] diagram.
    27. 

  27. 

  28. image:{icondir}/number_1.png[] First, a user makes an unauthenticated request to the `/private` resource for which the user is not authorized.
    29. 

  29. 

  30. image:{icondir}/number_2.png[] Spring Security's xref:servlet/authorization/authorize-http-requests.adoc[`AuthorizationFilter`] indicates that the unauthenticated request is _Denied_ by throwing an `AccessDeniedException`.
    31. 

  31. 

  32. image:{icondir}/number_3.png[] Since the user is not authenticated, xref:servlet/architecture.adoc#servlet-exceptiontranslationfilter[`ExceptionTranslationFilter`] initiates _Start Authentication_.
    33. 

  33. The configured xref:servlet/authentication/architecture.adoc#servlet-authentication-authenticationentrypoint[`AuthenticationEntryPoint`] is an instance of {security-api-url}org/springframework/security/oauth2/server/resource/authentication/BearerTokenAuthenticationEntryPoint.html[`BearerTokenAuthenticationEntryPoint`], which sends a `WWW-Authenticate` header.
    34. 

  34. The `RequestCache` is typically a `NullRequestCache` that does not save the request, since the client is capable of replaying the requests it originally requested.
    35. 

  35. 

  36. When a client receives the `WWW-Authenticate: Bearer` header, it knows it should retry with a bearer token.
    37. 

  37. The following image shows the flow for the bearer token being processed:
    38. 

  38. 

  39. [[oauth2resourceserver-authentication-bearertokenauthenticationfilter]]
    40. 

  40. .Authenticating Bearer Token
    41. 

  41. image::{figures}/bearertokenauthenticationfilter.png[]
    42. 

  42. 

  43. The figure builds off our xref:servlet/architecture.adoc#servlet-securityfilterchain[`SecurityFilterChain`] diagram.
    44. 

  44. 

  45. image:{icondir}/number_1.png[] When the user submits their bearer token, the `BearerTokenAuthenticationFilter` creates a `BearerTokenAuthenticationToken` which is a type of xref:servlet/authentication/architecture.adoc#servlet-authentication-authentication[`Authentication`] by extracting the token from the `HttpServletRequest`.
    46. 

  46. 

  47. image:{icondir}/number_2.png[] Next, the `HttpServletRequest` is passed to the `AuthenticationManagerResolver`, which selects the `AuthenticationManager`. The `BearerTokenAuthenticationToken` is passed into the `AuthenticationManager` to be authenticated.
    48. 

  48. The details of what `AuthenticationManager` looks like depends on whether you're configured for xref:servlet/oauth2/resource-server/jwt.adoc#oauth2resourceserver-jwt-minimalconfiguration[JWT] or xref:servlet/oauth2/resource-server/opaque-token.adoc#oauth2resourceserver-opaque-minimalconfiguration[opaque token].
    49. 

  49. 

  50. image:{icondir}/number_3.png[] If authentication fails, then __Failure__
    51. 

  51. 

  52. * The xref:servlet/authentication/architecture.adoc#servlet-authentication-securitycontextholder[SecurityContextHolder] is cleared out.
    53. 

  53. * The `AuthenticationEntryPoint` is invoked to trigger the WWW-Authenticate header to be sent again.
    54. 

  54. 

  55. image:{icondir}/number_4.png[] If authentication is successful, then __Success__.
    56. 

  56. 

  57. * The xref:servlet/authentication/architecture.adoc#servlet-authentication-authentication[Authentication] is set on the xref:servlet/authentication/architecture.adoc#servlet-authentication-securitycontextholder[SecurityContextHolder].
    58. 

  58. * The `BearerTokenAuthenticationFilter` invokes `FilterChain.doFilter(request,response)` to continue with the rest of the application logic.
    59.