The first thing to note is that Spring Security OAuth 2.4.0 officially deprecates all its classes. The second thing is that according to the Spring Security – OAuth 2.0 Features Matrix – FAQ: We are no longer planning on adding Authorization Server support to Spring Security. One solution is to use an OAuth2 authorization server … Read more
OAuth 2.0 Client features of Spring Security 5.2.x do not support RestTemplate, but only WebClient. See Spring Security Reference: HTTP Client support WebClient integration for Servlet Environments (for requesting protected resources) In addition, RestTemplate will be deprecated in a future version. See RestTemplate javadoc: NOTE: As of 5.0, the non-blocking, reactive org.springframework.web.reactive.client.WebClient offers a modern … Read more
So you want to use Oauth2 in your application, and you want to use the password flow. You can use the spring security oauth2-resource-server project to implement a resource server. In your resource server you can use the ResourceOwnerPasswordResourceDetails to provide the client_id, client_secret, username and password, The Oauth2RestTemplate can be used to call the … Read more
To test resource server security effectively, both with MockMvc and a RestTemplate it helps to configure an AuthorizationServer under src/test/java: AuthorizationServer @Configuration @EnableAuthorizationServer @SuppressWarnings(“static-method”) class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter { @Bean public JwtAccessTokenConverter accessTokenConverter() throws Exception { JwtAccessTokenConverter jwt = new JwtAccessTokenConverter(); jwt.setSigningKey(SecurityConfig.key(“rsa”)); jwt.setVerifierKey(SecurityConfig.key(“rsa.pub”)); jwt.afterPropertiesSet(); return jwt; } @Autowired private AuthenticationManager authenticationManager; @Override public void configure(final … Read more
When you are configuring the ClientDetailsServiceConfigurer, you have to also apply the new password storage format to the client secret. .secret(“{noop}secret”)
In general the easiest answer would be to say that you cannot revoke a JWT token, but that’s simply not true. The honest answer is that the cost of supporting JWT revocation is sufficiently big for not being worth most of the times or plainly reconsider an alternative to JWT. Having said that, in some … Read more