Microservices are very popular in application architecture, and more and more enterprises are breaking single-instance (monolithic) systems into microservices. Ideally, the individual services can be built by different teams in different programming languages such as Node.js, Java, Go or others. Security is ALWAYS one of the top factors to take into consideration during design. Spring.io provides a series of practical frameworks that help developers construct, manage and monitor microservices. In our engineering work, we built RESTful services with Spring Boot and secured them with Spring Security, the OAuth2 model, and JSON Web Tokens (JWT).
What is the Spring OAuth2 Mechanism?
OAuth2 is quite different from OAuth1, though they share some features. In the OAuth2 model there is an authorization server and a number of resource servers that are protected by the authorization server, as shown in the diagram below:
With Spring Security, a client first obtains a token from the authorization server and then presents it on each REST call to a resource server; every request must pass the security filter chain (including any user-defined filters) before it reaches the resource. The resources can span applications: for example, the customer service, the transportation service and the order service may be exposed by different services, each verifying the same tokens. Among the several endpoints the authorization server exposes, two are the important ones: the authorization endpoint and the token endpoint, which clients use to obtain tokens for service requests. As the authorization provider, we configure which grant types each client may use (authorization code, password, client credentials, implicit or refresh token), or plug in a custom token granter.
In our case we have to handle different types of users, such as enterprise employees and public social-network users, so we have implemented authentication for them with a custom user details service.
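The resource-server side of the architecture above, as an added example (not code from the original article or from the Spring samples): a Spring Boot service that verifies the authorization server's JWTs with the RSA public key only, rejects tokens not issued for it, and enforces scopes per route. The controller at the end shows how a resource method gets the caller's user name: Spring MVC's argument resolver fills the `Principal` parameter from the authentication the token filter established. The property name `order.jwt.public-key`, the resource id `order-service` and the `/orders` routes are assumptions for illustration.

```java
package example.resource;

import java.security.Principal;
import java.util.Collections;
import java.util.Map;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

/**
 * Resource server for the "order" service. Assumes spring-security-oauth2 2.x;
 * the property, resource id and routes are illustrative, not from the article.
 */
@Configuration
@EnableResourceServer
public class OrderResourceServerConfig extends ResourceServerConfigurerAdapter {

    // Assumption: the authorization server's RSA public key, PEM encoded, is
    // supplied through configuration. This service never holds the private key.
    @Value("${order.jwt.public-key}")
    private String verifierKey;

    /** Verifies JWT signatures; with only a verifier key it cannot mint tokens. */
    @Bean
    public JwtAccessTokenConverter accessTokenConverter() {
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        converter.setVerifierKey(verifierKey);
        return converter;
    }

    /** JwtTokenStore reads everything from the token itself; no shared database. */
    @Bean
    public TokenStore tokenStore() {
        return new JwtTokenStore(accessTokenConverter());
    }

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        // A token whose "aud" claim does not list "order-service" is rejected,
        // so a token minted for another resource server cannot be replayed here.
        resources.resourceId("order-service")
                 .tokenStore(tokenStore());
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
                // Scope checks: reading orders needs "read", changing them needs "write".
                .antMatchers(HttpMethod.GET, "/orders/**").access("#oauth2.hasScope('read')")
                .antMatchers(HttpMethod.POST, "/orders/**").access("#oauth2.hasScope('write')")
                .anyRequest().authenticated();
    }
}

/** Example resource that needs the caller's identity. */
@RestController
class OrderController {

    // The resolver fills Principal from the OAuth2 authentication built by the
    // token filter, so the user name comes from the verified JWT, not from input.
    @GetMapping("/orders/mine")
    public Map<String, String> mine(Principal principal) {
        return Collections.singletonMap("owner", principal.getName());
    }
}
```

Two things to check when wiring this up: the session policy is STATELESS so a stolen session cookie cannot substitute for a token, and the `resourceId` only protects you if the authorization server actually puts it in the client's `resourceIds` (the JWT `aud` claim); an empty `aud` is accepted by default.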
How to Implement the Authorization and Token Configuration
Spring's dependency injection simplifies most of the wiring. The steps required to make the authorization process work are:
- Register a bean or add a configuration class annotated with @EnableAuthorizationServer.
- Extend AuthorizationServerConfigurerAdapter,
- or implement AuthorizationServerConfigurer directly. Either way, the configuration class overrides three configure methods, which means completing three parts of the configuration: AuthorizationServerSecurityConfigurer, ClientDetailsServiceConfigurer, and AuthorizationServerEndpointsConfigurer.
- With the ClientDetailsServiceConfigurer, configure where the client details are kept. By default they are held in memory; a JDBC-backed store is also available. (The token store is selected in the endpoints configurer, below.)
- Configure the client details by providing the client id and secret, the scopes and authorized grant types, and the token expiration times. Note: user details and client details are different concepts in Spring OAuth. The client is the application requesting a token; the user is the person on whose behalf it acts.
- In the AuthorizationServerEndpointsConfigurer, bind the specific UserDetailsService, TokenStore and AuthenticationManager.
- In either Spring Boot or Spring MVC projects, an argument resolver intercepts the service request when a controller needs information such as the user name. The user authorization logic itself goes in the UserDetailsService.
- Finally, configure a token converter (JwtAccessTokenConverter) so that issued tokens are in JSON Web Token format.
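The steps above carried through as one complete authorization server configuration. This is an added example, not code from the original article or from the Spring samples, and it targets the spring-security-oauth2 2.x API described in this post (that project has since reached end of life, but these are its real classes and methods). The keystore `jwt.jks`, its alias and password, the client id `web-client` and its secret are illustrative assumptions. The AuthenticationManager and the custom UserDetailsService are assumed to be exposed as beans by the application's WebSecurityConfigurerAdapter.

```java
package example.auth;

import java.security.KeyPair;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.ClassPathResource;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;
import org.springframework.security.oauth2.provider.token.store.KeyStoreKeyFactory;

/**
 * Authorization server wiring for the steps listed above. Assumes
 * spring-security-oauth2 2.x; keystore, client id and secret are illustrative.
 */
@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

    // Assumption: both beans are exposed by the application's
    // WebSecurityConfigurerAdapter (the AuthenticationManager via @Bean, the
    // UserDetailsService being the custom one that holds our user lookup logic).
    private final AuthenticationManager authenticationManager;
    private final UserDetailsService userDetailsService;
    private final PasswordEncoder passwordEncoder;

    public AuthorizationServerConfig(AuthenticationManager authenticationManager,
                                     UserDetailsService userDetailsService,
                                     PasswordEncoder passwordEncoder) {
        this.authenticationManager = authenticationManager;
        this.userDetailsService = userDetailsService;
        this.passwordEncoder = passwordEncoder;
    }

    /** Converts issued tokens to JWTs signed with an RSA private key. */
    @Bean
    public JwtAccessTokenConverter accessTokenConverter() {
        // Assumption: jwt.jks on the classpath holds an RSA key pair under alias "jwt".
        // Signing asymmetrically means resource servers only ever hold the public key,
        // so a compromised resource server cannot forge tokens for the others.
        KeyPair keyPair = new KeyStoreKeyFactory(
                new ClassPathResource("jwt.jks"), "keystore-password".toCharArray())
                .getKeyPair("jwt");
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        converter.setKeyPair(keyPair);
        return converter;
    }

    /** JwtTokenStore persists nothing; the signed JWT itself carries the state. */
    @Bean
    public TokenStore tokenStore() {
        return new JwtTokenStore(accessTokenConverter());
    }

    // Part 1: access rules for the /oauth/token_key and /oauth/check_token endpoints.
    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) {
        security.tokenKeyAccess("permitAll()")          // public key may be fetched anonymously
                .checkTokenAccess("isAuthenticated()")  // introspection requires client credentials
                .passwordEncoder(passwordEncoder);      // client secrets are compared as hashes
    }

    // Part 2: client details (distinct from user details). Secrets are stored encoded.
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
                .withClient("web-client")
                .secret(passwordEncoder.encode("web-client-secret")) // assumption: real secret comes from config
                .resourceIds("order-service")                         // becomes the JWT "aud" claim
                .scopes("read", "write")
                .authorizedGrantTypes("password", "refresh_token")
                .accessTokenValiditySeconds(900)      // 15 minutes: a JWT cannot be revoked, so keep it short
                .refreshTokenValiditySeconds(86400);  // 1 day
    }

    // Part 3: bind the endpoints to the token store, converter, user store and manager.
    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
        endpoints.tokenStore(tokenStore())
                .accessTokenConverter(accessTokenConverter())
                .authenticationManager(authenticationManager) // required for the password grant
                .userDetailsService(userDetailsService);      // required for the refresh_token grant
    }
}
```

The design choices worth copying are the asymmetric key (resource servers verify with the public half only), the hashed client secret (Spring Security 5 refuses plaintext secrets unless a PasswordEncoder is configured), the `resourceIds` that let each resource server reject tokens minted for another service, and the short access-token lifetime, since a stateless JWT store cannot revoke a token before it expires.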
There are many ways to implement the OAuth2 model, and a good way to get started is to look at the sample apps: https://github.com/spring-projects/spring-security-oauth/tree/master/samples/oauth2