wingzero0/docker-spring-boot-oauth2

build and test notes

Build a Spring Boot OAuth2 server backed by a MariaDB or PostgreSQL database.

init schema

develop and run the app

The default application.properties connects to MariaDB. If you run in a dev container / Gitpod, replace the datasource config in every application.properties with the PostgreSQL settings below:

spring.datasource.url=jdbc:postgresql://postgresqldb:5432/authorization_server
spring.datasource.username=postgres
spring.datasource.password=example
spring.datasource.driver-class-name=org.postgresql.Driver

running ssoserver (the authentication server) at localhost:8081/auth

cd ssoserver/npmLib
npm install
npm run postbuild
cd ../../
# edit ssoserver/src/main/resources/application.properties to change db connection
mvn clean compile spring-boot:run -pl ssoserver -am

running role-server (the resource server) at localhost:8082/res

# edit role-server/src/main/resources/application.properties to change db connection
mvn spring-boot:run -pl role-server -am

running ssoclient (the client application, with server-side authentication) at 127.0.0.1:8080. Because the redirect-uri stored in the db is registered as 127.0.0.1, it cannot be changed to localhost: the authorization server matches redirect_uri exactly against the registered value. The client prompts for username:password at localhost:8081/auth and checks roles through localhost:8082/res.

mvn spring-boot:run -pl ssoclient -am

package and run war file

cd ssoserver/npmLib && npm ci && npm run postbuild && cd ../../
mvn clean compile package
cp role-server/target/*.war role-server.war
cp ssoserver/target/*.war ssoserver.war

touch application-sso.properties
# add db connection, server.port, server.servlet.context-path to application-sso.properties to override the default values
java -jar ssoserver.war --spring.profiles.active=sso

touch application-role.properties
# add db connection, server.port, server.servlet.context-path to application-role.properties to override the default values
java -jar role-server.war --spring.profiles.active=role

testing command

test client_credentials authentication

# for spring-security-oauth2-authorization-server, if the client's client_authentication_methods is "client_secret_basic",
# you need to base64-encode "client_id:client_secret" and send it in the header "Authorization: Basic base64(client_id:client_secret)"
# (the value below decodes to messaging-client2:secret). scope is optional.
curl -v -X POST \
	http://localhost:8081/auth/oauth2/token \
	-F scope="message.read message.write" \
	-F grant_type=client_credentials \
	-H "Authorization: Basic bWVzc2FnaW5nLWNsaWVudDI6c2VjcmV0"

# for spring-security-oauth2-authorization-server, if the client's client_authentication_methods is "client_secret_post",
# client_id and client_secret are sent as form parameters instead of in the Authorization header
curl -v -X POST \
	http://localhost:8081/auth/oauth2/token \
	-F scope="message.read message.write" \
	-F grant_type=client_credentials \
	-F client_id=messaging-client2 \
	-F client_secret=secret

authentication

Generate an access token with the client_credentials or authorization_code grant. The password grant is not supported.

# TODO write example about authorization_code

use access token to visit resource server

# if your token has scope message.read, you could try this
curl -v http://localhost:8082/res/api/testScopeRead -H "Authorization: Bearer xxxx"
# if your token has scope app_role
curl -v http://localhost:8082/res/api/appRole -H "Authorization: Bearer xxxx"
# you will get 403 if the token does not carry the scope the endpoint requires

revoke access token and refresh_token

curl -v -X POST http://localhost:8081/auth/oauth2/revoke \
 -H "Authorization: Basic bWVzc2FnaW5nLWNsaWVudDI6c2VjcmV0" \
 -F token_type_hint=access_token \
 -F token=xxx

curl -v -X POST http://localhost:8081/auth/oauth2/revoke \
 -H "Authorization: Basic bWVzc2FnaW5nLWNsaWVudDI6c2VjcmV0" \
 -F token_type_hint=refresh_token \
 -F token=xxx

refresh

curl -v -X POST \
	http://localhost:8081/auth/oauth2/token \
	-H "Authorization: Basic bWVzc2FnaW5nLWNsaWVudDI6c2VjcmV0" \
	-F grant_type=refresh_token \
	-F refresh_token=xxx

introspect endpoint

For the resource server to verify a token: it forwards the token to the auth server, which reports whether the token is still valid (active) and what it carries.

# the client_id and client_secret used here need not belong to the client the token was issued to;
# that is, a token issued to messaging-client can still be introspected with messaging-client2's credentials
curl -v -X POST \
	http://localhost:8081/auth/oauth2/introspect \
	-H "Authorization: Basic bWVzc2FnaW5nLWNsaWVudDI6c2VjcmV0" \
	-F token=xxx

# response will look like below.
# {"active":true,"sub":"messaging-client2","aud":["messaging-client2"],"nbf":1675400912,"scope":"app_role","iss":"http://localhost:8081/auth","exp":1675401212,"iat":1675400912,"client_id":"messaging-client2","token_type":"Bearer"}
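The sections above (client_credentials token, resource-server call, revoke, introspect) are individual curl commands. The script below, added here as an example and not part of the repository, chains them into one check: obtain a token for messaging-client2, call the resource server, introspect the token, revoke it, and confirm that introspection now reports active:false. It uses the endpoints, client credentials and scope names from this README, sends form parameters with `-d` (application/x-www-form-urlencoded, the encoding RFC 6749 specifies) rather than `-F`, and relies on the `base64` and `sed` utilities. The JSON helpers are deliberately minimal (flat objects like the responses shown above, not a general parser), and the authorization decision in `introspection_allows` is the same rule a resource server applies: active, not expired, and carrying the required scope; a missing `exp` is treated as a failure so the check fails closed. `AUTH_BASE` and `RES_BASE` are assumed variable names for the two servers.

```shell
#!/usr/bin/env bash
# Added example (not project code). Endpoints and the messaging-client2:secret
# client are taken from the README above; AUTH_BASE/RES_BASE are assumed names.
AUTH_BASE="${AUTH_BASE:-http://localhost:8081/auth}"
RES_BASE="${RES_BASE:-http://localhost:8082/res}"

# client_secret_basic: Authorization: Basic base64("client_id:client_secret")
basic_auth_header() {
  printf 'Authorization: Basic %s' "$(printf '%s:%s' "$1" "$2" | base64 | tr -d '\n')"
}

# Extract a string-valued field ("name":"value") from a flat JSON object.
json_string_field() {
  printf '%s' "$1" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"
}

# Extract a bare (number or boolean) field ("name":value) from a flat JSON object.
json_bare_field() {
  printf '%s' "$1" | sed -n "s/.*\"$2\":\([^,}]*\).*/\1/p"
}

# Resource-server style decision on an introspection response:
# active must be true, exp must be present and in the future, and the
# space-separated scope list must contain the required scope.
# $1 = introspection JSON, $2 = required scope, $3 = "now" in epoch seconds (default: date +%s)
introspection_allows() {
  local json="$1" need="$2" now="${3:-$(date +%s)}"
  [ "$(json_bare_field "$json" active)" = "true" ] || return 1
  local exp; exp="$(json_bare_field "$json" exp)"
  [ -n "$exp" ] && [ "$now" -lt "$exp" ] || return 1   # fail closed if exp is missing
  local scope; scope="$(json_string_field "$json" scope)"
  case " $scope " in *" $need "*) return 0 ;; esac
  return 1
}

# End-to-end: token -> resource server -> introspect -> revoke -> introspect again.
run_flow() {
  local hdr; hdr="$(basic_auth_header messaging-client2 secret)"
  local tok_json
  tok_json="$(curl -sS -X POST "$AUTH_BASE/oauth2/token" -H "$hdr" \
      -d grant_type=client_credentials -d scope=message.read)"
  local at; at="$(json_string_field "$tok_json" access_token)"
  [ -n "$at" ] || { echo "no access_token in: $tok_json" >&2; return 1; }

  # Expect 200 for a token carrying message.read, 403 otherwise.
  local code
  code="$(curl -sS -o /dev/null -w '%{http_code}' "$RES_BASE/api/testScopeRead" \
      -H "Authorization: Bearer $at")"
  echo "testScopeRead -> HTTP $code"

  local intro
  intro="$(curl -sS -X POST "$AUTH_BASE/oauth2/introspect" -H "$hdr" -d "token=$at")"
  introspection_allows "$intro" message.read && echo "introspect before revoke: allowed"

  curl -sS -o /dev/null -X POST "$AUTH_BASE/oauth2/revoke" -H "$hdr" \
      -d token_type_hint=access_token -d "token=$at"

  intro="$(curl -sS -X POST "$AUTH_BASE/oauth2/introspect" -H "$hdr" -d "token=$at")"
  if introspection_allows "$intro" message.read; then
    echo "token still active after revoke!" >&2; return 1
  fi
  echo "introspect after revoke: active=$(json_bare_field "$intro" active)"
}

# Run the live flow only when invoked directly with both servers up.
if [ "${1:-}" = "run" ]; then run_flow; fi
```

Run it as `bash check-flow.sh run` with ssoserver and role-server started as described above; the helper functions can be sourced and exercised on captured responses without the servers.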

test code grant

To be revised for the new framework: the commands below use the /oauth/authorize and /oauth/token paths of the legacy Spring Security OAuth stack; Spring Authorization Server exposes /oauth2/authorize and /oauth2/token instead (as used by the /oauth2/token, /oauth2/revoke and /oauth2/introspect commands above).

curl -v -X GET "http://localhost:8081/auth/oauth/authorize?client_id=spring-security-oauth2-read-write-client&response_type=code&state=5ca75bd30&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Flogin%2Foauth2%2Fcode%2Fmy-client-2"

curl -v -X GET "http://localhost:8081/auth/login" --cookie "SESSION=ZWUyZWUzY2QtNTdhZi00ODE2LWFjNzItZWY1N2E1ZjJkZGI4"

curl -v -X POST "http://localhost:8081/auth/login" --cookie "SESSION=ZWUyZWUzY2QtNTdhZi00ODE2LWFjNzItZWY1N2E1ZjJkZGI4" -F _csrf=b50d4f23-a77e-4ddb-970b-42e64509e136 -F username=john -F password=456

curl -v -X GET "http://localhost:8081/auth/oauth/authorize?client_id=spring-security-oauth2-read-write-client&response_type=code&state=5ca75bd30&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Flogin%2Foauth2%2Fcode%2Fmy-client-2" --cookie "SESSION=OGM2NTdmYjgtMjA4Mi00MmIzLTk5MzEtNWQ2ZTU2MTM3NzMz"

curl -v -X POST "http://localhost:8081/auth/oauth/authorize" --cookie "SESSION=OGM2NTdmYjgtMjA4Mi00MmIzLTk5MzEtNWQ2ZTU2MTM3NzMz" -F _csrf=16fb5657-9ed0-4833-a523-7e1e64aaa364 -F user_oauth_approval=true -F scope.read=true -F scope.write=true -F scope.full_user_list=false -F scope.user_management=false

http://localhost:8080/login/oauth2/code/my-client-2?code=PEio1w&state=5ca75bd30

curl -X POST \
	http://localhost:8081/auth/oauth/token \
	-F grant_type=authorization_code \
	-F redirect_uri="http://localhost:8080/login/oauth2/code/my-client-2" \
	-F code=PEio1w \
	-F client_id=spring-security-oauth2-read-write-client \
	-F client_secret=spring-security-oauth2-read-write-client-password1234

{"access_token":"6e58306a-c371-4aa8-9dac-80083c7aab7f","token_type":"bearer","refresh_token":"d14c9aca-d7ab-49e6-bd05-5705aa6927d6","expires_in":10799,"scope":"read write"}

About

revise with spring authentication server
