Secure Client to Server Communication with Spring Boot

Hi, I have a use case where:

  • Spring Boot based Application ‘A’ is responsible for authenticating the user and storing the appropriate “user access token” as an HTTP cookie for the domain “mydomain.com”. For example, the context path of the application is: https://mydomain.com/user/
  • Spring Boot based Application ‘B’ exposes RESTful services under the same domain “mydomain.com” that expect the “User Access Token” in a header as part of the incoming request. For example, the context path of the application is: https://mydomain.com/userprofile/

How can I validate the Okta-issued “User Access Token” using Spring Boot for accessing the RESTful services provided by Application ‘B’?

P.S. I am looking for something similar to https://developer.okta.com/blog/2018/04/02/client-creds-with-spring-boot, only that, instead of validating the client token, I want to validate the user access token.

You could try the /introspect endpoint to validate the token.
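As an added illustration of that suggestion (this is example code, not code from the thread or from Okta), the configuration below makes Application ‘B’ validate every incoming bearer token by calling the /introspect endpoint. It uses the Spring Security 5.2+ resource-server support (`spring-boot-starter-oauth2-resource-server` and `oauth2ResourceServer().opaqueToken()`) rather than the legacy `@EnableResourceServer` stack; the introspection URI, client id, client secret, the class names and the expected audience `api://profile` are all assumed placeholders.

```java
import java.util.Collection;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.core.OAuth2AuthenticatedPrincipal;
import org.springframework.security.oauth2.server.resource.introspection.BadOpaqueTokenException;
import org.springframework.security.oauth2.server.resource.introspection.NimbusOpaqueTokenIntrospector;
import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector;

/**
 * Added example for Application 'B' (not code from the thread): every request must carry
 * the user access token as "Authorization: Bearer <token>", and the token is validated by
 * posting it to the authorization server's /introspect endpoint.
 * The URI, client credentials and audience below are placeholders (assumptions).
 */
@Configuration
@EnableWebSecurity
public class IntrospectionSecurityConfig extends WebSecurityConfigurerAdapter {

    // Placeholders: bind these from externalised configuration in a real deployment.
    private static final String INTROSPECTION_URI =
            "https://{yourOktaDomain}/oauth2/{authServerId}/v1/introspect";
    private static final String CLIENT_ID = "{clientId}";
    private static final String CLIENT_SECRET = "{clientSecret}";
    // The audience Application B expects to find in the token (assumed value).
    private static final String EXPECTED_AUDIENCE = "api://profile";

    @Bean
    public OpaqueTokenIntrospector introspector() {
        // Authenticates to /introspect with the client id/secret and rejects any token
        // whose introspection response says "active": false (expired, revoked, unknown).
        OpaqueTokenIntrospector remote =
                new NimbusOpaqueTokenIntrospector(INTROSPECTION_URI, CLIENT_ID, CLIENT_SECRET);
        return new AudienceCheckingIntrospector(remote, EXPECTED_AUDIENCE);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // A bearer-token API keeps no server-side session, so there is no
            // session cookie and no CSRF token to check.
            .csrf().disable()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests(authz -> authz.anyRequest().authenticated())
            // Reads the Authorization header only; the cookie set by Application 'A'
            // is not consulted, which matches what the original post describes.
            .oauth2ResourceServer(rs -> rs.opaqueToken(t -> t.introspector(introspector())));
    }

    /**
     * An active token is not enough: it must also have been issued for this API.
     * Checks the RFC 7662 "aud" claim returned by introspection.
     */
    static class AudienceCheckingIntrospector implements OpaqueTokenIntrospector {
        private final OpaqueTokenIntrospector delegate;
        private final String expectedAudience;

        AudienceCheckingIntrospector(OpaqueTokenIntrospector delegate, String expectedAudience) {
            this.delegate = delegate;
            this.expectedAudience = expectedAudience;
        }

        @Override
        public OAuth2AuthenticatedPrincipal introspect(String token) {
            OAuth2AuthenticatedPrincipal principal = delegate.introspect(token);
            // "aud" may arrive as a single string or as a list of audiences.
            Object aud = principal.getAttribute("aud");
            boolean matches = aud instanceof Collection
                    ? ((Collection<?>) aud).contains(expectedAudience)
                    : expectedAudience.equals(aud);
            if (!matches) {
                throw new BadOpaqueTokenException(
                        "token was not issued for audience " + expectedAudience);
            }
            return principal;
        }
    }
}
```

Introspection costs one HTTPS round trip to the authorization server per request, in exchange for seeing revocation immediately; if that becomes a bottleneck, cache introspection results for no longer than the token's remaining lifetime rather than skipping the check.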

Thanks, I was able to get it working using the /introspect endpoint a couple of days back. I have another issue now.

How can I use two Resource Servers and secure endpoints? For example: I have a combination of clientIdA, secretA and resourceserverA. I want to use this combination to secure my APIs.

I have another combination of clientIdB, secretB and resourceserverB. I want to use this combination to secure my swagger and actuators, etc.

Please can you suggest the resource server configuration and security configuration.

Thanks

Could you post more information about the issue? I’m not sure why the server configuration is an issue.

Hi, please see my current configuration below. I want to secure swagger using a different client, secret and auth server (I don’t want to rely on scopes or roles) compared to my other user-facing REST APIs.

OAuth2 server (application.properties):

security.oauth2.client.clientId=xxxxxxxxxxxxx
security.oauth2.client.clientSecret=xxxxxxxxxxxxxxxxxxxxxx
security.oauth2.resource.tokenInfoUri=https://xxxxxxxxxxx/oauth2/xxxxxxxxxxxxxx/v1/introspect

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration;
import org.springframework.boot.autoconfigure.jdbc.DataSourceTransactionManagerAutoConfiguration;
import org.springframework.boot.autoconfigure.jms.JmsAutoConfiguration;
import org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration;
import org.springframework.boot.builder.SpringApplicationBuilder;
import org.springframework.boot.web.servlet.support.SpringBootServletInitializer;
import org.springframework.cloud.openfeign.EnableFeignClients;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.provider.expression.OAuth2MethodSecurityExpressionHandler;

// Turns this application into an OAuth2 resource server (legacy Spring Security OAuth2 stack);
// the introspection endpoint and client credentials come from the properties above.
@EnableResourceServer
@SpringBootApplication(exclude = {
        DataSourceAutoConfiguration.class,
        DataSourceTransactionManagerAutoConfiguration.class,
        HibernateJpaAutoConfiguration.class,
        JmsAutoConfiguration.class
})
@ComponentScan(basePackages = {"org.test.profile"})
// @SpringBootApplication already enables auto-configuration; this repeats its exclusions.
@EnableAutoConfiguration(exclude = {
        DataSourceAutoConfiguration.class,
        DataSourceTransactionManagerAutoConfiguration.class,
        HibernateJpaAutoConfiguration.class
})
@EnableFeignClients
public class ProfileApplication extends SpringBootServletInitializer {

    public static void main(String[] args) {
        SpringApplication.run(ProfileApplication.class, args);
    }

    // Entry point when deployed as a WAR inside a servlet container.
    @Override
    protected SpringApplicationBuilder configure(SpringApplicationBuilder application) {
        return application.sources(ProfileApplication.class);
    }

    /**
     * Allows for @PreAuthorize annotation processing, with the OAuth2 expression
     * handler so that expressions such as #oauth2.hasScope(...) are available.
     */
    @EnableGlobalMethodSecurity(prePostEnabled = true)
    protected static class GlobalSecurityConfiguration extends GlobalMethodSecurityConfiguration {

        @Override
        protected MethodSecurityExpressionHandler createExpressionHandler() {
            return new OAuth2MethodSecurityExpressionHandler();
        }

    }
}


import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
class SecurityConfig extends WebSecurityConfigurerAdapter {

  @Override
  protected void configure(final HttpSecurity http) throws Exception {

    // CSRF check disabled (the API is called with a bearer header, not a session cookie)
    http.csrf().disable();

    // OPTIONS calls are not allowed; everything else is permitted at this layer.
    // The Swagger paths below are commented out while the separate client/secret
    // combination for them is still being worked out.
    http.authorizeRequests()
      .antMatchers(HttpMethod.OPTIONS, "/**").denyAll()
//      .antMatchers("/v2/api-docs",
//          "/configuration/ui",
//          "/swagger-resources/**",
//          "/configuration/security",
//          "/swagger-ui.html",
//          "/webjars/**").permitAll()
      .antMatchers("/**")
        .permitAll();
  }

}


import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import springfox.documentation.builders.ApiInfoBuilder;
import springfox.documentation.builders.PathSelectors;
import springfox.documentation.builders.RequestHandlerSelectors;
import springfox.documentation.service.ApiInfo;
import springfox.documentation.service.Contact;
import springfox.documentation.spi.DocumentationType;
import springfox.documentation.spring.web.plugins.Docket;
import springfox.documentation.swagger.web.DocExpansion;
import springfox.documentation.swagger.web.ModelRendering;
import springfox.documentation.swagger.web.OperationsSorter;
import springfox.documentation.swagger.web.TagsSorter;
import springfox.documentation.swagger.web.UiConfiguration;
import springfox.documentation.swagger.web.UiConfigurationBuilder;
import springfox.documentation.swagger2.annotations.EnableSwagger2;

@Configuration
@EnableSwagger2
public class SwaggerConfig {

    // Documents every handler under the resource package, for all paths.
    @Bean
    public Docket api() {
        return new Docket(DocumentationType.SWAGGER_2)
          .select()
          .apis(RequestHandlerSelectors.basePackage("org.test.profile.resource"))
          .paths(PathSelectors.regex("/.*"))
          .build().apiInfo(apiEndPointsInfo());
    }

    private ApiInfo apiEndPointsInfo() {
        return new ApiInfoBuilder().title("PROFILE APP REST API")
            .description("PROFILE APP REST API")
            .contact(new Contact("VM", "www.test.org", "vmuddasani@test.org"))
            .license("Apache 2.0")
            .licenseUrl("http://www.apache.org/licenses/LICENSE-2.0.html")
            .version("1.0.0")
            .build();
    }

    /**
     * SwaggerUI information
     */
    @Bean
    UiConfiguration uiConfig() {
        return UiConfigurationBuilder.builder()
                .deepLinking(true)
                .displayOperationId(false)
                .defaultModelsExpandDepth(1)
                .defaultModelExpandDepth(1)
                .defaultModelRendering(ModelRendering.EXAMPLE)
                .displayRequestDuration(false)
                .docExpansion(DocExpansion.NONE)
                .filter(false)
                .maxDisplayedTags(null)
                .operationsSorter(OperationsSorter.ALPHA)
                .showExtensions(false)
                .tagsSorter(TagsSorter.ALPHA)
                .supportedSubmitMethods(UiConfiguration.Constants.DEFAULT_SUBMIT_METHODS)
                .validatorUrl(null)
                .build();
    }
}

How can I use /introspect without a client_secret in a Spring Boot application?
Please help.
Thank you.
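The two-combination setup asked about above (clientIdA/secretA/resourceserverA for the user-facing APIs, clientIdB/secretB/resourceserverB for swagger and actuators) can be expressed as two ordered filter chains, each with its own introspector. This is an added example, not code from the thread or from Okta, and it uses the Spring Security 5.2+ `oauth2ResourceServer().opaqueToken()` support instead of the legacy `@EnableResourceServer` configuration shown in the post; the class names, introspection URIs, credentials and the `/configuration/**` and `/actuator/**` path patterns are assumptions.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.server.resource.introspection.NimbusOpaqueTokenIntrospector;
import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector;

/**
 * Added example (not from the thread): two filter chains, each validating bearer tokens
 * against its own authorization server with its own client credentials.
 * All URIs and credentials are placeholders (assumptions).
 */
@Configuration
@EnableWebSecurity
public class TwoResourceServersConfig {

    // Combination A: user-facing REST APIs.
    static final String INTROSPECT_A = "https://{yourOktaDomain}/oauth2/{authServerA}/v1/introspect";
    static final String CLIENT_ID_A = "{clientIdA}";
    static final String SECRET_A = "{secretA}";

    // Combination B: swagger and actuator endpoints.
    static final String INTROSPECT_B = "https://{yourOktaDomain}/oauth2/{authServerB}/v1/introspect";
    static final String CLIENT_ID_B = "{clientIdB}";
    static final String SECRET_B = "{secretB}";

    // The paths the post commented out of its SecurityConfig, plus actuators (assumed patterns).
    static final String[] TOOLING_PATHS = {
            "/v2/api-docs", "/configuration/**", "/swagger-resources/**",
            "/swagger-ui.html", "/webjars/**", "/actuator/**"
    };

    /**
     * Chain 1 claims only the tooling paths. Spring Security uses the first chain whose
     * request matcher accepts the request, so this chain must be ordered before the
     * catch-all API chain, and every adapter needs a distinct @Order value.
     */
    @Configuration
    @Order(1)
    public static class ToolingChain extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            OpaqueTokenIntrospector introspectorB =
                    new NimbusOpaqueTokenIntrospector(INTROSPECT_B, CLIENT_ID_B, SECRET_B);
            http
                .requestMatchers(m -> m.antMatchers(TOOLING_PATHS))
                .csrf().disable()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .authorizeRequests(authz -> authz.anyRequest().authenticated())
                .oauth2ResourceServer(rs -> rs.opaqueToken(t -> t.introspector(introspectorB)));
        }
    }

    /** Chain 2 handles every other request with combination A. */
    @Configuration
    @Order(2)
    public static class ApiChain extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            OpaqueTokenIntrospector introspectorA =
                    new NimbusOpaqueTokenIntrospector(INTROSPECT_A, CLIENT_ID_A, SECRET_A);
            http
                .csrf().disable()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .authorizeRequests(authz -> authz.anyRequest().authenticated())
                .oauth2ResourceServer(rs -> rs.opaqueToken(t -> t.introspector(introspectorA)));
        }
    }
}
```

Because the chains are selected by path, a token accepted by authorization server B never authorizes a call to the user-facing API and vice versa, which is the separation the post wants without relying on scopes or roles. On the closing question: RFC 7662 requires the party calling /introspect to authenticate, so each resource server normally holds its own confidential client id and secret; a service that cannot keep a secret can instead validate a JWT access token locally against the issuer's JWK set (`oauth2ResourceServer().jwt()`), which needs no client credentials but only learns about revocation when the token expires.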