This chapter covers
- Implementing a Spring Security OAuth 2 authorization server
- Using the authorization code and client credentials grant types
- Configuring opaque and non-opaque access tokens
- Using token revocation and introspection
Chapter 13 covered OAuth 2 and OpenID Connect. We discussed the actors that play a role in a system where authentication and authorization are based on the OAuth 2 specification. The authorization server was one of these actors. Its role is to authenticate a user and the app they use (the client), as well as to issue tokens that serve as proof of authentication when accessing resources protected by a backend (the resource server). Sometimes, the client accesses those resources on behalf of a user.
The Spring ecosystem offers a fully customizable way to implement an OAuth 2/OpenID Connect authorization server. The Spring Security authorization server is the de facto way to implement an authorization server using Spring today. In this chapter, we’ll review the main capabilities offered by this framework and implement a custom authorization server. Figure 14.1 is here to remind you about the OAuth 2 actors and the authorization server role discussed in chapter 13.
Figure 14.1 Actors in the OAuth 2 scene. The authorization server protects the user and client details and issues tokens the client can use to get authorized when calling the resource server endpoints.
