18 Hands-on: An OAuth 2 application

In chapters 12 through 15, we discussed in detail how an OAuth 2 system works and how you implement one with Spring Security. We then changed the subject and in chapters 16 and 17, you learned how to apply authorization rules at any layer of your application using global method security. In this chapter, we’ll combine these two essential subjects and apply global method security within an OAuth 2 resource server.

Besides defining authorization rules at different layers of our resource server implementation, you’ll also learn how to use a tool named Keycloak as the authorization server for your system. The example we’ll work on this chapter is helpful for the following reasons:

18.1 The application scenario

18.2 Configuring Keycloak as an authorization server

18.2.1 Registering a client for our system

18.2.2 Specifying client scopes

18.2.3 Adding users and obtaining access tokens

18.2.4 Defining the user roles

18.3 Implementing the resource server

18.4 Testing the application

18.4.1 Proving an authenticated user can only add a record for themself

18.4.2 Proving that a user can only retrieve their own records

18.4.3 Proving that only admins can delete records

Summary