How to use Spring OAuth2 JWT Token?

Question

We want use the Spring OAuth2 JWT Token support. Our architecture is as follows: Spring just provides a REST-interface and the frontend is built with AngularJS which queries the Spring-REST-Interface. For authorization purpose our frontend-team wants to use JWT. So I have taken a look on the Spring OAuth2 JWT support and still do not really know how to talk with the frontend about JWT-Tokens. After reading a little tutorial I have implemented this:

@Autowired
@Qualifier("defaultAuthorizationServerTokenServices")
private DefaultTokenServices tokenServices;

public static void main(String[] args) {
    SpringApplication.run(Application.class, args); 
    //TODO comments
}

@Configuration
@EnableAuthorizationServer
protected static class OAuth2Config extends AuthorizationServerConfigurerAdapter {

    //@Autowired
    private AuthenticationManager authManager;

    @Bean
    public JwtAccessTokenConverter accessTokenConverter() {
        return new JwtAccessTokenConverter();
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
        oauthServer.tokenKeyAccess("isAnonymous() || hasAuthority('ROLE_TRUSTED_CLIENT')")
                   .checkTokenAccess("hasAuthority('ROLE_TRUSTED_CLIENT')"); 
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.authenticationManager(authManager).accessTokenConverter(accessTokenConverter());
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
        .withClient("my-trusted_client")
            .authorizedGrantTypes("password", "authorization_code", "refresh_token", "implicit")
            .authorities("ROLE_CLIENT", "ROLE_TRUSTED_CLIENT")
            .scopes("read", "write", "trust")
            .accessTokenValiditySeconds(60)
        .and()
        .withClient("my-client-with-registered-redirect")
            .authorizedGrantTypes("authorization_code")
            .authorities("ROLE_CLIENT")
            .scopes("read", "trust")
            .redirectUris("http://anywhere?key=value")
        .and()
        .withClient("my-client-with-secret")
            .authorizedGrantTypes("client_credentials", "password")
            .authorities("ROLE_CLIENT", "ROLE_TRUSTED_CLIENT")
            .scopes("read", "write")
            .secret("secret");
    }
}

I'm not sure how the workflow is. What I guess: The frontend access the /oauth/authorization endpoint to authorize its token and then the Spring backend has to check every time a resource is requested the JWT-Token if it's authorized to access the resource? Right? So how can I tell Spring to check the token when a REST-endpoint is requested? I have tried it with

@RequestMapping("/projects")
@PreAuthorize("oauthClientHasRole('ROLE_CLIENT')")
public String getProjects() {
    return "";
}

But it seems not to work.

Answer 1

You can take a look at the new spring-cloud-samples 's sso sample. To me this was the best sample to play with to understand how it is done.

Also once you get your head around it, you can read this tutoiral, which is bit more technical & more about how to do it with RSA assymetric keypairs.