
Is there a way to validate the OAuth token sent by approuter in a plain Java application (microservice in Cloud Foundry) without using Spring?

I have an approuter written in Node.js which sends a JWT token to the Java application after user authentication.

I need to verify this token and scope in a Spring application before executing the REST API, but is there a way to do the same thing without using any Spring feature?

One option is to use the /check_token endpoint of UAA. The nice thing about this approach is that it's pretty easy to do this without the help of external libraries, since it's just a matter of sending an HTTP request. There's also no crypto (other than TLS) required; UAA handles all that for you. However, it does require client credentials so that you can identify the application checking the token with UAA, and it has the overhead of sending an HTTP request.

Ex:

curl 'http://uaa.example.com/check_token' -i -u 'app:appclientsecret' -X POST \
    -d 'token=53dbe3e05dcf4ff38d350bc74a7fc97b&scopes=password.write%2Cscim.userids'

Where app and appclientsecret are your app's client credentials. The scopes attribute is optional, but if you do include it, UAA will also validate that the scopes you indicate are present on the token.

More at the following links:

The other option would be to validate the token yourself. This requires a signed token and it requires you to have a shared secret between your server and, in the case of Cloud Foundry, UAA.

I don't have instructions to walk you through this without Spring, but Spring Security is open source so you can take a look at their code and see how it's done.

It looks like the decodeAndVerify method of JwtHelper is a good place to start. There's also an example of how JwtHelper is used here.

Hope that helps!
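
The "validate the token yourself" option above, sketched with only JDK classes. This is an added example, not part of the original answer and not Spring Security's code; it assumes the token is a compact JWT signed with HS256 using the shared secret, and the class name, secret and sample tokens are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class Hs256JwtCheck {  // hypothetical class name
    private static final Pattern EXP = Pattern.compile("\"exp\"\\s*:\\s*(\\d+)");

    // HMAC-SHA256 over "header.payload", which is what HS256 signs.
    static byte[] hmac(byte[] secret, String signingInput) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(secret, "HmacSHA256"));
        return mac.doFinal(signingInput.getBytes(StandardCharsets.US_ASCII));
    }

    // Returns the payload JSON if signature and exp check out; otherwise throws.
    static String verify(String token, byte[] secret, long nowEpochSeconds) throws Exception {
        String[] parts = token.split("\\.", -1);
        if (parts.length != 3) throw new SecurityException("not a compact JWT");
        // The algorithm is pinned here and the header's "alg" is never consulted,
        // so an unsigned or re-labelled token simply fails the comparison.
        byte[] expected = hmac(secret, parts[0] + "." + parts[1]);
        byte[] presented = Base64.getUrlDecoder().decode(parts[2]);
        if (!MessageDigest.isEqual(expected, presented)) throw new SecurityException("bad signature");
        String payload = new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8);
        Matcher m = EXP.matcher(payload);  // minimal exp check, done only after authentication
        if (!m.find() || Long.parseLong(m.group(1)) <= nowEpochSeconds)
            throw new SecurityException("expired or missing exp");
        return payload;  // parse scope and the other claims with a real JSON parser
    }

    public static void main(String[] args) throws Exception {
        byte[] secret = "constructed-demo-secret".getBytes(StandardCharsets.UTF_8);  // constructed
        Base64.Encoder b64 = Base64.getUrlEncoder().withoutPadding();
        String head = b64.encodeToString("{\"alg\":\"HS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
        String body = b64.encodeToString("{\"scope\":[\"password.write\"],\"exp\":2000000000}".getBytes(StandardCharsets.UTF_8));
        String token = head + "." + body + "." + b64.encodeToString(hmac(secret, head + "." + body));
        System.out.println("valid: " + verify(token, secret, 1700000000L));
        // Same signature, altered payload: must be rejected.
        String altered = b64.encodeToString("{\"scope\":[\"scim.userids\"],\"exp\":2000000000}".getBytes(StandardCharsets.UTF_8));
        try { verify(head + "." + altered + "." + token.split("\\.")[2], secret, 1700000000L); }
        catch (SecurityException e) { System.out.println("altered: rejected (" + e.getMessage() + ")"); }
    }
}
```

The scope check is left to the caller because the JDK has no JSON parser; do it on the returned payload only after verify has succeeded.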
