
Do I need resource server with Spring Security OAuth2?

I am trying to implement OAuth2 authentication with JWT tokens. If I understand correctly, I need to send credentials to the authorization server, which verifies my credentials and returns a signed JWT token. Next I tried to implement a WebSecurityConfig which extends WebSecurityConfigurerAdapter, and there I have to set which endpoints are secured and which aren't.

But my question is: do I need a resource server? Does it do the same job as my potential WebSecurityConfig, or not?

My goal is to create simple JWT authentication for my website.

Yes, you will want to configure the resources protected by your JWTs by extending ResourceServerConfigurerAdapter. A basic implementation might look like this:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

@Configuration
@EnableResourceServer // registers the bearer-token filter that validates incoming JWTs
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            // every request must carry a valid access token
            .authorizeRequests()
            .anyRequest().authenticated()
            .and()
            // JWTs are self-contained, so no HTTP session should be created
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }

}

This means you should have no need to extend WebSecurityConfigurerAdapter, because the above configuration configures the same HttpSecurity object that you would be configuring in WebSecurityConfigurerAdapter. The public void configure(HttpSecurity http) method works on the same thing in both classes.

The reason we want to choose ResourceServerConfigurerAdapter over WebSecurityConfigurerAdapter is because it's part of the spring-security-oauth2 module that you are using, and will be used behind the scenes by the framework.

You will of course need to make sure that you are using the same signing key for both your authorization and resource servers. If you are defining your security config beans in the same application, the resource server will automatically use the same beans; if not, then you will need to duplicate whatever JWT-related config you have on your authorization server.

You need the resource server, because it is part of the OAuth2 spec:

resource server

The server hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens.

Hence it is also part of Spring Security OAuth2.

The resource server configuration is more than a security configuration, see the OAuth 2 Developers Guide:

Resource Server Configuration

A Resource Server (can be the same as the Authorization Server or a separate application) serves resources that are protected by the OAuth2 token. Spring OAuth provides a Spring Security authentication filter that implements this protection. You can switch it on with @EnableResourceServer on an @Configuration class, and configure it (as necessary) using a ResourceServerConfigurer. The following features can be configured:

  • tokenServices: the bean that defines the token services (instance of ResourceServerTokenServices).
  • resourceId: the id for the resource (optional, but recommended and will be validated by the auth server if present).
  • other extension points for the resource server (e.g. tokenExtractor for extracting the tokens from incoming requests)
  • request matchers for protected resources (defaults to all)
  • access rules for protected resources (defaults to plain "authenticated")
  • other customizations for the protected resources permitted by the HttpSecurity configurer in Spring Security

The @EnableResourceServer annotation adds a filter of type OAuth2AuthenticationProcessingFilter automatically to the Spring Security filter chain.

You could use a Spring Security configuration (WebSecurityConfigurerAdapter) for other customizations for the protected resources permitted by the HttpSecurity configurer in Spring Security, but it is better to use the resource server configuration, because of:

  • encapsulation (all configurations for the resource server in one class)
  • configuration ordering (you don't have to change the order)
  • complexity (one class instead of two classes)

and it is the recommended way.
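Putting the first answer's remark about sharing the signing key with the authorization server together with the tokenServices and resourceId items from the guide excerpt above, here is one complete resource server configuration. This is an added example, not code from either answer or from the Spring project; the property name app.jwt.verifier-key, the resource id my-api and the /public/** path are assumptions.

```java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.DefaultTokenServices;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;

@Configuration
@EnableResourceServer
public class JwtResourceServerConfig extends ResourceServerConfigurerAdapter {
    // Hypothetical property: the authorization server's RSA public key (PEM), or the shared
    // secret for HMAC. Only verification material belongs on a resource server.
    @Value("${app.jwt.verifier-key}") private String verifierKey;

    @Bean
    public JwtAccessTokenConverter accessTokenConverter() {
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        converter.setVerifierKey(verifierKey); // wrong key => every token fails the signature check
        return converter;
    }

    @Bean
    public DefaultTokenServices tokenServices() {
        DefaultTokenServices services = new DefaultTokenServices();
        services.setTokenStore(new JwtTokenStore(accessTokenConverter()));
        return services;
    }

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        resources
            .resourceId("my-api") // hypothetical; a token whose "aud" claim is set but omits it is rejected
            .tokenServices(tokenServices());
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
            .antMatchers("/public/**").permitAll() // hypothetical unauthenticated path
            .anyRequest().authenticated();
    }
}
```

When the authorization server runs in the same application, the JwtAccessTokenConverter bean it already defines can be reused instead of declaring a second one, as the first answer notes.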

I will try to answer with an example: suppose you want to write a great and cool web application that can manage Gmail accounts as well as Google Calendar data together, somehow. Apparently, your users will have to sign in with their Google credentials, so your app can get their data and manage it. Your application manages the data of the users, without getting the users' credentials.

So far so good.

In this example, the Authorization Server is Google Accounts. The Resource Server is Gmail and Google Calendar (both of them), and the Client is your application.

Hope that makes sense.
