After some research, I figured out how to do this. The solution is divided into two main parts: WSO2 IS configuration and resource server configuration.
The main scenario is as follows:
1- A client (for example, a mobile application) consumes a protected resource (for example, a web service) by sending a request to the resource server (a Java web application in my case).
2- The resource server checks the "Authorization" header of the request and retrieves the access token.
3- The resource server verifies the access token by sending it to the authorization server (WSO2 IS).
4- The authorization server replies with the verification response.
5- The resource server checks the response and decides whether to grant or deny access to the requested resource.
In my demo, I used WSO2 IS 5.0.0 and Spring Security 3.1.0.
1- WSO2 IS Configuration
WSO2 IS will act as the authorization server. Therefore, it must be configured to support OAuth 2.0. To do this, add and configure a service provider as follows:
(a) Log in to the WSO2 IS management console.
(b) Add a new service provider and give it a name and description.

(c) Under Inbound Authentication Configuration > OAuth/OpenID Connect Configuration, click Configure.
(d) Configure the OAuth 2.0 provider as shown in the following screenshot and click Add. We will need the Password grant type, which maps to the Resource Owner Password Credentials grant type. This is best suited for my case (securing web services).

(e) In the OAuth/OpenID Connect Configuration section, you will find the OAuth Client Key and OAuth Client Secret. They are used along with the username, password and realm to create access tokens.
2- Resource Server Configuration
As mentioned earlier, the Java demo web application acts as the resource server and the client at the same time. To act as a resource server, Spring Security must know how to verify access tokens, so a token services implementation has to be provided.
(a) Configure Spring as a resource server. Here is an example configuration:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:oauth2="http://www.springframework.org/schema/security/oauth2"
       xsi:schemaLocation="
           http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
           http://www.springframework.org/schema/security
           http://www.springframework.org/schema/security/spring-security-3.1.xsd
           http://www.springframework.org/schema/security/oauth2
           http://www.springframework.org/schema/security/spring-security-oauth2.xsd">

    <!-- Token services that validate access tokens against WSO2 IS -->
    <bean id="tokenServices" class="com.example.security.oauth2.wso2.TokenServiceWSO2" />

    <!-- Sends the OAuth 2.0 "invalid_token" challenge instead of a login page -->
    <bean id="authenticationEntryPoint"
          class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint" />

    <security:authentication-manager alias="authenticationManager" />

    <!-- Becomes a filter that extracts the bearer token and calls tokenServices -->
    <oauth2:resource-server id="resourcesServerFilter" token-services-ref="tokenServices" />

    <security:http pattern="/services/**" create-session="stateless"
                   entry-point-ref="authenticationEntryPoint">
        <security:anonymous enabled="false" />
        <security:custom-filter ref="resourcesServerFilter" before="PRE_AUTH_FILTER" />
        <security:intercept-url pattern="/services/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    </security:http>
</beans>
```
A resource server is configured here that uses the TokenServiceWSO2 token services implementation. The resource-server tag is actually converted into a security filter. An interception pattern is added for "/services/**" and the resource server filter is added to the chain.
(b) Implement the OAuth 2.0 ResourceServerTokenServices token services. The implementation takes the access token as input, passes it to the OAuth2TokenValidationService of WSO2 IS, checks the response and returns a processed object containing the basic information about the token: issuer, validity, scope, the corresponding JWT token, ...
```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.common.exceptions.InvalidTokenException;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.OAuth2Request;
import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;

public class TokenServiceWSO2 implements ResourceServerTokenServices {

    @Autowired
    TokenValidatorWSO2 tokenValidatorWSO2;

    public OAuth2Authentication loadAuthentication(String accessToken)
            throws AuthenticationException, InvalidTokenException {
        try {
            // Ask WSO2 IS whether the token is valid and which user it was issued to
            TokenValidationResponse validationResponse =
                    tokenValidatorWSO2.validateAccessToken(accessToken);
            // Only the scope is available from the validation response; client id,
            // resource ids and the like are left empty
            OAuth2Request oAuth2Request = new OAuth2Request(null, null, null, true,
                    validationResponse.getScope(), null, null, null, null);
            // No authorities are mapped in this sample; the principal is the user identifier
            UsernamePasswordAuthenticationToken authentication =
                    new UsernamePasswordAuthenticationToken(
                            validationResponse.getAuthorizedUserIdentifier(), null, null);
            return new OAuth2Authentication(oAuth2Request, authentication);
        } catch (ApplicationException ex) {
            // Spring Security OAuth2 turns this into a 401 with error="invalid_token";
            // the token value itself is deliberately not echoed back to the client
            throw new InvalidTokenException("Invalid access token", ex);
        }
    }

    public OAuth2AccessToken readAccessToken(String accessToken) {
        // Not needed for a validation-only resource server
        throw new UnsupportedOperationException("Not supported");
    }
}
```
The TokenValidatorWSO2 class implements the logic of the call to the WSO2 IS OAuth2TokenValidationService web service.
```java
import java.util.Arrays;
import java.util.LinkedHashSet;

import org.apache.axis2.AxisFault;
import org.apache.axis2.client.Options;
import org.apache.axis2.client.ServiceClient;
import org.apache.axis2.transport.http.HTTPConstants;
import org.apache.log4j.Logger;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Component;
import org.wso2.carbon.identity.oauth2.stub.OAuth2TokenValidationServiceStub;
import org.wso2.carbon.identity.oauth2.stub.dto.OAuth2TokenValidationRequestDTO;
import org.wso2.carbon.identity.oauth2.stub.dto.OAuth2TokenValidationRequestDTO_OAuth2AccessToken;
import org.wso2.carbon.identity.oauth2.stub.dto.OAuth2TokenValidationResponseDTO;
import org.wso2.carbon.utils.CarbonUtils;

@Component
public class TokenValidatorWSO2 implements OAuth2TokenValidator {

    private static final Logger logger = Logger.getLogger(TokenValidatorWSO2.class);

    @Value("${server_url}")
    private String serverUrl;
    @Value("${validation_service_name}")
    private String validationServiceName;
    @Value("${comsumer_key}")   // property name kept as in the original configuration
    private String consumerKey;
    @Value("${admin_username}")
    private String adminUsername;
    @Value("${admin_password}")
    private String adminPassword;

    private OAuth2TokenValidationServiceStub stub;
    private static final int TIMEOUT_IN_MILLIS = 15 * 60 * 1000;

    public TokenValidationResponse validateAccessToken(String accessToken) throws ApplicationException {
        logger.debug("validateAccessToken(String) - start");
        if (stub == null) {
            initializeValidationService();
        }
        OAuth2TokenValidationResponseDTO response;
        try {
            OAuth2TokenValidationRequestDTO oauthRequest = new OAuth2TokenValidationRequestDTO();
            OAuth2TokenValidationRequestDTO_OAuth2AccessToken oAuth2AccessToken =
                    new OAuth2TokenValidationRequestDTO_OAuth2AccessToken();
            oAuth2AccessToken.setIdentifier(accessToken);
            oAuth2AccessToken.setTokenType("bearer");
            oauthRequest.setAccessToken(oAuth2AccessToken);
            // Remote call to WSO2 IS
            response = stub.validate(oauthRequest);
        } catch (Exception ex) {
            // Transport or SOAP failure: fail closed instead of returning a null response
            logger.error("validateAccessToken() - Error when validating WSO2 token", ex);
            throw new ApplicationException("Token validation failed");
        }
        if (!response.getValid()) {
            throw new ApplicationException("Invalid access token");
        }
        TokenValidationResponse validationResponse = new TokenValidationResponse();
        validationResponse.setAuthorizedUserIdentifier(response.getAuthorizedUser());
        // The JWT is only present when "Enable JWT" is switched on for the service provider
        if (response.getAuthorizationContextToken() != null) {
            validationResponse.setJwtToken(response.getAuthorizationContextToken().getTokenString());
        }
        validationResponse.setScope(new LinkedHashSet<String>(Arrays.asList(response.getScope())));
        validationResponse.setValid(response.getValid());
        logger.debug("validateAccessToken(String) - end");
        return validationResponse;
    }

    private void initializeValidationService() throws ApplicationException {
        try {
            String serviceURL = serverUrl + validationServiceName;
            stub = new OAuth2TokenValidationServiceStub(null, serviceURL);
            // The admin service is protected with HTTP Basic authentication
            CarbonUtils.setBasicAccessSecurityHeaders(adminUsername, adminPassword, true,
                    stub._getServiceClient());
            ServiceClient client = stub._getServiceClient();
            Options options = client.getOptions();
            options.setTimeOutInMilliSeconds(TIMEOUT_IN_MILLIS);
            options.setProperty(HTTPConstants.SO_TIMEOUT, TIMEOUT_IN_MILLIS);
            options.setProperty(HTTPConstants.CONNECTION_TIMEOUT, TIMEOUT_IN_MILLIS);
            options.setCallTransportCleanup(true);
            options.setManageSession(true);
        } catch (AxisFault ex) {
            logger.error("initializeValidationService() - Cannot create the validation service stub", ex);
            throw new ApplicationException("Cannot initialize the WSO2 token validation service");
        }
    }
}
```
The TokenValidationResponse class contains the main data returned in the token validation response.
```java
import java.util.Set;

public class TokenValidationResponse {
    private String jwtToken;
    private boolean valid;
    private Set<String> scope;
    private String authorizedUserIdentifier;

    public String getJwtToken() { return jwtToken; }
    public void setJwtToken(String jwtToken) { this.jwtToken = jwtToken; }

    public boolean isValid() { return valid; }
    public void setValid(boolean valid) { this.valid = valid; }

    public Set<String> getScope() { return scope; }
    public void setScope(Set<String> scope) { this.scope = scope; }

    public String getAuthorizedUserIdentifier() { return authorizedUserIdentifier; }
    public void setAuthorizedUserIdentifier(String authorizedUserIdentifier) {
        this.authorizedUserIdentifier = authorizedUserIdentifier;
    }
}
```
3- Client Application Configuration
The next step is to configure the resources that OAuth 2.0 should protect. Basically, configure the web services that should be protected under the root URL "/services/**". In my demo, I used Jersey.
4- Test Client Application
The final step is to consume the secured web services. This is done by adding the Authorization header to the request with the value "Bearer <access_token>", for example "Bearer 7fbd71c5b28fdf0bdb922b07915c4d5".
PS: The described sample is for reference only. It may lack some implementations, exception handling, ... Please comment with further requests.
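As an added example (not part of the original answer and not the project's code), here is the resource-server side of steps 2 and 5 of the scenario in plain Java with no Spring or WSO2 dependencies: it extracts the bearer token from the Authorization header, asks a pluggable validator about it (the role TokenValidatorWSO2 plays above), and maps the outcome to the status codes and WWW-Authenticate challenges that RFC 6750 prescribes. The TokenInfo shape, the in-memory token table and the sample requests are constructed for the demo and are assumptions, not anything WSO2 IS returns.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class BearerTokenGate {

    /** What the authorization server reports about a token (step 4). Assumed shape, not the WSO2 DTO. */
    public static final class TokenInfo {
        final String user;
        final Set<String> scope;
        final long expiresAtEpochSec;

        TokenInfo(String user, Set<String> scope, long expiresAtEpochSec) {
            this.user = user;
            this.scope = scope;
            this.expiresAtEpochSec = expiresAtEpochSec;
        }
    }

    /** Stand-in for the call to the authorization server (step 3). */
    public interface TokenValidator {
        Optional<TokenInfo> validate(String accessToken);
    }

    /** Step 5 outcome: HTTP status plus the WWW-Authenticate challenge (RFC 6750 section 3). */
    public static final class Decision {
        final int status;
        final String challenge;   // null when access is granted
        final String user;        // null when access is denied

        private Decision(int status, String challenge, String user) {
            this.status = status;
            this.challenge = challenge;
            this.user = user;
        }

        static Decision deny(int status, String error) {
            String value = "Bearer realm=\"services\"";
            if (error != null) {
                value += ", error=\"" + error + "\"";
            }
            return new Decision(status, value, null);
        }

        static Decision grant(String user) {
            return new Decision(200, null, user);
        }
    }

    // "Bearer" followed by a b64token (RFC 6750 section 2.1); the scheme name is case-insensitive
    private static final Pattern BEARER =
            Pattern.compile("^Bearer ([A-Za-z0-9\\-._~+/]+=*)$", Pattern.CASE_INSENSITIVE);

    public static Decision check(String authorizationHeader, String requiredScope,
                                 TokenValidator validator, long nowEpochSec) {
        if (authorizationHeader == null || authorizationHeader.trim().isEmpty()) {
            // No credentials at all: challenge without an error code (RFC 6750 section 3.1)
            return Decision.deny(401, null);
        }
        Matcher m = BEARER.matcher(authorizationHeader.trim());
        if (!m.matches()) {
            // Present but malformed (other scheme, stray characters): invalid_request
            return Decision.deny(400, "invalid_request");
        }
        Optional<TokenInfo> info = validator.validate(m.group(1));
        if (!info.isPresent() || info.get().expiresAtEpochSec <= nowEpochSec) {
            // Unknown, revoked or expired: the client must obtain a new token
            return Decision.deny(401, "invalid_token");
        }
        if (requiredScope != null && !info.get().scope.contains(requiredScope)) {
            // Authenticated, but the token does not cover this resource
            return Decision.deny(403, "insufficient_scope");
        }
        return Decision.grant(info.get().user);
    }

    public static void main(String[] args) {
        long now = 1_700_000_000L;   // constructed "current time"
        // Constructed token table standing in for the authorization server
        final Map<String, TokenInfo> tokens = new HashMap<>();
        tokens.put("tok-valid", new TokenInfo("alice", new HashSet<>(Arrays.asList("read", "write")), now + 3600));
        tokens.put("tok-expired", new TokenInfo("bob", Collections.singleton("read"), now - 1));
        tokens.put("tok-readonly", new TokenInfo("carol", Collections.singleton("read"), now + 3600));
        TokenValidator validator = t -> Optional.ofNullable(tokens.get(t));

        String[][] requests = {
            {"Bearer tok-valid", "write"},       // 200 user=alice
            {"Bearer tok-readonly", "write"},    // 403 insufficient_scope
            {"Bearer tok-expired", "read"},      // 401 invalid_token
            {"Bearer not-a-token", "read"},      // 401 invalid_token
            {"Basic YWxpY2U6c2VjcmV0", "read"},  // 400 invalid_request
            {null, "read"},                      // 401 bare challenge
        };
        for (String[] r : requests) {
            Decision d = check(r[0], r[1], validator, now);
            System.out.printf("%-28s -> %d %s%n", r[0], d.status,
                    d.status == 200 ? "user=" + d.user : d.challenge);
        }
    }
}
```

The validator is the only part that talks to the authorization server, which is why the distinction between "token rejected" and "validation call failed" matters in the answer's TokenValidatorWSO2: both must end in a denial, and a transport error must never be mistaken for a valid token.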