Authorization Server and OpenID Provider on Spring Framework

Overview

This is an implementation of an authorization server and an OpenID provider which supports OAuth 2.0 and OpenID Connect.

This implementation is written using Spring Framework, JAX-RS 2.0 API and authlete-java-jaxrs library. JAX-RS is The Java API for RESTful Web Services. JAX-RS 2.0 API has been standardized by JSR 339 and it is included in Java EE 7. On the other hand, authlete-java-jaxrs library is an open source library which provides utility classes for developers to implement an authorization server and a resource server. authlete-java-jaxrs in turn uses authlete-java-common library which is another open source library to communicate with Authlete Web APIs.

This implementation is DB-less. What this means is that you don't have to have a database server that stores authorization data (e.g. access tokens), settings of the authorization server itself and settings of client applications. This is achieved by using Authlete as a backend service. Read New Architecture of OAuth 2.0 and OpenID Connect Implementation for details about the architecture.

Access tokens issued by this authorization server can be used at a resource server which uses Authlete as a backend service. spring-resource-server is such a resource server implementation. It supports a userinfo endpoint defined in OpenID Connect Core 1.0 and includes an example implementation of a protected resource endpoint, too.

For Spring Users

This implementation does not use Spring Security OAuth. You can change settings of authorization servers and client applications via web consoles (Service Owner Console and Developer Console), so you don't have to do programming to configure authorization servers and register client applications.

Quick Start

$ git clone https://github.com/authlete/spring-oauth-server.git
$ cd spring-oauth-server
$ vi authlete.properties
$ mvn spring-boot:run

http://localhost:8080/api/authorization?client_id={client-id}&response_type=token
Input "john" and "john", and press "Authorize".

License

Apache License, Version 2.0

Source Code

https://github.com/authlete/spring-oauth-server

About Authlete

Authlete is a cloud service that provides an implementation of OAuth 2.0 & OpenID Connect (overview). You can easily get the functionalities of OAuth 2.0 and OpenID Connect either by using the default implementation provided by Authlete or by implementing your own authorization server using Authlete Web APIs as this implementation (spring-oauth-server) does.

To use this authorization server implementation, you need to get API credentials from Authlete and set them in authlete.properties. The steps to get API credentials are very easy. All you have to do is just to register your account (sign up). See Getting Started for details.

How To Run

1. Download the source code of this implementation.

    $ git clone https://github.com/authlete/spring-oauth-server.git
    $ cd spring-oauth-server
   

2. Edit the configuration file to set the API credentials of yours.

    $ vi authlete.properties
   

3. Make sure that you have installed maven and set JAVA_HOME properly.

4. Start the server on http://localhost:8080.

    $ mvn spring-boot:run
   

Run With Docker

If you would prefer to use Docker, just hit the following command after the step 2.

$ docker-compose up

Configuration File

spring-oauth-server refers to authlete.properties as a configuration file. If you want to use another different file, specify the name of the file by the system property authlete.configuration.file like the following.

$ mvn spring-boot:run \
  -Drun.jvmArguments="-Dauthlete.configuration.file=local.authlete.properties"

Endpoints

This implementation exposes endpoints as listed in the table below.

Endpoint	Path
Authorization Endpoint	/api/authorization
Token Endpoint	/api/token
JWK Set Endpoint	/api/jwks
Configuration Endpoint	/.well-known/openid-configuration
Revocation Endpoint	/api/revocation
Introspection Endpoint	/api/introspection

The authorization endpoint and the token endpoint accept parameters described in RFC 6749, OpenID Connect Core 1.0, OAuth 2.0 Multiple Response Type Encoding Practices, RFC 7636 (PKCE) and other specifications.

The JWK Set endpoint exposes a JSON Web Key Set document (JWK Set) so that client applications can (1) verify signatures by this OpenID Provider and (2) encrypt their requests to this OpenID Provider.

The configuration endpoint exposes the configuration information of this OpenID Provider in the JSON format defined in OpenID Connect Discovery 1.0.

The revocation endpoint is a Web API to revoke access tokens and refresh tokens. Its behavior is defined in RFC 7009.

The introspection endpoint is a Web API to get information about access tokens and refresh tokens. Its behavior is defined in RFC 7662.

Authorization Request Example

The following is an example to get an access token from the authorization endpoint using Implicit Flow. Don't forget to replace {client-id} in the URL with the real client ID of one of your client applications. As for client applications, see Getting Started and the document of Developer Console.

http://localhost:8080/api/authorization?client_id={client-id}&response_type=token

The request above will show you an authorization page. The page asks you to input login credentials and click "Authorize" button or "Deny" button. Use one of the following as login credentials.

Login ID	Password
john	john
jane	jane

Of course, these login credentials are dummy data, so you need to replace the user database implementation with your own.

Customization

How to customize this implementation is described in CUSTOMIZATION.md. Basically, you need to do programming for end-user authentication because Authlete does not manage end-user accounts. This is by design. The architecture of Authlete carefully seperates authorization from authentication so that you can add OAuth 2.0 and OpenID Connect functionalities seamlessly into even an existing web service which may already have a mechanism for end-user authentication.

Related Specifications

• RFC 6749 - The OAuth 2.0 Authorization Framework
• RFC 6750 - The OAuth 2.0 Authorization Framework: Bearer Token Usage
• RFC 6819 - OAuth 2.0 Threat Model and Security Considerations
• RFC 7009 - OAuth 2.0 Token Revocation
• RFC 7033 - WebFinger
• RFC 7515 - JSON Web Signature (JWS)
• RFC 7516 - JSON Web Encryption (JWE)
• RFC 7517 - JSON Web Key (JWK)
• RFC 7518 - JSON Web Algorithms (JWA)
• RFC 7519 - JSON Web Token (JWT)
• RFC 7521 - Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants
• RFC 7522 - Security Assertion Markup Language (SAML) 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants
• RFC 7523 - JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants
• RFC 7636 - Proof Key for Code Exchange by OAuth Public Clients
• RFC 7662 - OAuth 2.0 Token Introspection
• OAuth 2.0 Multiple Response Type Encoding Practices
• OAuth 2.0 Form Post Response Mode
• OpenID Connect Core 1.0
• OpenID Connect Discovery 1.0
• OpenID Connect Dynamic Client Registration 1.0
• OpenID Connect Session Management 1.0

See Also

• Authlete - Authlete Home Page
• authlete-java-common - Authlete Common Library for Java
• authlete-java-jaxrs - Authlete Library for JAX-RS (Java)
• spring-resource-server - Resource Server Implementation

Contact

Purpose	Email Address
General	[email protected]
Sales	[email protected]
PR	[email protected]
Technical	[email protected]