Securing Server-to-Server Communication with "Spring Boot" & "OAuth 2"

  • Jul 20, 2024

In this article we will see how to secure server-to-server communication with Spring Boot and OAuth 2's "client_credentials" grant type.

In the "client_credentials" grant there is no user interaction and no browser is involved: the calling service authenticates as itself, with its own client id and secret, and receives an access token scoped to what that service is allowed to do. That makes it a natural fit for securing server-to-server communication.

We will first create a "resource-server" containing secured REST endpoints for "Products", next we will create an "authorization-server" using spring-authorization-server, and lastly we will create a "client-server" that calls the "Products" REST API with a token obtained from the "authorization-server".

Let's get started !!!

1) Authorization Server

The primary goal of an "Authorization Server" is to issue "OAuth 2.0 tokens" requested by registered clients. With the JWT setup used here the "Resource Server" does not call back for every request: it verifies the token's signature locally using the public key that the authorization server publishes at its JWK Set endpoint (an introspection endpoint exists for opaque tokens, but we do not use it). The authorization server also holds the "Client" registrations (client id, hashed secret, allowed grant types and scopes) and, for user-facing grants, the "User" accounts with their "Roles" and "Authorities".

1.1) Dependencies

Let's create a project with Spring Initializr, make sure to add the required dependencies as shown in the picture below:

Dependencies

Also add "spring-security-oauth2-authorization-server" dependency to the project; the final "pom.xml" should look something like this:

1.2) Configuration

In the configuration below, we are adding an in-memory client, providing a bean that generates a 2048-bit RSA key pair used to sign the tokens, and configuring the issuer URL. The issuer ends up in every token's "iss" claim, so it must be a single, stable URL that the resource server can compare against.

Next, we also configure "@EnableWebSecurity" to manage the security of the "Authorization Server" itself; let's keep it at the defaults for now.
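As an added example (not code from the original article), here is what the authorization-server configuration described above looks like with Spring Authorization Server 1.x, where "ProviderSettings" has become "AuthorizationServerSettings". The package name, the client id/secret, port 9000 and the 5-minute token lifetime are assumptions of this example.

```java
package com.example.authserver;

import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.time.Duration;
import java.util.UUID;

import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.source.ImmutableJWKSet;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.proc.SecurityContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.security.oauth2.server.authorization.client.InMemoryRegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.config.annotation.web.configuration.OAuth2AuthorizationServerConfiguration;
import org.springframework.security.oauth2.server.authorization.settings.AuthorizationServerSettings;
import org.springframework.security.oauth2.server.authorization.settings.TokenSettings;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class AuthorizationServerConfig {

    // The protocol endpoints (/oauth2/token, /oauth2/jwks, ...) get the framework's
    // default security chain; it must be ordered before any application chain.
    @Bean
    @Order(Ordered.HIGHEST_PRECEDENCE)
    SecurityFilterChain authorizationServerFilterChain(HttpSecurity http) throws Exception {
        OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http);
        return http.build();
    }

    @Bean
    PasswordEncoder passwordEncoder() {
        // Client secrets are stored hashed (bcrypt by default), never as "{noop}" plaintext.
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    @Bean
    RegisteredClientRepository registeredClientRepository(PasswordEncoder encoder) {
        // Hypothetical registration for the client-server; id and secret are made up
        // for this example, and a real secret belongs in the environment, not in source.
        RegisteredClient productsClient = RegisteredClient.withId(UUID.randomUUID().toString())
                .clientId("products-client")
                .clientSecret(encoder.encode("products-secret"))
                .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
                // Only client_credentials: no redirect URI, no user, no refresh token.
                .authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
                .scope("products.read")
                .tokenSettings(TokenSettings.builder()
                        .accessTokenTimeToLive(Duration.ofMinutes(5))
                        .build())
                .build();
        return new InMemoryRegisteredClientRepository(productsClient);
    }

    @Bean
    JWKSource<SecurityContext> jwkSource() throws Exception {
        // 2048-bit (not byte) RSA key pair that signs the access tokens; the public half
        // is published at /oauth2/jwks so the resource server can verify signatures.
        KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
        generator.initialize(2048);
        KeyPair keyPair = generator.generateKeyPair();
        RSAKey rsaKey = new RSAKey.Builder((RSAPublicKey) keyPair.getPublic())
                .privateKey((RSAPrivateKey) keyPair.getPrivate())
                .keyID(UUID.randomUUID().toString())
                .build();
        return new ImmutableJWKSet<>(new JWKSet(rsaKey));
    }

    @Bean
    AuthorizationServerSettings authorizationServerSettings() {
        // Becomes the "iss" claim of every token; the resource server's issuer-uri
        // must match it exactly. Port 9000 is an assumption of this example.
        return AuthorizationServerSettings.builder()
                .issuer("http://auth-server:9000")
                .build();
    }
}
```

Because the key pair is generated in memory, every restart of the authorization server produces a new key: tokens issued before the restart stop verifying, and resource servers that cached the old JWK Set will reject the new tokens until they refresh it. That is acceptable for a demo; a deployment would load the key from a keystore and rotate it by publishing both keys under distinct key IDs.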

1.3) Host Entry

To make the issuer URL in the "ProviderSettings" bean ("AuthorizationServerSettings" in Spring Authorization Server 1.x) resolvable, we need to add the entry below to the server's hosts file (/etc/hosts). The same name must resolve on every host that runs the "resource-server" or the "client-server", because they compare the token's "iss" claim against this URL and fetch the JWK Set from it.

127.0.0.1 auth-server

1.4) Properties file

Let's add "logging" related properties and "server port" to "application.yml".

2) Resource Server

A resource server is the one hosting REST APIs; these secured APIs will be accessed by the client with the help of an "OAuth 2.0 token" obtained from the "Authorization Server".

2.1) Dependencies

Let's create a project with Spring Initializr, make sure to add the required dependencies as shown in the picture below:

Dependencies

The final "pom.xml" should look something like this:

2.2) Model

We will create a simple REST endpoint to return a list of "Product", here is the model to represent it:

2.3) Controller

This is the place to define the REST endpoint that returns the list of "Product":

2.4) Configuration

In the configuration below, we are securing the "/products/**" endpoint with "HttpSecurity"; it can only be accessed by clients whose token carries the "products.read" scope. Spring Security's default JWT converter exposes each value of the token's "scope" claim as a "SCOPE_" prefixed authority, so the rule is written against "SCOPE_products.read".
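As an added example (not the article's own code), here are sections 2.2 to 2.4 of the resource server in one file: the "Product" model, the controller, and the security configuration that only admits bearer tokens carrying "products.read". The package name, the sample products and port 8081 are assumptions; the three classes are shown in one file only to keep the example short.

```java
package com.example.resourceserver;

import java.util.List;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

// 2.4) Configuration. Assumed application.yml:
//   server.port: 8081
//   spring.security.oauth2.resourceserver.jwt.issuer-uri: http://auth-server:9000
@Configuration
@EnableWebSecurity
public class ResourceServerConfig {

    @Bean
    SecurityFilterChain resourceServerFilterChain(HttpSecurity http) throws Exception {
        http
            // A bearer-token API keeps no session, so there is no CSRF token to exchange.
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .csrf(csrf -> csrf.disable())
            .authorizeHttpRequests(auth -> auth
                // The default JwtAuthenticationConverter maps each value of the "scope"
                // claim to a "SCOPE_<scope>" authority, hence the prefix.
                .requestMatchers("/products/**").hasAuthority("SCOPE_products.read")
                // Fail closed: anything not listed is rejected even with a valid token.
                .anyRequest().denyAll())
            // Validates signature (keys fetched from the issuer's JWK Set), exp/nbf,
            // and that "iss" equals the configured issuer-uri.
            .oauth2ResourceServer(rs -> rs.jwt(Customizer.withDefaults()));
        return http.build();
    }
}

// 2.2) Model: an immutable record is all the API needs.
record Product(long id, String name, double price) {}

// 2.3) Controller: the JWT that passed the filter chain is the request principal.
@RestController
class ProductController {

    private static final Logger log = LoggerFactory.getLogger(ProductController.class);

    // Constructed sample data; a real service would load it from a store.
    private static final List<Product> PRODUCTS = List.of(
            new Product(1, "Keyboard", 49.99),
            new Product(2, "Monitor", 199.00));

    @GetMapping("/products")
    List<Product> products(@AuthenticationPrincipal Jwt jwt) {
        // For a client_credentials token "sub" is the client_id, not a user;
        // log it so audit trails show which service made the call.
        log.info("products requested by client {} with scopes {}",
                jwt.getSubject(), jwt.getClaimAsStringList("scope"));
        return PRODUCTS;
    }
}
```

Two things this configuration does not do, and that a practitioner should add before production: it does not check the token's audience ("aud"), so any client of the same authorization server with "products.read" can call this API, and it accepts the default clock skew and algorithms. Both can be tightened by supplying a custom "JwtDecoder" with an "OAuth2TokenValidator".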

2.5) Properties file

Let's add "logging" related properties, "server port" and "issuer-uri" to "application.yml".

3) Client Server

This is another server; it will act as a client for "Resource Server" and will access "Product" APIs with the help of an "OAuth 2.0 token" obtained from "Authorization Server."

3.1) Dependencies

Let's create a project with Spring Initializr, make sure to add the required dependencies as shown in the picture below:

Dependencies

The final "pom.xml" should look something like this:

3.2) Model

We will retrieve a list of "Product" from "Resource Server", here is the model to de-serialize it:

3.3) Configuration

In the configuration below, we are configuring a "WebClient" to send requests to the "Resource Server" and an "OAuth2AuthorizedClientManager" with a client-credentials "OAuth2AuthorizedClientProvider", which obtains the token from the "Authorization Server" and re-requests it when it expires.

Next, we also configure "@EnableWebSecurity" to manage the security of the "Client Server" itself; let's use "HttpSecurity" to secure all the URLs except "/products-view/**".

3.4) Controller

We have configured a "@GetMapping" for "/products-view"; we will use it to retrieve the list of "Product" from the "Resource Server" and return it as JSON to the browser.

3.5) Properties file

Let's add "client" credentials, "debug" related properties, "server port" and "issuer-uri" to "application.yml".

These client credentials are what the "Client Server" presents to the "Authorization Server" to obtain an "OAuth 2.0 token"; they must match the client registered in the authorization server's configuration.
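As an added example (not the article's own code), here are sections 3.2 to 3.5 of the client server in one file, with the assumed application.yml reproduced in the leading comment. The package name, the registration id "products-client", the secret, and the resource-server address http://localhost:8081 are assumptions of this example; "WebClient" requires spring-boot-starter-webflux on the classpath in addition to the OAuth2 client starter.

```java
package com.example.clientserver;

import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.ParameterizedTypeReference;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.oauth2.client.AuthorizedClientServiceOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProvider;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProviderBuilder;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.reactive.function.client.ServletOAuth2AuthorizedClientExchangeFilterFunction;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.reactive.function.client.WebClient;

/*
 * 3.5) Assumed application.yml. Spring Boot builds the ClientRegistrationRepository and
 * OAuth2AuthorizedClientService from it. issuer-uri is resolved through the authorization
 * server's discovery document at startup, so auth-server must resolve and be running.
 *
 * server.port: 8080
 * spring.security.oauth2.client.registration.products-client:
 *   client-id: products-client
 *   client-secret: products-secret      # inject from the environment in real deployments
 *   authorization-grant-type: client_credentials
 *   scope: products.read
 *   provider: auth-server
 * spring.security.oauth2.client.provider.auth-server.issuer-uri: http://auth-server:9000
 */
@Configuration
@EnableWebSecurity
public class ClientServerConfig {

    @Bean
    OAuth2AuthorizedClientManager authorizedClientManager(
            ClientRegistrationRepository registrations, OAuth2AuthorizedClientService clients) {
        // Only the client_credentials provider: it posts the client's own credentials to the
        // token endpoint and fetches a fresh token when the cached one is about to expire.
        OAuth2AuthorizedClientProvider provider = OAuth2AuthorizedClientProviderBuilder.builder()
                .clientCredentials()
                .build();
        // Service-backed manager: needs no logged-in user or HTTP session, which is
        // exactly the server-to-server situation.
        AuthorizedClientServiceOAuth2AuthorizedClientManager manager =
                new AuthorizedClientServiceOAuth2AuthorizedClientManager(registrations, clients);
        manager.setAuthorizedClientProvider(provider);
        return manager;
    }

    @Bean
    WebClient productsWebClient(OAuth2AuthorizedClientManager manager) {
        // The filter adds "Authorization: Bearer <token>" to every outgoing request.
        ServletOAuth2AuthorizedClientExchangeFilterFunction oauth2 =
                new ServletOAuth2AuthorizedClientExchangeFilterFunction(manager);
        oauth2.setDefaultClientRegistrationId("products-client");
        return WebClient.builder()
                .baseUrl("http://localhost:8081") // assumed resource-server address
                .apply(oauth2.oauth2Configuration())
                .build();
    }

    // 3.3) Security of the client server itself: everything but the view is locked down.
    @Bean
    SecurityFilterChain clientFilterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
                .requestMatchers("/products-view/**").permitAll()
                .anyRequest().authenticated());
        return http.build();
    }
}

// 3.2) Model used to deserialize the resource server's response.
record Product(long id, String name, double price) {}

// 3.4) Controller
@RestController
class ProductsViewController {
    private final WebClient productsWebClient;

    ProductsViewController(WebClient productsWebClient) {
        this.productsWebClient = productsWebClient;
    }

    @GetMapping("/products-view")
    List<Product> productsView() {
        return productsWebClient.get()
                .uri("/products")
                .retrieve()
                .bodyToMono(new ParameterizedTypeReference<List<Product>>() {})
                .block(); // blocking is acceptable in a servlet (Spring MVC) application
    }
}
```

The token is cached by the "OAuth2AuthorizedClientService" keyed on the registration id and principal name, so repeated calls to "/products-view" reuse it until it nears expiry; only then does the manager go back to the token endpoint. If the resource server answers 401 the filter function does not retry with a new token on its own, which is why short token lifetimes and a stable clock matter on both sides.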

4) Testing

We can now test our Server-to-Server Communication flow. Let's run "authorization-server", "resource-server" and "client-server" in that order (the other two fetch the authorization server's discovery document at startup, so it must be up first) and navigate to http://localhost:8080/products-view. To confirm that the API is really protected, also call the resource server's "/products" endpoint directly without a bearer token: it should answer 401, and a token whose scope does not include "products.read" should get 403.

Source Code
