OAuth 2/OpenID Connect with Spring Security Marathon

  • Published on 13 Oct 2024

Comments • 82

  • @laurspilca
    @laurspilca  1 year ago +11

    Code on GitHub:
    github.com/lspil/youtubechannel/tree/master/oauth2_marathon_e1
    github.com/lspil/youtubechannel/tree/master/oauth2_marathon_e2
    github.com/lspil/youtubechannel/tree/master/oauth2_marathon_e3
    Spring Security documentation: docs.spring.io/spring-security/reference/servlet/oauth2/index.html

    • @sergeyrukin
      @sergeyrukin 1 year ago

      thank you so much for your lessons and marathons!

  • @DevangBhagwat
    @DevangBhagwat 1 year ago +2

    Thank you very much for this wonderful session on the OAuth2 authorization server. I was desperately searching for this content. There is one thing that I would like to point out.
    At 3:47:57, the exception appeared because the authorization server could not find the client token settings for the client corresponding to the resource server.
    I just tried doing it myself and found that it will also need the authentication methods, grant types, redirect URI and scopes along with the token settings for the client corresponding to the resource server.
    It all boils down to some insert queries to the database 😊

    • @laurspilca
      @laurspilca  1 year ago +1

      Super. Thanks Devang. It's possible. I haven't had time to look again over the example but most likely it's what you say. Cheers!

  • @fillipemoreira5479
    @fillipemoreira5479 1 year ago +2

    Thank you very much for doing this marathon Laur, you helped me a lot

    • @laurspilca
      @laurspilca  1 year ago +1

      Glad to hear this :)

  • @KushParsaniya
    @KushParsaniya 6 months ago +1

    Great video,
    do we need to provide client credentials when introspecting?

    • @laurspilca
      @laurspilca  6 months ago +1

      By default yes. But you can configure to have the endpoint open.

    • @KushParsaniya
      @KushParsaniya 6 months ago

      @@laurspilca here introspecting is done by the resource server, right? Then how does the resource server know the client credentials? What if they both are owned by different persons; does that mean the resource server also has to register itself with the auth server and provide its own credentials for introspecting?

    • @laurspilca
      @laurspilca  6 months ago +1

      @@KushParsaniya Hello. Good question. The resource server needs to be registered itself as a client. This way the resource server becomes a client and has its own credentials.

  • @himanshukumar18
    @himanshukumar18 4 months ago

    super man!! hats off to you. This type of Marathon was really needed for OAuth2

  • @djoleezcool
    @djoleezcool 11 months ago

    Thank you for this knowledge, great session.

  • @KushParsaniya
    @KushParsaniya 6 months ago

    Great video,
    is there any contract for registerClient so we can directly implement it in a wrapper of the client (SecuredClient), like we do with UserDetails?

  • @andtif
    @andtif 1 year ago

    Thank you Laur so much for your marathon video. It is much appreciated and very useful!
    Would it be possible to go over the JSON Web Token/Key/Encryption/Signature in more detail in a future video (that is, what are JWT, JWK, JWE, JWS, how do they interact/depend on each other, and how do symmetric and asymmetric keys relate to these topics etc.) and maybe a bit more focus on the resource server side with regards to this?
    Love your videos and thanks again!

  • @momedalhouma14
    @momedalhouma14 1 year ago +1

    Is it possible to do a video about Spring Security and Angular auth? Like the one you made for React in the past.
    I'm asking because there is a big community working on angular and spring boot.
    thank you

    • @laurspilca
      @laurspilca  1 year ago +2

      Sure. But I have to find someone for the Angular part.

  • @juni239
    @juni239 10 months ago

    HI Laur. Thanks for such a great video. Do you know why introspecting a non-opaque token would get the resource server to throw "OAuth2IntrospectionException: Introspection endpoint responded with 302 FOUND"?

    • @laurspilca
      @laurspilca  10 months ago

      Hei. No, not really. You mean you get a 302 back but no content body?

  • @jack9171
    @jack9171 6 months ago

    Great session,
    I have a question. Here we are creating our own auth server, so we can have roles or authorities for authorization, but what if we want to use social media login using OAuth2, like Google or Twitter? How do we configure authorities in that case?

    • @laurspilca
      @laurspilca  6 months ago +1

      Hello. In that case, you will have to rely on what that social media authorization server provides you with.

  • @a.m.jyotiprakashsahu5754
    @a.m.jyotiprakashsahu5754 1 year ago +2

    sir, please make a video on Spring security 6 with Keycloak using OpenID.

  • @vutranang8053
    @vutranang8053 1 year ago +1

    Hi Laur Spilca, I appreciate your video.
    I have implemented authentication and authorization on the same server. There is a scenario where a user provides a valid username and password and receives the JWT back in JSON format without being redirected to the consent page.
    The password grant type has been deprecated, so is there any other way to achieve this?
    Have a nice day.

    • @laurspilca
      @laurspilca  1 year ago +1

      Hi. The only recommended way to work with authentication now is the authorization code grant type (preferably with PKCE). So no, I'd say there's no other way in which you can skip being redirected to a login page and be secure as well.

  • @paulcalinovici8808
    @paulcalinovici8808 1 year ago

    Hi, Laur! I've tried to run the auth server and the resource server in the same application. The reasons are financial, I want to run the application on AWS on a single Elastic Beanstalk. For the resource server part I've added a new security chain, so now there are 3 security chains, the two default ones from the auth server configuration and the one from the resource server. If I annotate it with order(3), after the auth ones, then after entering the credentials in the login form all the requests to the resource server are authorized without an access token. I think that happens because the formLogin() method in the second security chain adds a filter that implements a session-based authentication with the user credentials entered in the login form. If I add the security chain of the resource server between the two of the auth server, the login page is not even displayed, I get a 404 Not Found status. I did some debugging, and I think that Spring MVC tries to find a view at the /login path, which obviously is not found. The next thing I was thinking to do was to implement a login view myself and implement the requests from that view. Is there a sample with this scenario somewhere, or documentation on how to do it? Thanks a lot, I appreciate your work!

  • @andreykolobov89
    @andreykolobov89 1 year ago +1

    Thank you

  • @nimacode
    @nimacode 1 year ago +1

    I love your videos 😊❤

  • @mostafasaleh2806
    @mostafasaleh2806 1 year ago +1

    Could you make a marathon project

  • @djoleezcool
    @djoleezcool 11 months ago

    One question regarding the client. So, we are using Postman as a client service. How should we implement a Spring app to be a client? Then the authorization code will be exchanged by it and the user will just get data from the resource server. How will the communication between those two services work? Should we use a B2B client token exchange, so the client service will use WebClient with a token generated by the authorization service, then with that token the client service will get the data from the resources and then return them to the end user?

    • @laurspilca
      @laurspilca  11 months ago

      Hey. Thanks for the question. There are multiple ways in which you can make a client with Spring:
      RestTemplate -> deprecated
      OpenFeign -> my favorite for non reactive
      WebClient -> for reactive approach
      HttpClient -> Starting with Spring 6.2.
      You can find examples with these in several videos on this channel.
      Also, if you explicitly want to see how to create an OAuth 2 client with Spring, there is a video for that in the Spring Security playlist.

    • @djoleezcool
      @djoleezcool 11 months ago

      @@laurspilca great, thank you for the answer :)

  • @mohammadballour6504
    @mohammadballour6504 1 year ago

    love your videos, very very helpful

  • @cumbainer9722
    @cumbainer9722 1 year ago

    I have been watching you for a year already
    God bless you for such a good quality enjoyable content :)

  • @GheorghitaButnaru
    @GheorghitaButnaru 1 year ago

    Hello! How should we handle the user registration? Is there any special configuration for that, like a default /register endpoint or something else?

    • @laurspilca
      @laurspilca  1 year ago +1

      There is no specification on how to implement the user registration. That really depends on the app's business logic. You may want to have a web form for that, or simply load them in the DB via a script. All depends on what your needs are.

  • @bijannaik
    @bijannaik 9 months ago +1

    Hi
    is there any way I can modify the request body for oauth2/token?
    I want to add a few more fields to it. Are there any references that I can follow?

    • @laurspilca
      @laurspilca  9 months ago +1

      Hello. Thanks for the question. Yes. The token can be customized. You can find examples on how to do that in my Spring Security playlist (make sure you take the newest one).

    • @bijannaik
      @bijannaik 9 months ago

      @@laurspilca the ones with the darker background I guess 🙂

  • @debarshi89
    @debarshi89 1 year ago

    Hi Laur, thanks for this wonderful explanation. Could you please tell how we can get the token without using Postman but directly from the application? Can I try it using WebClient or OpenFeign? I've recently bought your Spring Security book and it is really very nice.

    • @laurspilca
      @laurspilca  1 year ago

      Hi. You mean implementing a Spring app which acts as a client?

    • @debarshi89
      @debarshi89 1 year ago

      @@laurspilca Yes, I've implemented a client application which takes me to the authorization server when I hit the client app. After authentication the auth server redirects to the given redirect URI along with the auth code and state, which I'm capturing in my landing API endpoint. Now, from here I want to get the token without using Postman.

    • @laurspilca
      @laurspilca  1 year ago

      @@debarshi89 You implement a REST call to the post endpoint. Depending on the technology you use the implementation will be different, but it's still just a REST request.

    • @debarshi89
      @debarshi89 1 year ago

      @@laurspilca Thanks 🙂, I'm using Spring Boot only.

    • @laurspilca
      @laurspilca  1 year ago

      @@debarshi89 Then you can inject the Authentication object. The JWT must be inside it with all its claims. However, it's strange that you deal with the token directly in this case.
      Btw, if you use Spring Boot you could benefit from the oauth2Login() DSL method. It will automatically implement the whole flow for you. But I'm not sure what you precisely try to do there.

  • @jeakkey
    @jeakkey 1 year ago +1

    Thanks for the explanation. If I have 2 client applications: I try to get access to client1, get redirected to the authorization server, and get successful authentication for client1. Next, from the browser I try to access the client2 link, and I get a successful result without going through the authentication process. My token from client1 is valid for client2. How do I avoid this behavior?

    • @laurspilca
      @laurspilca  1 year ago

      Hi. Thanks for the question. The tokens will indeed be usable for authentication. What you need to do is implement proper authorization.

    • @jeakkey
      @jeakkey 1 year ago

      @@laurspilca one authorization server owned per client application? How can I do it in one authorization server?

  • @chandan3027
    @chandan3027 10 months ago

    In case of a non-opaque token, how will the resource server verify signatures? Can it decrypt the signatures?

    • @laurspilca
      @laurspilca  10 months ago

      Hello. Thanks for the question. Signing and encrypting are two different things. One who wants to verify a signature uses a public key. They don't have to decrypt anything. A signature is not an encryption but simply a token created based on some data, which would not match if someone used different input data.

  • @saifthaha9957
    @saifthaha9957 1 month ago

    Hi, I have tried creating a controller to register clients dynamically through an endpoint, but each time I try accessing the endpoint the Spring default login appears. So what I did was go to the appFilterChain and enable permitAll for my registration endpoint, but the login still persists. What can I do?

    • @laurspilca
      @laurspilca  1 month ago

      Hey. Difficult to answer. Most likely your configuration is not correct. But I cannot just guess what's wrong with it, sorry :(

  • @AlmustaphaTukurUmar
    @AlmustaphaTukurUmar 9 months ago

    Thanks for the awesome content you shared. It was really helpful; however, after following all the steps as stated in the video I have been able to generate a code from /authorize, but while using the same code and code verifier on the /token endpoint it returns an error {invalid_grant_type}

    • @laurspilca
      @laurspilca  9 months ago

      Hello. It's likely you miss a parameter. Please check to be sure that all the params you use have the right values. It's enough for one to be wrong to get an exception such as yours. Also, remember that an authorization code can only be used once (including unsuccessful attempts). So you need to create a new one every time you attempt to call the /token endpoint.

    • @AlmustaphaTukurUmar
      @AlmustaphaTukurUmar 9 months ago

      @@laurspilca Thanks

    • @ekongrichard8423
      @ekongrichard8423 9 months ago

      I am having this same challenge even after acquiring a new authorization code from the server: I get the error {invalid_grant_type} on curl and an unsupported grant_type error on Postman.
      The authorization grant type of the client in the registered client repository bean is set to authorization_code. I have also passed the client_id, redirect_uri, grant_type, code and code_verifier parameters along with the client name and secret as basic authentication. Yet the error still persists.

    • @laurspilca
      @laurspilca  9 months ago

      @@ekongrichard8423 As I mentioned earlier, this problem appears when one of the parameters is not correct. My advice is that you take your configuration and the request and compare them, making sure that the values are correct for all. It's enough to have a wrong letter, e.g. HTTP instead of HTTPS, and the request would not work.

    • @ekongrichard8423
      @ekongrichard8423 9 months ago

      @@laurspilca It worked as intended after downgrading my Spring Boot version from 3.2.1 to 3.1.0.
      It seems like the most recent versions of Spring Boot have different implementations from your examples in chapter 14 of Spring Security in Action (2nd edition). I don't want to believe Spring Boot version 3.2.1 may have some bugs.

  • @abhijeetmohanty648
    @abhijeetmohanty648 6 months ago +1

    Hi, thanks for the content, this is really good. I tried to fetch the auth code, but when I am trying to fetch the token using Postman I am getting the response {"error": "invalid_grant"} with 400 Bad Request.
    I have provided the correct client id, secret and also the code token.
    Can you please let me know what could be the issue?

    • @laurspilca
      @laurspilca  6 months ago

      Hello. The error usually indicates that one of the parameters you used doesn't correspond with the configured data. But it's difficult for me to figure out which one exactly since they made the error very generic. It can literally be anything.
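The two threads above (the {invalid_grant_type}/{invalid_grant} replies) both come down to the same rule: every /token parameter must match what the server recorded when it issued the code, and the code is burned by any attempt, successful or not. The following added example (not code from the video or its GitHub repository) models that check for the authorization code grant with PKCE (S256, RFC 7636): the client registration, ids and URIs are constructed, and the endpoint class is a toy stand-in for Spring Authorization Server's /oauth2/token, kept only to show which mistake produces which error.

```python
import base64
import hashlib
import secrets
from dataclasses import dataclass

# Constructed client registration: the values a /token request has to match
# exactly (hypothetical ids and URIs, not taken from the video's repository).
CLIENT = {
    "client_id": "client",
    "client_secret": "secret",
    "redirect_uris": {"https://client.example/callback"},
    "grant_types": {"authorization_code", "refresh_token"},
}


def s256_challenge(verifier):
    """code_challenge = BASE64URL(SHA256(code_verifier)), no padding (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """Client side: a fresh code_verifier and the code_challenge sent to /authorize."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, s256_challenge(verifier)


@dataclass
class AuthorizationCode:
    """What the server remembered when it issued the code at /oauth2/authorize."""
    value: str
    client_id: str
    redirect_uri: str
    code_challenge: str
    used: bool = False


class TokenEndpoint:
    """Toy /oauth2/token validation; exchange() returns a (status, detail) tuple."""

    def __init__(self, codes):
        self.codes = {c.value: c for c in codes}

    def exchange(self, params, basic_auth):
        if basic_auth != (CLIENT["client_id"], CLIENT["client_secret"]):
            return "error", "invalid_client"
        if params.get("grant_type") not in CLIENT["grant_types"]:
            return "error", "unsupported_grant_type"
        code = self.codes.get(params.get("code", ""))
        if code is None or code.used:
            return "error", "invalid_grant"
        code.used = True  # consumed now, so a failed attempt burns it as well
        # One wrong character (e.g. http instead of https in redirect_uri) and the
        # server only reports the generic invalid_grant, exactly as in the thread.
        if (params.get("client_id") != code.client_id
                or params.get("redirect_uri") != code.redirect_uri
                or s256_challenge(params.get("code_verifier", "")) != code.code_challenge):
            return "error", "invalid_grant"
        return "ok", "access-token-" + secrets.token_hex(8)
```

Because the code is marked used before the PKCE and redirect_uri comparison, retrying the corrected request with the same code still yields invalid_grant; a new code from /authorize is required, as the reply says.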

  • @LucasArkantos
    @LucasArkantos 1 year ago

    And about client create?

  • @ЏонМастерман
    @ЏонМастерман 5 months ago

    Udemy course owners hate him !

    • @laurspilca
      @laurspilca  5 months ago

      🤣

  • @jyothimammula9154
    @jyothimammula9154 8 months ago

    Please add the password grant type in this video

    • @laurspilca
      @laurspilca  8 months ago

      Hello. The password grant type is deprecated and not recommended anymore.

    • @jyothimammula9154
      @jyothimammula9154 8 months ago

      @@laurspilca My app is using the password grant type. My app is migrating from Spring Boot version 2.4 to 3.2.1. Now the password grant type is deprecated, right? Is there any replacement grant type?

    • @laurspilca
      @laurspilca  8 months ago

      @@jyothimammula9154 Yes. Apps should use the authorization code grant type in case they need user consent and authentication.

    • @jyothimammula9154
      @jyothimammula9154 8 months ago

      @@laurspilca I have one more doubt. Is it possible for the authorization server, resource server and client server to be used in the same application in Spring Boot version 3.2.1?

    • @laurspilca
      @laurspilca  7 months ago

      @@jyothimammula9154 Hi. Most likely it's possible, but I have never done so, since it's not really something you'd do in a real-world app.

  • @nikolaykutsev6467
    @nikolaykutsev6467 1 year ago +2

    Hey Laur, big fan here! Is there a way to make a live workshop session this weekend where you create a simple login/registration form with Spring Security? That would be nice, and I would really be interested in watching the whole thing! Greetings from Bulgaria! :)

    • @laurspilca
      @laurspilca  1 year ago +1

      Hi Nikolay. I'm pretty busy this weekend. But maybe in one of the next. You mean custom registration form? Or what exactly are you looking for?

    • @nikolaykutsev6467
      @nikolaykutsev6467 1 year ago

      @@laurspilca Thanks for your answer! What I mean is a web registration and a login form for a simple application, with a database, users with specific roles and authorities, and some endpoints accessible by authenticated users and others that only specific users with specific roles/authorities can access. Secured with JWT/OAuth. Some basic HTML/CSS as well for the login form and maybe the functionality for the admins. That would be really really nice and helpful!!! 👌🏻
      Example: User Management system

    • @laurspilca
      @laurspilca  1 year ago +1

      @@nikolaykutsev6467 Oh. But that would take a few days to implement :))

    • @nikolaykutsev6467
      @nikolaykutsev6467 1 year ago

      @@laurspilca I know, right? But maybe some basic functionality; the service methods don't need to be fully functional, maybe only the security part.

    • @LucasArkantos
      @LucasArkantos 1 year ago

      Any updates on this request?

  • @narayana6982
    @narayana6982 1 year ago

    Thank you