Closed ch4mpy closed 1 year ago
@danvega I rebased on master after the latest merges. I also completely removed the basic authentication as the /token end-point is managed by the authorization-server.
These are some great suggestions but this code is a part of the tutorial and would confuse folks who come here expecting to see code similar to what I built. Thank you for the suggestions though.
@danvega you should clearly disclose in your tutorial that your implementation is not OAuth2 compliant, despite using JWTs, and that it has more implications than just security (which you already state).
Also warn watchers that they will have to implement a complete user-management solution by themselves...
I came to your tutorial and repo helping others who were thinking they were implementing OAuth2 security in Spring after watching your video...
OAuth2

Your implementation uses JWTs but it is not OAuth2 compliant. I chose to switch to OIDC (which is an extension of OAuth2) with an external authorization-server instead of the JWT issued with basic authentication because:

- .well-known/openid-configuration

spring-addons

I am the author of thin wrappers around spring-boot-starter-oauth2-resource-server which bring auto-configuration for the features you implement plus a few others:

- @PreAuthorize expressions like you do
- scp like in your tutorial), prefix and case transformation

I know from your tutorial that you don't like third party libraries. Just see in this PR how much simpler security configuration is, and then browse my library source code to see by yourself how little invasive it is: just 2 files (3 if you include the auto-configuration resource) for each starter with almost only a few @ConditionalOnMissingBean.
As OIDC authorization-server, I used Keycloak. Configuring and launching a Keycloak instance is actually simpler than defining a token endpoint like you did (and it is way more secure and feature-rich). Instructions from my own set of tutorials or from official documentation starting with zip file, Docker or K8s distributions.
Note that switching to any other OIDC authorization-server provider is, thanks to my starter, just a matter of editing the properties file (even for SaaS like Auth0, Okta, Amazon Cognito, etc.)