Use spring-addons to make things simpler

[ch4mpy]

OAuth2

Your implementation uses JWTs but it is not OAuth2 complient. I chose to switch to OIDC (which is an extension of OAuth2) with an external authorization-server instead of the JWT issued with basic authentication because:

• this is much simpler: just have a look at how much code I removed and your code is missing users registraion and login forms, actual database implementation, users administration UI (roles management, data edition, etc.), ...
• this is way more secured: basic authentication is very weak compared to authorization-code with PKCE (but you are already aware of that: you wrote about it in your tutorial)
• user experience is much better: OAuth2 includes refresh-token flow to avoid users having to enter their login and password to get a new JWT each time it expires (and access-tokens should be very short lived).
• client developper experience is better too: OIDC is an extensively used standard and there are many client libraries out there which will:
  • handle redirection to and from authorization-server
  • exchange of authorization-code for tokens
  • authorize requests (add Authorization header with access-token to requests sent to secured resources)
  • fetch OAuth2 configuration from just .well-known/openid-configuration
• most OIDC servers come with a lot of useful advanced features you will just have to configure instead of having to develop, test and maintain (which is way more effort than one can imagine and also very hard to avoid dangerous security breaches): users administration UI including roles management, social login, multi-factor authentication, connection to LDAP, etc.

spring-addons

I am the author of thin wrappers arround spring-boot-starter-oauth2-resource-server which bring auto-configuration for the features you implement plus a few others:

• sessions disabled by default
• CSRF protection disabled if sessions are left disabled
• definition of "public" routes (those accessible to anonymous) from properties, other routes being restricted to authenticated users (fine grained access control being achieved with @PreAuthorize expressions like you do.
• fine grained CORS configuration from properties
• authorities mapping from properties with configurable source claims (not only scp like in your tutorial), prefix and case transformation
• 401 instead of 302 if authorization is missing or invalid (expired, wrong issuer, ...)

I know from your tutorial that you don't like third party libraries. Just see in this PR how much simpler security configuration is, and then browse my library source code to see by yourself how little invasive it is: just 2 files (3 if you include the auto-configuration resource) for each starter with almost only a few @ConditionalOnMissingBean.

Keycloak

As OIDC authorization-server, I used Keycloak. Configuring and launching a Keycloak instance is actually simpler than defining a token endpoint like you did (and it is way more secured and feature-rich). Instructions from my own set of tutorials or from official documentation starting with zip file, Docker or K8s distributions.

Note that switching to any other OIDC authorization-server provider is, thanks to my starter, just a matter of editing properties file (even for SaaS like Auth0, Okta, Amazon Cognito, etc.)

[ch4mpy]

@danvega I rebased on master after the latest merges. I also completely removed the basic authentication as /token end-point is managed by the authorization-server.

[danvega]

These are some great suggestions but this code is a part of the tutorial and would confuse folks who come here expecting to see code similar to what I built. Thank you for the suggestions though.

[ch4mpy]

@danvega you should clearly disclose in your tutorial that your implementation is not OAuth2 compliant, despite using JWTs, and that it has more implications than just security (which you already state).

Also warn watchers that they will have to implement a complete user-management solution by themself...

I came to your tutorial and repo helping others who were thinking they were implementing OAuth2 security in spring after watching your video...