Open galves opened 9 years ago
Tonr is not a resource server, but I think I know what you mean (something like https://github.com/spring-projects/spring-security-oauth/tree/master/tests/annotation/resource but with a remote token service instead of JWT)?
Why did you use the cloud foundry implementation (what's wrong with the native one)?
May I suggest you look at http://spring-cloud-microservices.github.io/ ? This is our reference implementation for a microservice architecture, including central auditing, resource servers, oauth, and all the spring cloud config, discovery, hystrix stuff.
If you're just looking for a resource server example, both audit-service and pony-service expose their database as a resource server using spring-data-rest and use remote token services.
@dsyer, do you think it would add value to list it as a sample microservice ecosystem for the community to look at / contribute? I think it gives a good high-level view of a working system.
We're planning on going into production with this architecture soon.
Thanks for the response.
Yes, I understand that Tonr is a client, which is why the Resource Server would be a third example app complementing it and Sparklr.
I did have a look at the provided RemoteTokenServices but it wasn't particularly clear where to start. It was only after looking at the cloudfoundry code that I knew to enable the /check_token endpoint on the provider and so on.
The cloudfoundry version also set the user roles correctly in the resource server using grants obtained from sparklr. Even the @PreAuthorize hasRole() annotations worked more or less out of the box.
Reading the documentation now, it is a lot clearer to me how the remote tokens work (and also that I should probably be using JWT!), however this is only thanks to a retrospective high level overview from a working system.
Linking to http://spring-cloud-microservices.github.io/ is a good idea but it might be helpful to have a more minimal example using JWT/Remote Tokens.
@theonlyguills that's more of a relevant topic for Spring Cloud (there's a gitter room for that if you want to chat (e.g. to ask about possible trademark infringement :-)).
Having just fudged a solution using org.cloudfoundry.identity.uaa.oauth.RemoteTokenServices, I think it would be of great benefit to the community to have a working sample resource server to complement Tonr.
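
A minimal sketch of the setup discussed in this thread, using the native `RemoteTokenServices` against the provider's `/check_token` endpoint. This is an added example, not code from the thread or from the spring-security-oauth samples; the endpoint URL, client id, environment variable name and resource id are assumptions to replace with your provider's values.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.RemoteTokenServices;

// Provider side: /oauth/check_token is denied by default. In the provider's
// AuthorizationServerConfigurerAdapter, open it to authenticated clients only
// (avoid permitAll(), which lets anyone introspect tokens):
//
//   @Override
//   public void configure(AuthorizationServerSecurityConfigurer security) {
//       security.checkTokenAccess("isAuthenticated()");
//   }

@Configuration
@EnableResourceServer
@EnableGlobalMethodSecurity(prePostEnabled = true) // needed for @PreAuthorize
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    @Bean
    public RemoteTokenServices remoteTokenServices() {
        RemoteTokenServices services = new RemoteTokenServices();
        // Assumed provider location; use HTTPS outside local development,
        // since tokens and client credentials travel over this call.
        services.setCheckTokenEndpointUrl("http://localhost:8080/sparklr2/oauth/check_token");
        // Hypothetical client registered on the provider for this resource server.
        services.setClientId("resource-server");
        // Hypothetical variable name; keeps the secret out of source control.
        services.setClientSecret(System.getenv("RESOURCE_SERVER_CLIENT_SECRET"));
        return services;
    }

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        // Assumed resource id; tokens issued for other resources are rejected.
        resources.resourceId("sparklr").tokenServices(remoteTokenServices());
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        // Every request must carry a token the provider confirms as valid.
        http.authorizeRequests().anyRequest().authenticated();
    }
}
```

Each request triggers a call to the provider, so the authorities returned by `/check_token` are what `@PreAuthorize` expressions evaluate against.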