Spring authorization and resource on same server

I am new to the Spring environment and I'm just learning OAuth2. Is there a way to make the authorization server also a resource server? I am looking at this new project https://github.com/spring-projects/spring-authorization-server

Some steps or examples would be appreciated. The first problem I encountered when trying to implement this was that the provider for the resource server was not up already. Thank you!

Sebastian Puscas asked Mar 10 '26 22:03


2 Answers

To make Spring Authorization Server a Resource Server, I followed these steps:

  1. Have your Spring Authorization Server working following the official documentation: https://docs.spring.io/spring-authorization-server/docs/current/reference/html/getting-started.html
  2. Add .oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt) to your second order SecurityFilterChain so that the code looks like:

  import org.springframework.security.config.Customizer;
  import org.springframework.security.config.annotation.web.builders.HttpSecurity;
  import org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer;
  import org.springframework.security.web.SecurityFilterChain;

  @Bean
  @Order(2)
  public SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception {
    http
        .authorizeHttpRequests((authorize) ->
            authorize
                .anyRequest().authenticated()
        )
        // ADD THIS LINE HERE: bearer JWTs issued by this server are now accepted here too
        .oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt)
        // Form login handles the redirect to the login page from the
        // authorization server filter chain
        .formLogin(Customizer.withDefaults());
    return http.build();
  }
Juan Cabello answered Mar 12 '26 11:03


The solution proposed by Juan Cabello worked for me. Still, I wanted a more flexible configuration, so I decided to add a separate SecurityFilterChain that would be responsible solely for handling the endpoints that have to be protected by the access token. This way, we can have completely independent security configurations for the session-based and access-token-based endpoints.

I've made a sample project (GitHub link) that demonstrates this approach. The readme contains the CLI commands to authorize with the Authorization Code Flow + PKCE, and commands to trigger the protected endpoints to ensure everything works as expected.

The main steps are the following:

  1. Set up the server according to the getting-started guide
  2. Add a new filter chain in between the authorizationServerSecurityFilterChain and the defaultSecurityFilterChain:
    // Manages authorization server endpoints such as /oauth2/**, /userinfo and others
    @Bean 
    @Order(1)
    public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http)
            throws Exception {
        // config from the getting-started guide
    }
    
    // Manages endpoints that start with /api/
    @Bean
    @Order(2)
    public SecurityFilterChain jwtFilterChain(HttpSecurity http)
            throws Exception {
        http.securityMatcher("/api/**")
                .authorizeHttpRequests((authorize) ->
                        authorize
                                .requestMatchers("/api/test/unprotected").permitAll()
                                .anyRequest().authenticated()
                )
                // Ignoring the session cookie
                .sessionManagement(configurer ->
                        configurer.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                .oauth2ResourceServer((resourceServer) -> resourceServer
                        .jwt(Customizer.withDefaults()));
    
        return http.build();
    }
    
    // Manages everything else including the /login endpoint
    @Bean 
    @Order(3) // changed order from 2 to 3
    public SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http)
            throws Exception {
        // config from the getting-started guide
    }
user3601262 answered Mar 12 '26 12:03