OAuth2.0 and Dynamic Client Registration (using the Spring Security OAuth legacy stack) – OAuth2.0和动态客户端注册(使用Spring Security OAuth遗留栈)

最后修改: 2016年 12月 21日


1. Introduction


In this tutorial, we are going to prepare a dynamic client registration with the OAuth2.0. The OAuth2.0 is an authorization framework that enables obtaining limited access to user accounts on an HTTP service. The OAuth2.0 client is the application that wants to access the user’s account. This client can be an external web application, an user agent or just a native client.


In order to achieve dynamic client registration, we’re going to store the credentials in database, instead of hardcoded configuration. The application we’re going to extend was initially described in Spring REST API + OAuth2 tutorial.

为了实现动态客户端注册,我们要将凭证存储在数据库中,而不是硬编码配置。我们要扩展的应用程序最初是在Spring REST API + OAuth2教程中描述的。

Note: this article is using the Spring OAuth legacy project.

注意:本文使用的是Spring OAuth遗留项目

2. Maven Dependencies


We’ll first set up the following set of dependencies:



Note that we’re using spring-jdbc because we’re going to use a DB to store the newly registered users with passwords.


3. OAuth2.0 Server Configuration


First, we need to configure our OAuth2.0 authorization server. The main configuration is inside the following class:


@PropertySource({ "classpath:persistence.properties" })
public class OAuth2AuthorizationServerConfig
  extends AuthorizationServerConfigurerAdapter {
    // config

There are a few major things we need to configure; let’s start with ClientDetailsServiceConfigurer:


public void configure(final ClientDetailsServiceConfigurer clients) throws Exception {
    // ...		

This will make sure we’re using persistence to get the client information from.


Let’s of course set up this standard data source:


public DataSource dataSource() {
    DriverManagerDataSource dataSource = new DriverManagerDataSource();

    return dataSource;

And so, now, our application will use the database as a source of registered clients, instead of the typical hard-coded in memory clients.


4. The DB Scheme


Let’s now define the SQL structure for storing our OAuth clients:


create table oauth_client_details (
    client_id VARCHAR(256) PRIMARY KEY,
    resource_ids VARCHAR(256),
    client_secret VARCHAR(256),
    scope VARCHAR(256),
    authorized_grant_types VARCHAR(256),
    web_server_redirect_uri VARCHAR(256),
    authorities VARCHAR(256),
    access_token_validity INTEGER,
    refresh_token_validity INTEGER,
    additional_information VARCHAR(4096),
    autoapprove VARCHAR(256)

The most important fields from the oauth_client_details we should focus on are:


  • client_id – to store the id of newly registered clients
  • client_secret – to store the password of clients
  • access_token_validity – which indicates if client is still valid
  • authorities – to indicate what roles are permitted with particular client
  • scope – allowed actions, for example writing statuses on Facebook etc.
  • authorized_grant_types, which provides information how users can login to the particular client (in our example case it’s a form login with password)

Please note, that each client has one to many relationship with users, which naturally means that multiple users can utilize a single client.


5. Let’s Persist Some Clients


With SQL schema define, we can finally create some data in the system – and basically define a client.


We’re going to use the following data.sql script – which Spring Boot will run by default – to initialize the DB:

我们将使用以下data.sql脚本–Spring Boot将默认运行该脚本–来初始化数据库。

INSERT INTO oauth_client_details
	(client_id, client_secret, scope, authorized_grant_types,
	web_server_redirect_uri, authorities, access_token_validity,
	refresh_token_validity, additional_information, autoapprove)
	("fooClientIdPassword", "secret", "foo,read,write,
	"password,authorization_code,refresh_token", null, null, 36000, 36000, null, true);

The description of the most important fields in oauth_client_details is provided in previous section.


6. Testing


In order to test the dynamic client registration, we need to run both spring-security-oauth-server and spring-security-oauth-resource projects, on the 8081 and 8082 ports, respectively.


Now, we can finally write a few live tests.


Let’s assume, that we registered client with id named fooClientIdPassword, that has an access to read foos.


First, we’ll try to obtain an Access Token from the Auth Server, using an already defined client:


public void givenDBUser_whenRevokeToken_thenAuthorized() {
    String accessToken = obtainAccessToken("fooClientIdPassword", "john", "123");

And here’s the logic of obtaining the Access Token:


private String obtainAccessToken(String clientId, String username, String password) {
    Map<String, String> params = new HashMap<String, String>();
    params.put("grant_type", "password");
    params.put("client_id", clientId);
    params.put("username", username);
    params.put("password", password);
    Response response = RestAssured.given().auth().preemptive()
      .basic(clientId, "secret").and().with().params(params).when()
    return response.jsonPath().getString("access_token");

7. Conclusion


In this tutorial, we learned how to dynamically register unlimited number of clients with OAuth2.0 framework.


The full implementation of this tutorial can be found over on GitHub – this is a Maven-based project, so it should be easy to import and run as it is.

本教程的完整实现可以在GitHub上找到over on GitHub – 这是一个基于Maven的项目,所以应该很容易导入并按原样运行。

Please note, that in order to test, you’ll need to add clients into DB, and that the .inMemory() config will be no longer valid. If you want to use the old .inMemory() config, there is a second file containing configuration with hardcoded clients.