Integrating OAuth2 Authorization Server with Username/Password Authentication and JWT Token in Spring Boot

Programming & Development / April 19, 2025

Integrating OAuth2 Authorization Server with Username/Password Authentication and JWT Token in Spring Boot

OAuth2 Spring Boot JWT authorization server username/password authentication token validation Spring Security

Step 1: Add Dependencies

Add the necessary dependencies in your pom.xml for Maven or build.gradle for Gradle to enable OAuth2 authorization and JWT token functionality.

Maven:

xml

<dependencies>
    <!-- Spring Boot OAuth2 Authorization Server -->
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-oauth2-authorization-server</artifactId>
    </dependency>

    <!-- Spring Boot Security -->
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>

    <!-- Spring Boot Web -->
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
    </dependency>

    <!-- Spring Boot JWT -->
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-jwt</artifactId>
    </dependency>
</dependencies>

Gradle:

groovy

implementation 'org.springframework.boot:spring-boot-starter-oauth2-authorization-server'
implementation 'org.springframework.boot:spring-boot-starter-security'
implementation 'org.springframework.boot:spring-boot-starter-web'
implementation 'org.springframework.boot:spring-boot-starter-jwt'

Step 2: Configure the OAuth2 Authorization Server

Create a configuration class to set up the OAuth2 Authorization Server. This includes defining user credentials, token settings, and authorization server configuration.

java

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.oauth2.server.authorization.config.annotation.web.configuration.OAuth2AuthorizationServerConfiguration;
import org.springframework.security.oauth2.server.authorization.settings.AuthorizationServerSettings;
import org.springframework.security.oauth2.server.authorization.settings.TokenSettings;

import java.time.Duration;

@Configuration
public class AuthorizationServerConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http);
        return http.formLogin().and().build();
    }

    @Bean
    public UserDetailsService userDetailsService() {
        return new InMemoryUserDetailsManager(
                User.withUsername("user")
                        .password(passwordEncoder().encode("password"))
                        .roles("USER")
                        .build()
        );
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Bean
    public AuthorizationServerSettings authorizationServerSettings() {
        return AuthorizationServerSettings.builder().build();
    }

    @Bean
    public TokenSettings tokenSettings() {
        return TokenSettings.builder()
                .accessTokenTimeToLive(Duration.ofMinutes(30))
                .build();
    }
}

Explanation:

Security Filter Chain:
Configures default security settings with form-based login.
User Details Service:
Defines an in-memory user with username user and password password. Password is encrypted using BCryptPasswordEncoder.
Token Settings:
Configures the lifetime of access tokens (30 minutes in this example).

Step 3: Expose the OAuth2 Endpoints

To expose the necessary OAuth2 endpoints (/oauth2/authorize, /oauth2/token, etc.), the framework automatically provides the routes if you have the correct dependencies and configuration. The configuration above ensures these endpoints are available by default.

Step 4: Configure the Resource Server to Validate JWT Tokens

In case your application consists of multiple microservices, you might need a separate resource server to validate JWT tokens.

java

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.server.resource.web.BearerTokenAuthenticationEntryPoint;
import org.springframework.security.oauth2.server.resource.web.access.BearerTokenAccessDeniedHandler;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class ResourceServerConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().authenticated()
            .oauth2ResourceServer()
                .jwt()
            .and()
            .authenticationEntryPoint(new BearerTokenAuthenticationEntryPoint())
            .accessDeniedHandler(new BearerTokenAccessDeniedHandler());
        return http.build();
    }
}

Explanation:

JWT Resource Server Configuration:
Configures the resource server to validate JWT tokens, ensuring that only authenticated requests can access the endpoints.
Bearer Token Authentication:
Sets up the authentication entry point for bearer tokens (JWT) and handles access denial.

Step 5: Configure JWT Handling

JWT handling needs to be set up for both issuing and validating tokens. You may need to configure custom claims or token signing algorithms. Typically, this involves:

Signing the JWT token with a secret or asymmetric key.
Optionally, configuring custom claims (e.g., roles, user-specific information).
Setting expiration times and other token attributes.

Step 6: Testing the OAuth2 Flow

Once your OAuth2 authorization server is set up, you can test the OAuth2 flow using tools like Postman:

Obtain a JWT Token: Hit the /oauth2/token endpoint with appropriate client credentials (username/password) to receive a JWT token.
Use the JWT Token: Use the obtained JWT token to authenticate requests to secured resources.

Step 7: Security Considerations

Password Encoding:
Always use a strong password encoder such as BCryptPasswordEncoder for user passwords.
Refresh Tokens:
You may want to implement support for refresh tokens to allow users to obtain new access tokens after expiration.
JWT Security:
Ensure that the JWT token is signed using a strong secret or asymmetric keys (RS256 or ES256) to protect its integrity.
Access Token Expiry:
Use appropriate expiry times for your tokens to balance security and user convenience.

Conclusion

By following these steps, you can successfully integrate an OAuth2 authorization server in your Spring Boot application using username/password authentication and JWT tokens for secure authentication and authorization. This setup is flexible and can be easily extended to support more advanced security features such as refresh tokens, additional user roles, and permissions.

Share this article:

Comments

No comments yet

NUHMAN.com