Spring Boot OAuth2
To secure microservices, we need to authenticate the users that try to access a particular service. The components below make up this security framework built on OAuth2 and JWT tokens.
What is OAuth2?
OAuth (Open Authorization) is a simple way to publish and interact with protected services.
It is an open standard for token-based authentication and authorization over the web. Using this approach, a user’s account information can be used by third-party services, such as Facebook and Twitter, without exposing the user’s password.
The OAuth specification describes five grants for acquiring an access token:
- Authorization code grant
- Implicit grant
- Resource owner credentials grant
- Client credentials grant
- Refresh token grant
What is Authorization Server?
The authorization server acts as a centralized server component that authenticates users’ identity and issues access tokens upon successful authentication. To access any microservice, a JWT token must first be requested from the authorization server. With a valid token, the microservice can then be accessed.
What is Resource Server?
The resource server accepts the access token issued by the authorization server and provides this token to the clients that want to access protected resources.
What is JWT token?
JWT stands for JSON Web Token. It is used to represent claims securely between two parties.
JSON Web Token (JWT token) is a proposed Internet standard for creating data with optional signature and/or optional encryption whose payload holds JSON that asserts some number of claims. The tokens are signed either using a private secret or a public/private key.
From Wikipedia
OAuth2 flow
Understanding OAuth using an example
Let’s understand this using an example.
- Suppose you are new to Instagram and want to log in, but you don’t have an Instagram account.
- Instagram gives you the choice to log in using your Facebook account if you do not want to sign up immediately.
- If you choose to do so, you are authorizing Facebook to share your public information with Instagram.
- This authorization is done using OAuth. Here only public information is shared with Instagram and no password is shared.
In the example above, the components map as follows:
Resource Owner : It is the user who wants to log in to Instagram
Client Application : It is Instagram in this example
Resource Server : It is Instagram in this example
Authorization Server : The resource server hosts the protected user accounts, and the authorization server verifies the identity of the user and then issues access tokens to the application. Here Facebook is the authorization server.
What is refresh token?
A refresh token is issued (along with the access token) to the client by the authorization server. It is used to obtain a new access token when the current access token expires or becomes invalid.
The refresh token and the access token have different responsibilities.
- The access token is used to access a resource before the token expires
- The refresh token is used to obtain a new access token when the existing token has expired
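As an added example (not code from this article or from Spring Security), the plain-Java program below shows what the JWT and access-token passages above describe: the authorization server signs a token with a shared secret, and the resource server rejects it once the payload is altered or the `exp` time has passed. The class and method names, the demo secret, the `alice`/`admin` subjects and the fixed clock value are constructed for illustration; a Spring Boot service would delegate this check to its JWT library.

```java
import static java.nio.charset.StandardCharsets.UTF_8;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.regex.*;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added illustration; class, method and claim values are hypothetical, not Spring APIs.
public class JwtAccessTokenDemo {
    static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    static final Base64.Decoder DEC = Base64.getUrlDecoder();
    static String b64(String s) { return ENC.encodeToString(s.getBytes(UTF_8)); }

    static byte[] hmac(byte[] key, String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(data.getBytes(UTF_8));
    }
    // Authorization server: sign "header.payload" with the shared secret (HS256).
    static String issue(byte[] key, String sub, long exp) throws Exception {
        String input = b64("{\"alg\":\"HS256\",\"typ\":\"JWT\"}") + "."
                + b64("{\"sub\":\"" + sub + "\",\"exp\":" + exp + "}");
        return input + "." + ENC.encodeToString(hmac(key, input));
    }
    // Resource server: accept only a correctly signed, unexpired HS256 token.
    static String check(byte[] key, String token, long now) {
        try {
            String[] p = token.split("\\.", -1);
            if (p.length != 3) return "REJECT malformed";
            // Pin the algorithm; the token must not choose "none" or another alg.
            if (!new String(DEC.decode(p[0]), UTF_8).contains("\"alg\":\"HS256\"")) return "REJECT algorithm";
            // Verify the signature in constant time before trusting any claim.
            if (!MessageDigest.isEqual(hmac(key, p[0] + "." + p[1]), DEC.decode(p[2]))) return "REJECT signature";
            // Regex lookup keeps the demo dependency-free; production code uses a JSON parser.
            Matcher m = Pattern.compile("\"exp\":(\\d+)").matcher(new String(DEC.decode(p[1]), UTF_8));
            if (!m.find() || Long.parseLong(m.group(1)) <= now) return "REJECT expired";
            return "ACCEPT";
        } catch (Exception e) { return "REJECT malformed"; }
    }
    public static void main(String[] args) throws Exception {
        byte[] key = "constructed-demo-secret-32-bytes".getBytes(UTF_8); // constructed secret
        long now = 1_700_000_000L;                                       // constructed clock
        String token = issue(key, "alice", now + 300);                   // 5-minute access token
        String[] p = token.split("\\.");
        String forged = p[0] + "." + b64("{\"sub\":\"admin\",\"exp\":" + (now + 300) + "}") + "." + p[2];
        System.out.println(check(key, token, now));       // valid token
        System.out.println(check(key, forged, now));      // payload swapped, old signature
        System.out.println(check(key, token, now + 301)); // expired: client uses its refresh token
    }
}
```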