Sharing Top Content from the Angular-sphere.

Spring REST API + OAuth2 + AngularJS

  • When the client application needs to acquire an Access Token, it will do so after a simple form-login driven auth process:

    A quick note here is that the form login configuration isn’t necessary for the Password flow – only for the Implicit flow – so you may be able to skip it depending on what OAuth2 flow you’re using.

  • Next, we will configure our TokenStore to access the same database that authorization server uses to store access tokens:

    Note that, for this simple implementation, we’re sharing the SQL backed token store even though the Authorization and Resource servers are separate applications.

  • Let’s start with the two simple pages – “index” and “login”; once a user provides their credentials, the front-end JS client uses them to acquire an Access Token from Authorization Server.
  • Here is our simple index page:

    As we will need to authorize our requests to the resource using our access token, we will append a simple authorization header with access token:

    If no cookie is found, the user will be redirected to login page.

  • Our client application is a separate module that tries to access resources server after obtaining an access token from authorization server using implicit grant flow.

Learn how to set up OAuth2 for a Spring REST API and how to consume that from an AngularJS client.

@baeldung: Spring REST API + OAuth2 + AngularJS: (from the archives)

1. Overview

In this tutorial, we’ll secure a REST API with OAuth and consume it from a simple AngularJS client.

The application we’re going to build out will consist of four separate modules:

2. The Authorization Server

First, let’s start setting up an Authorization Server as a simple Spring Boot application.

2.1. Maven Configuration

We’ll set up the following set of dependencies:

Note that we’re using spring-jdbc and MySQL because we’re going to use a JDBC backed implementation of the token store.

2.2. @EnableAuthorizationServer

Now, let’s start configuring the authorization server responsible for managing access tokens:

@Configuration @EnableAuthorizationServer public class AuthServerOAuth2Config extends AuthorizationServerConfigurerAdapter { @Autowired @Qualifier(“authenticationManagerBean”) private AuthenticationManager authenticationManager; @Override public void configure( AuthorizationServerSecurityConfigurer oauthServer) throws Exception { oauthServer .tokenKeyAccess(“permitAll()”) .checkTokenAccess(“isAuthenticated()”); } @Override public void configure(ClientDetailsServiceConfigurer clients) throws Exception { clients.jdbc(dataSource()) .withClient(“sampleClientId”) .authorizedGrantTypes(“implicit”) .scopes(“read”) .autoApprove(true) .and() .withClient(“clientIdPassword”) .secret(“secret”) .authorizedGrantTypes( “password”,”authorization_code”, “refresh_token”) .scopes(“read”); } @Override public void configure( AuthorizationServerEndpointsConfigurer endpoints) throws Exception { endpoints .tokenStore(tokenStore()) .authenticationManager(authenticationManager); } @Bean public TokenStore tokenStore() { return new JdbcTokenStore(dataSource()); } }

Note that:

2.3. Data Source Configuration

Next, let’s configure our data source to be used by the JdbcTokenStore:

@Value(“classpath:schema.sql”) private Resource schemaScript; @Bean public DataSourceInitializer dataSourceInitializer(DataSource dataSource) { DataSourceInitializer initializer = new DataSourceInitializer(); initializer.setDataSource(dataSource); initializer.setDatabasePopulator(databasePopulator()); return initializer; } private DatabasePopulator databasePopulator() { ResourceDatabasePopulator populator = new ResourceDatabasePopulator(); populator.addScript(schemaScript); return populator; } @Bean public DataSource dataSource() { DriverManagerDataSource dataSource = new DriverManagerDataSource(); dataSource.setDriverClassName(env.getProperty(“jdbc.driverClassName”)); dataSource.setUrl(env.getProperty(“jdbc.url”)); dataSource.setUsername(env.getProperty(“jdbc.user”)); dataSource.setPassword(env.getProperty(“jdbc.pass”)); return dataSource; }

Note that, as we are using JdbcTokenStore we need to initialize database schema, so we used DataSourceInitializer – and the following SQL schema:

drop table if exists oauth_client_details; create table oauth_client_details ( client_id VARCHAR(255) PRIMARY KEY, resource_ids VARCHAR(255), client_secret VARCHAR(255), scope VARCHAR(255), authorized_grant_types VARCHAR(255), web_server_redirect_uri VARCHAR(255), authorities VARCHAR(255), access_token_validity INTEGER, refresh_token_validity INTEGER, additional_information VARCHAR(4096), autoapprove VARCHAR(255) ); drop table if exists oauth_client_token; create table oauth_client_token ( token_id VARCHAR(255), token LONG VARBINARY, authentication_id VARCHAR(255) PRIMARY KEY, user_name VARCHAR(255), client_id VARCHAR(255) ); drop table if exists oauth_access_token; create table oauth_access_token ( token_id VARCHAR(255), token LONG VARBINARY, authentication_id VARCHAR(255) PRIMARY KEY, user_name VARCHAR(255), client_id VARCHAR(255), authentication LONG VARBINARY, refresh_token VARCHAR(255) ); drop table if exists oauth_refresh_token; create table oauth_refresh_token ( token_id VARCHAR(255), token LONG VARBINARY, authentication LONG VARBINARY ); drop table if exists oauth_code; create table oauth_code ( code VARCHAR(255), authentication LONG VARBINARY ); drop table if exists oauth_approvals; create table oauth_approvals ( userId VARCHAR(255), clientId VARCHAR(255), scope VARCHAR(255), status VARCHAR(10), expiresAt TIMESTAMP, lastModifiedAt TIMESTAMP ); drop table if exists ClientDetails; create table ClientDetails ( appId VARCHAR(255) PRIMARY KEY, resourceIds VARCHAR(255), appSecret VARCHAR(255), scope VARCHAR(255), grantTypes VARCHAR(255), redirectUrl VARCHAR(255), authorities VARCHAR(255), access_token_validity INTEGER, refresh_token_validity INTEGER, additionalInformation VARCHAR(4096), autoApproveScopes VARCHAR(255) );

Note that we don’t necessarily need the explicit DatabasePopulator bean – we could simply use a schema.sql – which Spring Boot makes use of by default.

2.4. Security Configuration

Finally, let’s secure the Authorization Server.

When the client application needs to acquire an Access Token, it will do so after a simple form-login driven auth process:

@Configuration public class ServerSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { auth.inMemoryAuthentication() .withUser(“john”).password(“123”).roles(“USER”); } @Override @Bean public AuthenticationManager authenticationManagerBean() throws Exception { return super.authenticationManagerBean(); } @Override protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests() .antMatchers(“/login”).permitAll() .anyRequest().authenticated() .and() .formLogin().permitAll(); } }

A quick note here is that the form login configuration isn’t necessary for the Password flow – only for the Implicit flow – so you may be able to skip it depending on what OAuth2 flow you’re using.

3. The Resource Server

Now, let’s discuss the resource server; this is essentially the REST API which we ultimately want to be able to consume.

3.1. Maven Configuration

Our Resource Server configuration is the same as the previous Authorization Server application configuration.

3.2. Token Store Configuration

Next, we will configure our TokenStore to access the same database that authorization server uses to store access tokens:

@Autowired private Environment env; @Bean public DataSource dataSource() { DriverManagerDataSource dataSource = new DriverManagerDataSource(); dataSource.setDriverClassName(env.getProperty(“jdbc.driverClassName”)); dataSource.setUrl(env.getProperty(“jdbc.url”)); dataSource.setUsername(env.getProperty(“jdbc.user”)); dataSource.setPassword(env.getProperty(“jdbc.pass”)); return dataSource; } @Bean public TokenStore tokenStore() { return new JdbcTokenStore(dataSource()); }

Note that, for this simple implementation, we’re sharing the SQL backed token store even though the Authorization and Resource servers are separate applications.

The reason, of course, is that the Resource Server needs to be able to check the validity of the access tokens issued by the Authorization Server.

3.3. Remote Token Service

Instead of using a TokenStore in our Resource Server, we can use RemoteTokeServices:

@Primary @Bean public RemoteTokenServices tokenService() { RemoteTokenServices tokenService = new RemoteTokenServices(); tokenService.setCheckTokenEndpointUrl( “http://localhost:8080/spring-security-oauth-server/oauth/check_token”); tokenService.setClientId(“fooClientIdPassword”); tokenService.setClientSecret(“secret”); return tokenService; }

Note that:

3.4. A Sample Controller

Next, let’s implement a simple controller exposing a Foo resource:

@Controller public class FooController { @PreAuthorize(“#oauth2.hasScope(‘read’)”) @RequestMapping(method = RequestMethod.GET, value = “/foos/{id}”) @ResponseBody public Foo findById(@PathVariable long id) { return new Foo(Long.parseLong(randomNumeric(2)), randomAlphabetic(4)); } }

Note how the client needs the “read” scope to access this Resource.

We also need to enable global method security and configure MethodSecurityExpressionHandler:

@Configuration @EnableResourceServer @EnableGlobalMethodSecurity(prePostEnabled = true) public class OAuth2ResourceServerConfig extends GlobalMethodSecurityConfiguration { @Override protected MethodSecurityExpressionHandler createExpressionHandler() { return new OAuth2MethodSecurityExpressionHandler(); } }

And here’s our basic Foo Resource:

public class Foo { private long id; private String name; }

3.5. Web Configuration

Finally, let’s set up a very basic web configuration for the API:

@Configuration @EnableWebMvc @ComponentScan({ “org.baeldung.web.controller” }) public class ResourceWebConfig extends WebMvcConfigurerAdapter {}

4. Front end – Password Flow

We’re now going to look at a simple front-end AngularJS implementation for the client.

We’re going to be using the OAuth2 Password flow here – which is why this is just a proof of concept, not a production ready application. You’ll notice that the client credentials are exposed to the front end – which is something we’ll address in a future article.

Let’s start with the two simple pages – “index” and “login”; once a user provides their credentials, the front-end JS client uses them to acquire an Access Token from Authorization Server.

4.1. Login Page

Here is our simple login page:

Login

Login

4.2. Obtain Access Token

Now, let’s see how to obtain our access token:

var app = angular.module(‘myApp’, [“ngResource”,”ngRoute”,”ngCookies”]); app.controller(‘mainCtrl’, function($scope, $resource, $http, $httpParamSerializer, $cookies) { $scope.data = { grant_type:”password”, username: “”, password: “”, client_id: “clientIdPassword” }; $scope.encoded = btoa(“clientIdPassword:secret”); $scope.login = function() { var req = { method: ‘POST’, url: “http://localhost:8080/spring-security-oauth-server/oauth/token”, headers: { “Authorization”: “Basic ” + $scope.encoded, “Content-type”: “application/x-www-form-urlencoded; charset=utf-8” }, data: $httpParamSerializer($scope.data) } $http(req).then(function(data){ $http.defaults.headers.common.Authorization = ‘Bearer ‘ + data.data.access_token; $cookies.put(“access_token”, data.data.access_token); window.location.href=”index”; }); } });

Note that:

The cookie storage is especially important here, because we’re only using the cookie for storage purposes and not to drive the authentication process directly. This helps protect against cross-site request forgery (CSRF) type of attacks and vulnerabilities.

4.3. The Index Page

Here is our simple index page:

Foo Details

{{foo.id}} {{foo.name}} New Foo

4.4. Authorize Client Requests

As we will need to authorize our requests to the resource using our access token, we will append a simple authorization header with access token:

var isLoginPage = window.location.href.indexOf(“login”) != -1; if(isLoginPage){ if($cookies.get(“access_token”)){ window.location.href = “index”; } } else{ if($cookies.get(“access_token”)){ $http.defaults.headers.common.Authorization = ‘Bearer ‘ + $cookies.get(“access_token”); } else{ window.location.href = “login”; } }

If no cookie is found, the user will be redirected to login page.

5. Front End – Implicit Grant

Now, let’s take a look at our client application that uses the implicit grant.

Our client application is a separate module that tries to access resources server after obtaining an access token from authorization server using implicit grant flow.

5.1. Maven Configuration

Here are pom.xml dependencies:

Note: we didn’t need OAuth dependency – as we will handle it using AngularJS directive OAuth-ng which can connect to OAuth2 server with implicit grant flow.

5.2. Web Configuration

And here is our simple web configuration:

@Configuration @EnableWebMvc public class UiWebConfig extends WebMvcConfigurerAdapter { @Bean public static PropertySourcesPlaceholderConfigurer propertySourcesPlaceholderConfigurer() { return new PropertySourcesPlaceholderConfigurer(); } @Override public void configureDefaultServletHandling( DefaultServletHandlerConfigurer configurer) { configurer.enable(); } @Override public void addViewControllers(ViewControllerRegistry registry) { super.addViewControllers(registry); registry.addViewController(“/index”); registry.addViewController(“/oauthTemplate”); } @Override public void addResourceHandlers(ResourceHandlerRegistry registry) { registry.addResourceHandler(“/resources/**”) .addResourceLocations(“/resources/”); } }

5.3. The Home Page

Next, here is our home page:

OAuth-ng directive needs:

Note how we’re using the OAuth-ng directive to obtain the Access Token.

Also, here’s the simple oauthTemplate.html:

5.4. AngularJS App

And here is our AngularJS app:

var app = angular.module(‘myApp’, [“ngResource”,”ngRoute”,”oauth”]); app.config(function($locationProvider) { $locationProvider.html5Mode({ enabled: true, requireBase: false }).hashPrefix(‘!’); }); app.controller(‘mainCtrl’, function($scope,$resource,$http) { $scope.$on(‘oauth:login’, function(event, token) { $http.defaults.headers.common.Authorization= ‘Bearer ‘ + token.access_token; }); $scope.foo = {id:0 , name:”sample foo”}; $scope.foos = $resource( “http://localhost:8080/spring-security-oauth-resource/foos/:fooId”, {fooId:’@id’}); $scope.getFoo = function(){ $scope.foo = $scope.foos.get({fooId:$scope.foo.id}); } });

Note how, after obtaining the Access Token, we’re using it via the Authorization header whenever we consume protected resources from within the Resource Server.

6. Conclusion

We learned how to authorize our application using OAuth2.

The full implementation of this tutorial can be found in the GitHub project – this is an Eclipse based project, so it should be easy to import and run as it is.

Hey Johny – so that depends on if the Resource Server is issuing refresh tokens (or not). If not – then you really don’t have any other option than go through the process again and get a new token. That’s of course going to inform your decision regarding the expiration period for these access tokens. But – if you do have refresh tokens – than you’ll use that to get a new access token. That way – access tokens can be very short-lived and it’s only the refresh token that is longer lived.

Of course that also leads into things like – how do you store the refresh token safely, etc – but that’s way beyond this introductory article. I’m considering making that – Advanced API Security – a topic for my next webinar (I’m getting a lot of questions similar to yours). But – for now – hope that helps. Cheers,

I have a question is a CSRF-protection is needed in BackEnd security when I don’t use cookie from the FrontEnd Client (just sending requests in the header)?

They take the body-json data sent back from server, they parse it to get the AccessToken and then every client has it own way to save it :

So if I have a good understanding “and I hope”, I think that communication from client to its server using headers is quite secure, but we only have to care about how to secure the storage placement of the Access-Token whether our client is a browser or mobile.

I ask you this question because I knew that before the communication from the client to the server was a cookie-based “using JSession ” and sending this cookie for every request. But when I use the OAuth password flow everything has to change, and I think that we don’t need a CSRF security but we only need to protect the token saved on the client side.

This post was very helpful to me, thank you!

Sorry for the late response – I’ve been focused on the launch during these past couple of weeks.

1. That’s an interesting idea; no – I haven’t detailed the tables in any lesson but I’m adding it on the bonus lessons list.

2. Let’s take a step back here and start with a few notes.

Second – you can of course also fully control the authorization that’s required to hit the endpoint (including allowing only admins to hit it).

Now, coming back to the scenario you’re thinking of – if an Access Token is exposed, then the attacker would be able to use it to consume the API (as long as the token is valid). So – if that happens, the problem isn’t going to be this endpoint, but the entire system.

And if they try to “guess” a token from scratch, that’s not going to be a good attack vector. For one – an attacker just generating a token and then checking if it’s valid that would simply be a brute-force attack.

And of course they’d still need to know the user credentials as well – and if they know these, they can simply generate their own tokens, they don’t need to check existing one.

Spring REST API + OAuth2 + AngularJS

Comments are closed, but trackbacks and pingbacks are open.