To use the access token you need a Resource Server (which can be the same as the
Authorization Server). Creating a Resource Server is easy, just add
@EnableResourceServer
and provide some configuration to allow the server to decode
access tokens. If your application is also an Authorization Server it already knows how
to decode tokens, so there is nothing else to do. If your app is a standalone service then
you need to give it some more configuration, one of the following options:
security.oauth2.resource.user-info-uri
to use the /me
resource (e.g.
https://uaa.run.pivotal.io/userinfo
on Pivotal Web Services (PWS))
security.oauth2.resource.token-info-uri
to use the token decoding endpoint (e.g.
https://uaa.run.pivotal.io/check_token
on PWS).
If you specify both the user-info-uri
and the token-info-uri
then you can set a flag
to say that one is preferred over the other (prefer-token-info=true
is the default).
Alternatively (instead of user-info-uri
or token-info-uri
) if the tokens are JWTs you
can configure a security.oauth2.resource.jwt.key-value
to decode them locally (where the
key is a verification key). The verification key value is either a symmetric secret or
PEM-encoded RSA public key. If you don’t have the key and it’s public you can provide a
URI where it can be downloaded (as a JSON object with a “value” field) with
security.oauth2.resource.jwt.key-uri
. E.g. on PWS:
$ curl https://uaa.run.pivotal.io/token_key {"alg":"SHA256withRSA","value":"-----BEGIN PUBLIC KEY-----\nMIIBI...\n-----END PUBLIC KEY-----\n"}
Additionally, if your authorization server has an endpoint that returns a set of JSON Web
Keys(JWKs), you can configure security.oauth2.resource.jwk.key-set-uri
. E.g. on PWS:
$ curl https://uaa.run.pivotal.io/token_keys {"keys":[{"kid":"key-1","alg":"RS256","value":"-----BEGIN PUBLIC KEY-----\nMIIBI...\n-----END PUBLIC KEY-----\n"]}
Note | |
---|---|
Configuring both JWT and JWK properties will cause an error. Only one of
|
Warning | |
---|---|
If you use the |
OAuth2 resources are protected by a filter chain with order
security.oauth2.resource.filter-order
and the default is after the filter protecting the
actuator endpoints by default (so actuator endpoints will stay on HTTP Basic unless you
change the order).