Tokens, OAuth2 and JWT in a Spring API (RWS - Module 6 - Lesson 3)
Learn how to move from a basic Spring Security OAuth2 config to use JSON Web Tokens and how to work with JWT when consuming the API.
This lesson is part of "REST With Spring" - Module 6 (Advanced API Security) - Lesson 3: http://youtube.restwithspring.com
For the entire "REST With Spring" series: https://www.youtube.com/playli....st?list=PLjXUjSTUHs0
## Lesson Notes
# Token Implementations
*SAML (or the WS-\* space)*
- XML based
- many encryption and signing options
- expressive but you need a pretty advanced XML stack
*Simple Web Token*
- joint venture between Microsoft, Google, Yahoo
- created as a direct reaction to SAML, with the goal of a much simpler token format
- too simple: not enough cryptographic options (symmetric signing only)
*JWT (JSON Web Tokens)*
- the idea is that you are representing the token using JSON (widely supported)
- symmetric and asymmetric signatures and encryption
- fewer options / less flexibility than SAML, but more than SWT
- JWT hit the sweet spot and became widely adopted pretty quickly
- JWT - an emerging protocol (very close to standardization)
# JWT structure
A JWT has 2 parts:
- Header: metadata + info about the algorithms / keys used
- Claims: Reserved Claims (issuer, audience, issued at, expiration, subject, etc.) + Application-specific Claims
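The structure above in working code, as an added example that is not part of the course material: it builds a symmetrically signed (HS256) JWT from a constructed header and claims set, then performs the checks a Resource Server has to apply before it trusts the claims (pinned algorithm, constant-time signature comparison, expiry). The signing key, the claims and the "current time" are constructed for the demo, and the `field` helper is a regex stand-in for a real JSON parser.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class JwtHs256Demo {

    // Constructed sample signing key for this example only; a real key comes
    // from external configuration, never from source code.
    static final String SIGNING_KEY = "example-shared-signing-key-change-me";

    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder B64D = Base64.getUrlDecoder();

    // Compact JWS: base64url(header) . base64url(claims) . base64url(HMAC-SHA256)
    static String sign(String headerJson, String claimsJson, String key) throws Exception {
        String signingInput = b64(headerJson) + "." + b64(claimsJson);
        return signingInput + "." + B64.encodeToString(hmac(signingInput, key));
    }

    // Verify algorithm, signature and expiry; return the claims JSON or throw.
    static String verify(String token, String key, long nowEpochSeconds) throws Exception {
        String[] parts = token.split("\\.");
        if (parts.length != 3) throw new SecurityException("expected header.claims.signature");

        String header = new String(B64D.decode(parts[0]), StandardCharsets.UTF_8);
        // Pin the algorithm: the verifier decides which algorithm is acceptable,
        // the token's own "alg" value is only checked against that decision.
        if (!"HS256".equals(field(header, "alg"))) throw new SecurityException("unexpected alg in " + header);

        byte[] expected = hmac(parts[0] + "." + parts[1], key);
        byte[] actual = B64D.decode(parts[2]);
        if (!MessageDigest.isEqual(expected, actual)) throw new SecurityException("bad signature");

        String claims = new String(B64D.decode(parts[1]), StandardCharsets.UTF_8);
        String exp = field(claims, "exp");
        if (exp == null || Long.parseLong(exp) <= nowEpochSeconds) throw new SecurityException("token expired");
        return claims;
    }

    // Minimal field extraction for the flat demo JSON; a real service uses a JSON parser.
    static String field(String json, String name) {
        Matcher m = Pattern.compile("\"" + name + "\"\\s*:\\s*\"?([^\",}]+)\"?").matcher(json);
        return m.find() ? m.group(1) : null;
    }

    static byte[] hmac(String data, String key) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key.getBytes(StandardCharsets.UTF_8), "HmacSHA256"));
        return mac.doFinal(data.getBytes(StandardCharsets.US_ASCII));
    }

    static String b64(String s) {
        return B64.encodeToString(s.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        long now = 1_700_000_000L; // constructed "current time" so the run is reproducible
        String header = "{\"alg\":\"HS256\",\"typ\":\"JWT\"}";
        // Reserved claims (iss, aud, sub, iat, exp) plus one application-specific claim (scope)
        String claims = "{\"iss\":\"auth-server\",\"aud\":\"api\",\"sub\":\"alice\","
                + "\"iat\":" + now + ",\"exp\":" + (now + 3600) + ",\"scope\":\"read\"}";

        String token = sign(header, claims, SIGNING_KEY);
        System.out.println("token:  " + token);
        System.out.println("claims: " + verify(token, SIGNING_KEY, now));

        // A modified claims segment no longer matches the signature and is rejected
        String[] p = token.split("\\.");
        String tampered = p[0] + "." + b64(claims.replace("\"sub\":\"alice\"", "\"sub\":\"admin\"")) + "." + p[2];
        try {
            verify(tampered, SIGNING_KEY, now);
        } catch (SecurityException e) {
            System.out.println("tampered token rejected: " + e.getMessage());
        }
        // A Resource Server configured with a different shared key also rejects the token
        try {
            verify(token, "some-other-key", now);
        } catch (SecurityException e) {
            System.out.println("wrong key rejected: " + e.getMessage());
        }
    }
}
```

The signature is computed over the two base64url segments exactly as they appear in the token, which is why the verifier re-signs `parts[0] + "." + parts[1]` rather than re-encoding the decoded JSON.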
# JWT with Spring Security OAuth
*For the Authorization Server:*
- we’re defining the JwtAccessTokenConverter bean and the JwtTokenStore
- we’re also configuring the endpoint to use the new converter
Note that we're using symmetric signing - with a shared signing key.
*For the Resource Server:*
- we should define the converter here as well, using the same signing key
Note that here we don't have to, because we're actually sharing the same Spring context in this case.
If the Authorization Server had been a separate app, then we would have needed this converter as well, configured exactly the same way on both sides (same signing key).
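The two configurations described above, written out as an added example (not the course's own code) for the case where the Authorization Server and the Resource Server are separate applications: both define a `JwtAccessTokenConverter` with the same symmetric signing key and a `JwtTokenStore` around it. The property name `jwt.signing-key`, the placeholder client credentials and the assumption that an `AuthenticationManager` bean is exposed elsewhere in the context are all assumptions of this example. When both servers live in one Spring context, as in the lesson, only the Authorization Server's beans are defined and the Resource Server picks them up.

```java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;

// Authorization Server application: issues the signed JWTs.
@Configuration
@EnableAuthorizationServer
class AuthServerConfig extends AuthorizationServerConfigurerAdapter {

    // Shared symmetric signing key, assumed to be injected from external config.
    // The same value must reach every Resource Server that verifies these tokens.
    @Value("${jwt.signing-key}")
    private String signingKey;

    private final AuthenticationManager authenticationManager;

    // Assumed to be exposed as a bean by the web security configuration
    AuthServerConfig(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }

    @Bean
    public JwtAccessTokenConverter accessTokenConverter() {
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        converter.setSigningKey(signingKey); // HMAC: sign and verify with the same key
        return converter;
    }

    @Bean
    public TokenStore tokenStore() {
        // JwtTokenStore keeps no server-side state; the token itself carries the claims
        return new JwtTokenStore(accessTokenConverter());
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
        // Point the token endpoint at the JWT store and the converter
        endpoints.tokenStore(tokenStore())
                 .accessTokenConverter(accessTokenConverter())
                 .authenticationManager(authenticationManager);
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        // Placeholder client; "{noop}" assumes Spring Security 5's DelegatingPasswordEncoder
        clients.inMemory()
               .withClient("client-id-placeholder")
               .secret("{noop}client-secret-placeholder")
               .authorizedGrantTypes("password", "refresh_token")
               .scopes("read", "write");
    }
}

// Resource Server application: verifies the JWTs it receives on each request.
@Configuration
@EnableResourceServer
class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    @Value("${jwt.signing-key}")
    private String signingKey;

    @Bean
    public JwtAccessTokenConverter accessTokenConverter() {
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        converter.setSigningKey(signingKey); // must be identical to the Authorization Server's key
        return converter;
    }

    @Bean
    public TokenStore tokenStore() {
        return new JwtTokenStore(accessTokenConverter());
    }

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        // Tokens are validated locally from the JWT signature; no call back to the
        // Authorization Server is needed, which is the point of using a JwtTokenStore.
        resources.tokenStore(tokenStore());
    }
}
```

Because verification is local, rotating the shared key means updating it on every Resource Server at the same time as on the Authorization Server; tokens signed with the old key stop validating as soon as a Resource Server switches.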
To learn more about REST Security and how to properly implement OAuth2 and JWT within a Spring API, check out the full course:
http://youtube.restwithspring.com
Enjoy.