Gain insights into Oauth2 and Spring Security, learn about various grant types, and practice hands-on exercises to configure robust authentication systems effectively.

oauth.tar.gz

Oauth

If you’re curious about getting started with Oauth2 and Spring Security then you’re in the right place. This course will show you what Oauth2 is, why it’s important, and how to use it effectively. 

You’ll start with an overview of Oauth2 in general and then explore the different types of grants including password grants, authorization grants, refresh token grants, and more. All these concepts are backed by hands-on exercises, so you’ll get to practice creating cross-origin resource sharing policies, custom user-principal, and configuration of the authorization server to send login credentials via JSON. 

By the end of this course, you will have the foundations in place to add a proper authentication system to your application.

Oauth2 with Spring Security

The authorization code grant is used by confidential and public clients to exchange an authorization code for an access token.

# Step one

The client redirects the user to the authorization server appending the following parameters as a query string:

- `response type`
- `client_id`
- `redirect_uri`
- `scope`
- `state`

```
http://authserveraddress/?response_type=code&client_id=<client identifier>&redirect_uri=<the url to redirect to>&scope=<space delimited list of scopes>&state=<state parameter>
```

These parameters will be checked by the *authorization server*.

At this point, the user will be prompted to enter his login credentials.

If the user completes the login form successfully, the client will be redirected from the authorization server to the client (to the redirect URI) with the following parameters in the query string:

- `code`
- `state`

```
http://redirecturi/?code=<auth code>&state=<state param>
```

# Step two

The client sends a POST request to the authorization server with these parameters:

- `grant_type` (contains the authorization code)

- `client_id` (contains the client identifier)
- `client_secret` (contains the client secret)
- `redirect_uri` (contains the same redirect URI the user was redirect back to)
- `code` (represents the authorization code from the query string)

The authorization server answers with a JSON object that contains these properties:

- `token_type`, which is usually "Bearer"

- `expires_in` represents the amount of time after which the token will expire
- `access_token` the access token itself
- `refresh_token` is used to gain a new access token when the previous one expires

```json
{
  "token_type": "Bearer",
  "expires_in": "3600",
  "access_token": "the access token",
  "refresh_token": "the refresh token"
}
```

Learn how an authorization code grant can be used for getting an access token. 

Introduction

Theory

Practice

Quiz

Conclusion

Authorization Code