Gain insights into Oauth2 and Spring Security, learn about various grant types, and practice hands-on exercises to configure robust authentication systems effectively.

oauth.tar.gz

Oauth

If you’re curious about getting started with Oauth2 and Spring Security then you’re in the right place. This course will show you what Oauth2 is, why it’s important, and how to use it effectively. 

You’ll start with an overview of Oauth2 in general and then explore the different types of grants including password grants, authorization grants, refresh token grants, and more. All these concepts are backed by hands-on exercises, so you’ll get to practice creating cross-origin resource sharing policies, custom user-principal, and configuration of the authorization server to send login credentials via JSON. 

By the end of this course, you will have the foundations in place to add a proper authentication system to your application.

Oauth2 with Spring Security

A refresh token is similar to the access token. It’s issued to the client by the authorization server, and it’s of no importance to the client what the contents of the token are. The difference is that the refresh token is not issued to be sent to the resource server. Instead, it’s used to request a new access token without the user being redirected.

## Request

- The client sends a POST request with the following body parameters to the authorization server:
  - `grant_type` contains the value *refresh_token*

  - `refresh_token` contains the refresh token itself
  - `client_id` contains the ID of the client
  - `client_secret` contains the client secret
  - `scope` a space-delimited list of requested scope permissions (optional)

If no scope is provided, the default is used.

## Response

The authorization server will respond with a JSON object that looks like this:

```json
{
  "token_type": "Bearer",
  "expires_in": "<the time after the token is expired>",
  "access_token": "<the access token itself>",
  "refresh_token": "<the refresh token>"
}
```



A refresh token is similar to the access token. It’s issued to the client by the authorization server, and it’s of no importance to the client what the contents of the token are. The difference is that the refresh token is not issued to be sent to the resource server. Instead, it’s used to request a new access token without the user being redirected.

# Request

- The client sends a POST request with the following body parameters to the authorization server:
  - `grant_type` contains the value *refresh_token*

  - `refresh_token` contains the refresh token itself
  - `client_id` contains the ID of the client
  - `client_secret` contains the client secret
  - `scope` a space-delimited list of requested scope permissions (optional)

If no scope is provided, the default is used.

# Response

The authorization server will respond with a JSON object that looks like this:

```json
{
  "token_type": "Bearer",
  "expires_in": "<the time after the token is expired>",
  "access_token": "<the access token itself>",
  "refresh_token": "<the refresh token>"
}
```



Get familiar with the use of refresh token grant and the State parameter in this lesson. 

Introduction

Theory

Practice

Quiz

Conclusion

Refresh Token Grant