Escolar Documentos
Profissional Documentos
Cultura Documentos
The client credentials flow is recommended for using when machine to machine authentication
is required. The application needs to store the clientID, secret and pass those to Okta in
exchange for an access token. In client credentials flow, the application passes its client
credentials to Okta authorization server. And then, If the credentials are correct, Okta server
respond an access token.
Set up your authorization server
Okta can be used as an Authorization server for implementing client credentials flow. To create
a Okta account, you can sign up to Okta using this link developer.okta.com
Keep a note on the okta URL which is shown after signed up to okta.
Then, you will receive an email from Okta with a temporary password.
Click on the Sign In button and sign in with the username and temporary password. After that,
enter the new password and other information and click on Create My Account
Click on the application tab the okta dashboard and click Add Application button to add a new
application.
Select on Service machine to machine button and click Next
Give a name to the service and then you will see the application details.
You will need these Client Credential details in the next steps.
And you need to create a custom scope since Client Credential never has a user context
That’s why you must create a custom scope.
Click on the Scope tab and click on Add Scope button to add a scope. Give a name and
description for the scope and click Create button.
Now you can check the authorization server /token endpoint using postman by sending a
request with Basic Auth.
curl --request POST \
--url https://dev-945334.oktapreview.com/oauth2/default/v1/token \
--header 'accept: application/json' \
--header 'authorization: Basic MG9hY...' \
--header 'cache-control: no-cache' \
--header 'content-type: application/x-www-form-urlencoded' \
--data
'grant_type=client_credentials&redirect_uri=http%3A%2F%2Flocalhost%3A8080&
scope=customScope'
When you send the request to the Authorization Server, it will respond the following access
token if the credentials are accurate.
{
"access_token":
"eyJraWQiOiJQaXFRUlktMnROdzVfSUVyNWkwVGlmVjJ4X19jMXNUd2JqbEpDVUdhdG84Iiwi
YWxnIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULi1vSjZ1M2FzSEotcXdXUENFUC1NbUcxcjdl
bFNTYU5IRkxrSHJoeHN2ZU0iLCJpc3MiOiJodHRwczovL2Rldi05NDUzMzQub2t0YXByZXZpZX
cuY29tL29hdXRoMi9kZWZhdWx0IiwiYXVkIjoiYXBpOi8vZGVmYXVsdCIsImlhdCI6MTUzMDI0O
DY4NSwiZXhwIjoxNTMwMjUyMjg1LCJjaWQiOiIwb2FmbTdsOWowSUVkTmx3aTBoNyIsInNjcC
I6WyJjdXN0b21TY29wZSJdLCJzdWIiOiIwb2FmbTdsOWowSUVkTmx3aTBoNyJ9.Fb_PkFNHm
tn1Iwz9vIe8u2ngBw1qzkwqaiuOI0oJOmztjPxl9u5niqc2cgthU7bB5SUBVVqYpodRoDaIOMrjBwI
aPNCnOKuFiRoJtQ2C1tDTwUT9ENSgbUQwBFs3fznr8s75W5MCdmIn21mlM9nsKnKbAGXfhY
cMBjFWu8v9d-ZE38TkYMh1opjp0AvpNaBgU5qiRd335CrDm3Rv4Yx5CmX5J4cO97Dc68FDK-
sFFaIRuNjgUxNjyS5fSx5lNxm9NCPloTXySDhpZeRvqMPMYPGpStEi0rCGpC-
zrvbYy7DJOuMA5_Nf-yHMxUaDUYZrjdMZArhm3qN9J9b97LYAaA",
"token_type": "Bearer",
"expires_in": 3600,
"scope": "customScope"
}
To implement sample client credential application, I will create a Spring Boot server application
and Client application.
The server application which is a resource server (API Service) is a simple and consist of a
single /mod end point.
Create Resource server app
Create Spring Boot project with security and web as dependencies and then add one more
dependency to the pom.xml file
<dependency>
<groupId>org.springframework.security.oauth.boot</groupId>
<artifactId>spring-security-oauth2-autoconfigure</artifactId>
<version>2.0.0.RELEASE</version>
</dependency>
Add server application to include @EnableResourceServer annotation and add a simple
Rest Controller
@EnableResourceServer
@SpringBootApplication
public class ServerApplication {
public static void main(String[] args) {
SpringApplication.run(ServerApplication.class, args);
}
/**
* Allows for @PreAuthorize annotation processing.
*/
@EnableGlobalMethodSecurity(prePostEnabled = true)
protected static class GlobalSecurityConfiguration extends
GlobalMethodSecurityConfiguration {
@Override
protected MethodSecurityExpressionHandler
createExpressionHandler() {
return new OAuth2MethodSecurityExpressionHandler();
}
}
@RestController
public class MessageOfTheDayController {
@GetMapping("/mod")
@PreAuthorize("#oauth2.hasScope('custom_mod')")
public String getMessageOfTheDay(Principal principal) {
return "Hello, Good morning: " +
principal.getName();
}
}
Then rename application.properties file to application.yml and update it as follows
security:
oauth2:
client:
clientId: {client-id-from-above}
clientSecret: {client-secret-from-above}
resource:
tokenInfoUri: {issuer-uri-from-above}/v1/introspect
Now you can run the server application and you can try to access http://localhost:8080/mod.
it will respond with a, HTTP 401 UNAUTHORIZED
<dependency>
<groupId>org.springframework.security.oauth.boot</groupId>
<artifactId>spring-security-oauth2-
autoconfigure</artifactId>
<version>2.0.0.RELEASE</version>
</dependency>
@SpringBootApplication
public class DemoApplication implements CommandLineRunner {
@Bean
@ConfigurationProperties("example.oauth2.client")
protected ClientCredentialsResourceDetails oAuthDetails() {
return new ClientCredentialsResourceDetails();
}
@Bean
protected RestTemplate restTemplate() {
return new OAuth2RestTemplate(oAuthDetails());
}
@Override
public void run(String... args) {
logger.info("MOD: {}",
restTemplate().getForObject(serverBaseUrl + "/mod",
String.class));
}
}
Note:
The CommandLineRunner interface adds run method that will automatically called once
the application initialized. And the application will be exited after this method.
ClientCredentialsResourceDetails bean is bound to configuration properties:
example.oauth2.client
OAuth2RestTemplate in place of a standard RestTemplate this automatically manages
all the OAuth 2.0 access token exchange and sets the Authentication: Bearer header
value. Basically, it handles all the OAuth details.
Now you can run the client application and see the console output similar to below message
2018-06-29 11:43:20.396 INFO 63788 --- [ main] com.nishantha.demo.DemoApplication
: MOD: Hello, Good morning: 0oafls01eedXspzFG0h7