I am trying to configure a resource server in my Spring Boot Kotlin project. Basically, I have a bearer token, which is an opaque token that comes from a mobile app and is passed to my REST controller, and on the server side I need to authenticate against a custom authorization server (opaque token) with the URL https://**.com/oauth2/token

My current configuration is as below.

application.yml

spring:
  security:
    oauth2:
      resourceserver:
        opaquetoken:
          introspection-uri: https://****/oauth2/introspect
          client-id: XXXX
          client-secret: XXXX

@SpringBootApplication class DemoApplication

@RestController class HelloController {

@GetMapping("/hello")
fun hello(@AuthenticationPrincipal principal: OAuth2AuthenticatedPrincipal) = "hello ${principal.getAttribute<Any>("sub")}"

@GetMapping("/hello2")
fun hello2() = "hello2"

}

@Configuration class WebSecurityConfigurerAdapter2 : WebSecurityConfigurerAdapter() {

// Property keys must match application.yml, which uses "opaquetoken", not "opaque".
@Value("\${spring.security.oauth2.resourceserver.opaquetoken.introspection-uri}")
var introspectionUri: String? = null

@Value("\${spring.security.oauth2.resourceserver.opaquetoken.client-id}")
var clientId: String? = null

@Value("\${spring.security.oauth2.resourceserver.opaquetoken.client-secret}")
var clientSecret: String? = null

@Throws(Exception::class)
override fun configure(http: HttpSecurity) {
    http
            .authorizeRequests { authz ->
                authz
                        .antMatchers("/hello")
                        .authenticated()
            }
            .oauth2ResourceServer { oauth2: OAuth2ResourceServerConfigurer<HttpSecurity?> ->
                oauth2
                        .opaqueToken { token ->


                            val resourceDetails = ClientCredentialsResourceDetails()
                            resourceDetails.accessTokenUri = "https://****/oauth2/token"
                            resourceDetails.clientId = clientId
                            resourceDetails.clientSecret = clientSecret
                            resourceDetails.scope = listOf("hydra/*")

                            val restTemplate = OAuth2RestTemplate(resourceDetails)

                            token.introspector(NimbusOpaqueTokenIntrospector(introspectionUri, restTemplate))


                        }
            }
}

}

fun main(args: Array<String>) { runApplication<DemoApplication>(*args) }

Everything works fine and I am able to get the principal object after I make a call with the bearer token to GET http://localhost:8080/hello with Authorization Bearer, but I see that ClientCredentialsResourceDetails and OAuth2RestTemplate are deprecated. Is there any recent document or sample code for this custom auth server and introspection for REST?

I could not find any solution for this in the opaque token samples either.

Please suggest an alternative way to achieve it, or existing functionality that supports it.

Comment From: jzheaux

Thanks for getting in touch! It feels like this is a question that would be better suited to Stack Overflow, though please check out the documentation about opaque tokens. We prefer to use GitHub issues only for bugs and enhancements. Feel free to update this issue with a link to the re-posted question (so that other people can find it) or add more detail if you feel this is a genuine bug.

Comment From: sandeepvedavyas

Hello @jzheaux, thank you for looking into the issue. I have already posted it on Stack Overflow at https://stackoverflow.com/questions/64188835/how-to-to-configure-resource-server-with-custom-auth-server-for-token.

I even went through the documentation and the sample code at https://github.com/spring-projects/spring-security/tree/master/samples/boot/oauth2resourceserver-opaque. I couldn't find the solution, as ClientCredentialsResourceDetails and OAuth2RestTemplate are deprecated, so I thought of raising it as an enhancement to get support. Please redirect me to any document or sample where I can find this integration of resource server and auth for token.

Thanks, Sandeep

Comment From: sandeepvedavyas

@jgrandja any input on this issue, please? I couldn't figure it out myself.

Comment From: jgrandja

@sandeepvedavyas Please see this post.

The new OAuth 2.0 Client support is in Spring Security since 5.0. See the reference.

Comment From: sandeepvedavyas

@jgrandja thank you for the information. I have switched to Spring Security 5.4 and am trying to do something like the below:

package com.example.demo.config

import org.springframework.boot.autoconfigure.security.oauth2.resource.OAuth2ResourceServerProperties
import org.springframework.boot.context.properties.ConfigurationProperties
import org.springframework.boot.web.client.RestTemplateBuilder
import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
import org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer
import org.springframework.security.oauth2.server.resource.introspection.NimbusOpaqueTokenIntrospector
import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector
import org.springframework.web.client.RestTemplate

@Configuration class WebSecurityConfigurerAdapter2 : WebSecurityConfigurerAdapter() {

@Bean
@ConfigurationProperties("spring.security.oauth2.client")
protected fun oAuthDetails(): ClientCredentialsResourceDetails? {
    return ClientCredentialsResourceDetails()
}

@Bean
protected fun restTemplate(): RestTemplate? {
    return OAuth2RestTemplate(oAuthDetails())
}

@Bean
fun introspector(builder: RestTemplateBuilder, properties: OAuth2ResourceServerProperties): OpaqueTokenIntrospector? {

    return NimbusOpaqueTokenIntrospector(properties.opaquetoken.introspectionUri, restTemplate())
}

@Throws(Exception::class)
override fun configure(http: HttpSecurity) {
    http
            .authorizeRequests { authz ->
                authz
                        .antMatchers("/hello")
                        .authenticated()
            }
            .oauth2ResourceServer { oauth2: OAuth2ResourceServerConfigurer<HttpSecurity?> ->
                oauth2
                        .opaqueToken { token ->

                        }
            }
}

}

But I couldn't find the ClientCredentialsResourceDetails and OAuth2RestTemplate classes; in the old version these classes are deprecated. My requirement is: I get an opaque token from the mobile app, and I am trying to configure a resource server for authentication, but an extra requirement is that, with the client credentials below, I need to pass another authorization token so that I get the principal object. I am not configuring the client or the authorization server myself; it's a different project available at my company. I just need to create the resource server and complete the authentication flow, like custom server-to-server authentication with the opaque token from mobile and another that I acquire with the client credentials below.

spring:
  security:
    oauth2:
      client:
        access-token-uri: ${API_OAUTH_TOKEN_URL:https://*/oauth2/token}
        grant-type: "client_credentials"
        client-id: ${API_CLIENT_ID:}
        client-secret: ${API_CLIENT_SECRET:**}
        scope: "hydra/"

Please let me know if there are any samples or a different way to achieve it.

Comment From: jgrandja

I still see classes from Spring Security OAuth 2.x, e.g. OAuth2RestTemplate, ClientCredentialsResourceDetails.

Your code still needs to be migrated to Spring Security 5.x classes.

I provided you a link to the reference in a previous comment. Please go through it to understand the usage of client and resource server. It is all documented, so you will find it there.

Here are a couple of samples:

https://github.com/jgrandja/spring-security-oauth-5-2-migrate

https://github.com/jgrandja/oauth2-protocol-patterns
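
For readers following the thread, one way the migration discussed above can look with Spring Security 5.x classes only. This is an added example, not code from the thread or from the linked samples. It assumes `spring-boot-starter-oauth2-client` is on the classpath and that a `client_credentials` registration with the hypothetical id `introspection-client` (plus its provider `token-uri`) is declared under `spring.security.oauth2.client`; the principal name `resource-server` is also a placeholder.

```kotlin
// Added example (not from the thread). Assumes spring-boot-starter-oauth2-client and a
// client_credentials registration under spring.security.oauth2.client.registration with
// the hypothetical id "introspection-client"; Boot then supplies the two injected beans.
import org.springframework.boot.autoconfigure.security.oauth2.resource.OAuth2ResourceServerProperties
import org.springframework.boot.web.client.RestTemplateBuilder
import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.http.client.ClientHttpRequestInterceptor
import org.springframework.security.oauth2.client.*
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository
import org.springframework.security.oauth2.server.resource.introspection.NimbusOpaqueTokenIntrospector
import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector

@Configuration
class IntrospectionClientConfig {

    @Bean
    fun authorizedClientManager(
        registrations: ClientRegistrationRepository,
        clients: OAuth2AuthorizedClientService
    ): OAuth2AuthorizedClientManager {
        val manager = AuthorizedClientServiceOAuth2AuthorizedClientManager(registrations, clients)
        manager.setAuthorizedClientProvider(
            OAuth2AuthorizedClientProviderBuilder.builder().clientCredentials().build()
        )
        return manager
    }

    @Bean
    fun introspector(
        builder: RestTemplateBuilder,
        properties: OAuth2ResourceServerProperties,
        manager: OAuth2AuthorizedClientManager
    ): OpaqueTokenIntrospector {
        val request = OAuth2AuthorizeRequest.withClientRegistrationId("introspection-client")
            .principal("resource-server").build()
        // The manager reuses the stored access token and requests a new one once it has expired.
        val bearer = ClientHttpRequestInterceptor { req, body, execution ->
            val client = manager.authorize(request)
                ?: throw IllegalStateException("client_credentials token request failed")
            req.headers.setBearerAuth(client.accessToken.tokenValue)
            execution.execute(req, body)
        }
        return NimbusOpaqueTokenIntrospector(
            properties.opaquetoken.introspectionUri,
            builder.additionalInterceptors(bearer).build()
        )
    }
}
```

Because the introspector is exposed as a bean, the `opaqueToken { }` block in the resource-server DSL picks it up without an explicit `token.introspector(...)` call.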