0

I'm trying to implement an authorization service which is similar to OAuth2, just that it doesn't need a username and a password to generate the key and the refresh token. But from what I've found it looks like you also have to give it a user and a password. Are there any workarounds for this?

My code is:

import javax.sql.DataSource;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;

// Picked up by Spring Security OAuth2 when @EnableAuthorizationServer is present in the context.
@Configuration
public class AuthorizationServerConfiguration implements AuthorizationServerConfigurer {

    @Autowired
    private PasswordEncoder passwordEncoder;

    @Autowired
    private DataSource dataSource;

    @Autowired
    private AuthenticationManager authenticationManager;

    // /oauth/check_token requires an authenticated caller; /oauth/token_key is open.
    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
        security.checkTokenAccess("isAuthenticated()").tokenKeyAccess("permitAll()");
    }

    // Client registrations (client_id, client_secret, grant types) come from the database.
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.jdbc(dataSource).passwordEncoder(passwordEncoder);
    }

    // The AuthenticationManager is what authenticates the resource owner for the password grant.
    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.authenticationManager(authenticationManager);
    }

}


import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Autowired
    private UserDetailsService userDetailsService;

    // Exposes the AuthenticationManager so the authorization server configuration can inject it.
    @Bean
    public AuthenticationManager getAuthenticationManager() throws Exception {
        return super.authenticationManagerBean();
    }

    // Delegating encoder: stored hashes carry an {id} prefix naming the algorithm (e.g. {bcrypt}).
    @Bean
    public PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());
    }
}
Truica Sorin

2 Answers

1

As per your requirement you can use a JWT token. It supports various algorithms like RS256 and HS256.

I will take HS256 as reference.

In your authorization server, you need to generate the token based on some secret key. On the client side, you need to validate the token with the same secret key.

If you don't want to share the secret key between the authorization server and the client server, you can use RS256, which has a public and private key concept.

For the implementation you need to add a filter which checks for the token in the header on each call.

Refer to this post for more detail related to the implementation.

MyTwoCents
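The two signing options mentioned in this answer, worked through as an added example using only the JDK (this is not code from the question or the answer; the class name, method names and the constructed payload are my own). The authorization server signs the token; the filter on a resource server would call the matching verify method on the bearer token taken from the Authorization header. With HS256 the verifier must hold the same secret as the issuer, with RS256 it only needs the public key. The verifier pins the algorithm it expects, requires an exp claim and compares HMACs in constant time.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.time.Instant;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added example, not from the question or the answers. Minimal JWT issue/verify for
// HS256 (shared secret) and RS256 (private key signs, public key verifies).
public final class JwtDemo {

    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder B64D = Base64.getUrlDecoder();

    private static String b64(byte[] in) { return B64.encodeToString(in); }
    private static byte[] utf8(String s) { return s.getBytes(StandardCharsets.UTF_8); }

    // --- HS256: authorization server and resource server share `secret` ---
    public static String signHs256(String payloadJson, byte[] secret) throws GeneralSecurityException {
        String signingInput = b64(utf8("{\"alg\":\"HS256\",\"typ\":\"JWT\"}")) + "." + b64(utf8(payloadJson));
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(secret, "HmacSHA256"));
        return signingInput + "." + b64(mac.doFinal(utf8(signingInput)));
    }

    public static boolean verifyHs256(String token, byte[] secret, Instant now) throws GeneralSecurityException {
        try {
            String[] parts = split(token);
            if (parts == null || !headerAlgIs(parts[0], "HS256")) return false;
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(secret, "HmacSHA256"));
            byte[] expected = mac.doFinal(utf8(parts[0] + "." + parts[1]));
            // MessageDigest.isEqual is constant-time, so a wrong signature leaks no timing information
            return MessageDigest.isEqual(expected, B64D.decode(parts[2])) && notExpired(parts[1], now);
        } catch (IllegalArgumentException e) {      // malformed base64url or exp value
            return false;
        }
    }

    // --- RS256: only the issuer holds the private key ---
    public static String signRs256(String payloadJson, PrivateKey key) throws GeneralSecurityException {
        String signingInput = b64(utf8("{\"alg\":\"RS256\",\"typ\":\"JWT\"}")) + "." + b64(utf8(payloadJson));
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(key);
        sig.update(utf8(signingInput));
        return signingInput + "." + b64(sig.sign());
    }

    public static boolean verifyRs256(String token, PublicKey key, Instant now) throws GeneralSecurityException {
        try {
            String[] parts = split(token);
            if (parts == null || !headerAlgIs(parts[0], "RS256")) return false;
            Signature sig = Signature.getInstance("SHA256withRSA");
            sig.initVerify(key);
            sig.update(utf8(parts[0] + "." + parts[1]));
            return sig.verify(B64D.decode(parts[2])) && notExpired(parts[1], now);
        } catch (IllegalArgumentException | SignatureException e) {
            return false;
        }
    }

    private static String[] split(String token) {
        String[] p = token.split("\\.");
        return p.length == 3 ? p : null;
    }

    // The verifier decides which algorithm is acceptable; it never trusts the header's
    // alg on its own (this rejects alg=none and HS256/RS256 confusion).
    private static boolean headerAlgIs(String headerB64, String alg) {
        String header = new String(B64D.decode(headerB64), StandardCharsets.UTF_8);
        return header.contains("\"alg\":\"" + alg + "\"");
    }

    // Minimal exp extraction; a real service would use a JSON parser and also check iss/aud.
    private static boolean notExpired(String payloadB64, Instant now) {
        String payload = new String(B64D.decode(payloadB64), StandardCharsets.UTF_8);
        int i = payload.indexOf("\"exp\":");
        if (i < 0) return false;                    // tokens without an expiry are rejected
        int start = i + 6, end = start;
        while (end < payload.length() && Character.isDigit(payload.charAt(end))) end++;
        return Long.parseLong(payload.substring(start, end)) > now.getEpochSecond();
    }

    public static void main(String[] args) throws Exception {
        long exp = Instant.now().getEpochSecond() + 300;
        // Constructed demo payload: a client identity and scope, no end user involved.
        String payload = "{\"sub\":\"my-client-app\",\"scope\":\"read\",\"exp\":" + exp + "}";

        byte[] secret = new byte[32];               // constructed demo secret; load from config in practice
        new SecureRandom().nextBytes(secret);
        String hs = signHs256(payload, secret);
        System.out.println("HS256 valid:        " + verifyHs256(hs, secret, Instant.now()));
        System.out.println("HS256 wrong secret: " + verifyHs256(hs, new byte[32], Instant.now()));

        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        String rs = signRs256(payload, kp.getPrivate());
        System.out.println("RS256 valid:        " + verifyRs256(rs, kp.getPublic(), Instant.now()));
        // Swapping the payload for one with a wider scope must fail signature verification.
        String tampered = rs.substring(0, rs.indexOf('.') + 1)
                + b64(utf8(payload.replace("read", "admin"))) + rs.substring(rs.lastIndexOf('.'));
        System.out.println("RS256 tampered:     " + verifyRs256(tampered, kp.getPublic(), Instant.now()));
    }
}
```

Compile and run with `javac JwtDemo.java && java JwtDemo`. In a Spring application the verify call would sit in a filter that runs once per request, reads the Authorization header, strips the Bearer prefix and rejects the request when verification returns false; the RS256 variant is the one to prefer when the resource servers are separate deployments, since a compromised resource server then cannot mint tokens.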
0

If I understand correctly you want to remove the server-to-server authentication because you probably don't need it, because it is a client app. Well, you can't. At least I haven't found a way to do it, so use something trivial and leave it as it is. If someone has found a way, please share it.

Alexius DIAKOGIANNIS