I have an OAuth flow in my project.
I retrieve a JWT token in the front-end and add it to each request in the Authorization header.
Now I need to validate said token and verify the signature in my back-end, which is a Kotlin Spring Boot app.
I know how to validate the token with the jjwt library, but I don't understand where the validation is done.
I have a certificate to validate the tokens with and just want only the requests with a valid token to be processed.
I saw online that some people do it with a `OncePerRequestFilter` that they add to their SecurityConfiguration, but I don't understand what's going on and how it works.
I tried searching for tutorials online, but many of them make a backend that's both the authorization server and the resource server. I just want the backend to be the resource server that checks with the certificate whether the token is valid and processes the request if it is. How can I do that?
For now this is my SecurityConfiguration:
```kotlin
package com.renaulttrucks.transfertprotocolbackend.security.config

import org.springframework.beans.factory.annotation.Value
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter

@EnableWebSecurity
class SecurityConfig(
    // Constructor injection with a default value avoids the nullable `val` + `!!` pattern.
    @Value("\${security.enabled:false}") private val securityEnabled: Boolean
) : WebSecurityConfigurerAdapter() {

    @Throws(Exception::class)
    override fun configure(http: HttpSecurity) {
        if (!securityEnabled) {
            // Security switched off: every request is let through without authentication.
            http.httpBasic()
                .and()
                .authorizeRequests()
                .antMatchers("/**").permitAll()
                .and()
                .csrf().disable()
                .formLogin().disable()
        } else {
            // Security switched on: currently identical to the branch above, so every
            // request is still permitted. This is the branch that needs the JWT check.
            http.httpBasic()
                .and()
                .authorizeRequests()
                .antMatchers("/**").permitAll()
                .and()
                .csrf().disable()
                .formLogin().disable()
        }
    }
}
```
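The following is an added example of a resource-server-only configuration; it is not code from the question or from the poster's project. It assumes Spring Security 5.4 or later (the `SecurityFilterChain` bean style) with `spring-boot-starter-oauth2-resource-server` on the classpath, and it uses Spring's built-in `NimbusJwtDecoder` instead of jjwt, because then no custom `OncePerRequestFilter` is needed: the `BearerTokenAuthenticationFilter` that `oauth2ResourceServer()` registers reads the `Authorization: Bearer` header, hands the token to the `JwtDecoder` bean, and rejects the request with 401 before any controller runs if the signature, expiry or issuer check fails. The property names `security.jwt.certificate` and `security.jwt.issuer`, the class name and the certificate file name are assumptions made for the example.

```kotlin
package com.renaulttrucks.transfertprotocolbackend.security.config

import org.springframework.beans.factory.annotation.Value
import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.core.io.Resource
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
import org.springframework.security.config.http.SessionCreationPolicy
import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm
import org.springframework.security.oauth2.jwt.JwtDecoder
import org.springframework.security.oauth2.jwt.JwtValidators
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder
import org.springframework.security.web.SecurityFilterChain
import java.security.cert.CertificateFactory
import java.security.cert.X509Certificate
import java.security.interfaces.RSAPublicKey

// Resource-server-only configuration. Assumed properties (not from the question):
//   security.jwt.certificate = classpath:token-signing.pem   (X.509 cert of the authorization server)
//   security.jwt.issuer      = https://auth.example.com      (expected "iss" claim)
@Configuration
@EnableWebSecurity
class ResourceServerConfig(
    @Value("\${security.jwt.certificate}") private val signingCertificate: Resource,
    @Value("\${security.jwt.issuer}") private val expectedIssuer: String
) {

    // This bean is what actually validates the token. BearerTokenAuthenticationFilter
    // extracts the bearer token and JwtAuthenticationProvider calls decoder.decode(token):
    // NimbusJwtDecoder verifies the RS256 signature against the certificate's public key,
    // and the validator enforces exp/nbf (with a small clock skew) and the issuer.
    @Bean
    fun jwtDecoder(): JwtDecoder {
        // CertificateFactory accepts both PEM and DER encoded X.509 certificates.
        val certificate = signingCertificate.inputStream.use { input ->
            CertificateFactory.getInstance("X.509").generateCertificate(input) as X509Certificate
        }
        val publicKey = certificate.publicKey as RSAPublicKey
        val decoder = NimbusJwtDecoder.withPublicKey(publicKey)
            .signatureAlgorithm(SignatureAlgorithm.RS256) // pin the algorithm; never trust the token's "alg" header
            .build()
        decoder.setJwtValidator(JwtValidators.createDefaultWithIssuer(expectedIssuer))
        return decoder
    }

    @Bean
    fun filterChain(http: HttpSecurity, jwtDecoder: JwtDecoder): SecurityFilterChain {
        http
            // A stateless API authenticated purely by bearer token needs neither a session nor CSRF tokens.
            .csrf { it.disable() }
            .sessionManagement { it.sessionCreationPolicy(SessionCreationPolicy.STATELESS) }
            // Every request must carry a token the decoder above accepts; no token or an
            // invalid one yields 401 with a WWW-Authenticate: Bearer header.
            .authorizeRequests { it.anyRequest().authenticated() }
            .oauth2ResourceServer { it.jwt { jwt -> jwt.decoder(jwtDecoder) } }
        return http.build()
    }
}
```

Two notes on the design. `JwtValidators.createDefaultWithIssuer` checks timestamps and `iss` only; if the authorization server issues tokens for several APIs, add an `aud` check by wrapping it in a `DelegatingOAuth2TokenValidator` together with a `JwtClaimValidator` for the audience, otherwise a token minted for a different service is accepted here. And if the file you have is a bare PEM public key rather than a certificate, Spring Boot can build the same decoder for you from the `spring.security.oauth2.resourceserver.jwt.public-key-location` property, so the `jwtDecoder()` bean can be dropped entirely.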