
I am currently migrating the authorization server from old Spring Security OAuth2 to the new Spring Authorization Server.

It seems that the new Spring Authorization Server generates JWT tokens by default.

What if I don't want to use JWT and Opaque?

Is it possible to generate tokens same as the old Spring Security OAuth2?

By the way, I also don't have any idea what type of token the old Spring Security OAuth2 generates... I am a noob here... any idea is appreciated.

Thanks.

jetpack
  • What about using something more "noob" friendly as authorization-server (like Keycloak or a SaaS OpenID provider like Auth0)? You'll get advanced features like identity federation (Google, Facebook, etc.), multi-factor authentication, connectors to LDAP or existing user DB, etc. You then [configure your Spring REST API as resource-server](https://dzone.com/articles/spring-oauth2-resource-servers) – ch4mp Sep 14 '22 at 18:36
  • I think opaque token it is. I misunderstood the idea of opaque tokens, but with a few examples, I concluded that it's the opaque token that I need. – jetpack Sep 20 '22 at 07:26
  • "Opaque" is from the resource-server point of view: it is considered a black-box and introspection on authorization-server is needed for validation and to get token details (claims) – ch4mp Sep 20 '22 at 16:54

1 Answer


You can generate any type of token you want, using OAuth2TokenGenerator, though it sounds like you don't have another type in mind.

Spring Authorization Server supports OAuth2TokenFormat.SELF_CONTAINED and OAuth2TokenFormat.REFERENCE as types, which are high level categories that map concretely to JWT and Opaque respectively. If you aren't interested in using a JWT, then I suggest using Opaque. It is quite simple to configure and use.

If you want to use another self-contained format, there are many areas of the framework you will need to customize and get right, which might be difficult without a spec. I don't remember off hand what formats were supported by the old project, but it was likely one or both of these.

Steve Riesenberg
  • Hi Steve, thanks for your reply. I finally figured out that I will have to use opaque tokens. But I encounter problems in my implementation. When using opaque tokens I always get `Internal Server Error` when making a GET request to the resource server. There is no problem in generating the tokens, it is only that I cannot access the resource server. – jetpack Sep 20 '22 at 07:23
  • Sorry to hear that your resource server isn't working. I recommend playing around with the [samples](https://github.com/spring-projects/spring-authorization-server/tree/main/samples) first, and configure them to use opaque tokens. If generating tokens is working, you can configure [opaque tokens](https://docs.spring.io/spring-security/reference/servlet/oauth2/resource-server/opaque-token.html) in the resource server via the [introspection endpoint](https://docs.spring.io/spring-authorization-server/docs/current/reference/html/protocol-endpoints.html#oauth2-token-introspection-endpoint). – Steve Riesenberg Sep 20 '22 at 15:40
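
The two pieces the answer and its comments describe, as an added example that is not code from the question, the answer, or the Spring projects: a `RegisteredClient` whose `TokenSettings` select `OAuth2TokenFormat.REFERENCE` so the authorization server issues opaque access tokens, and the resource-server `SecurityFilterChain` that validates those tokens by calling the introspection endpoint. Package names follow Spring Authorization Server 1.x and Spring Security 6 (in 0.3.x, `OAuth2TokenFormat` and `TokenSettings` live in different packages); the host name, client ids, secrets and the `orders.read` scope are placeholders. The second registered client exists only so the resource server has its own credentials for introspection rather than borrowing the API client's.

```java
// Added example, not code from the page or from Spring Authorization Server.
// Two configuration classes for two separate applications: the authorization
// server and the resource server. Placeholders: host, client ids, secrets, scope.

import java.time.Duration;
import java.util.UUID;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.security.oauth2.server.authorization.client.InMemoryRegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.settings.OAuth2TokenFormat;
import org.springframework.security.oauth2.server.authorization.settings.TokenSettings;
import org.springframework.security.web.SecurityFilterChain;

// ---- Authorization server application ----
@Configuration
class OpaqueTokenClientConfig {

    @Bean
    RegisteredClientRepository registeredClientRepository() {
        // accessTokenFormat is where the answer's two categories are chosen:
        // SELF_CONTAINED (JWT, the default) or REFERENCE (opaque). The default
        // generator chain (JwtGenerator, OAuth2AccessTokenGenerator,
        // OAuth2RefreshTokenGenerator) consults this setting per client.
        TokenSettings opaqueTokens = TokenSettings.builder()
                .accessTokenFormat(OAuth2TokenFormat.REFERENCE)
                .accessTokenTimeToLive(Duration.ofMinutes(5))
                .build();

        // Client that obtains access tokens for the API (placeholder ids/secrets;
        // "{noop}" is for demonstration only, encode secrets with a PasswordEncoder).
        RegisteredClient apiClient = RegisteredClient.withId(UUID.randomUUID().toString())
                .clientId("api-client")
                .clientSecret("{noop}api-client-secret")
                .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
                .authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
                .scope("orders.read")
                .tokenSettings(opaqueTokens)
                .build();

        // Client used by the resource server to authenticate to /oauth2/introspect.
        // The builder requires at least one grant type, so it gets client_credentials
        // but no scopes; a separate client keeps the introspection credential
        // distinct from the credential that requests API tokens.
        RegisteredClient introspectionClient = RegisteredClient.withId(UUID.randomUUID().toString())
                .clientId("orders-resource-server")
                .clientSecret("{noop}orders-rs-secret")
                .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
                .authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
                .build();

        return new InMemoryRegisteredClientRepository(apiClient, introspectionClient);
    }
}

// ---- Resource server application (separate process) ----
@Configuration
class OpaqueResourceServerConfig {

    @Bean
    SecurityFilterChain resourceServerChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(authorize -> authorize
                // Scopes returned by introspection become SCOPE_<scope> authorities.
                .requestMatchers("/orders/**").hasAuthority("SCOPE_orders.read")
                .anyRequest().authenticated())
            // An opaque token is a black box here: on each request the filter POSTs
            // the token to the authorization server's introspection endpoint
            // (/oauth2/introspect by default) using the resource server's own
            // client credentials, and rejects the request if "active" is false.
            .oauth2ResourceServer(oauth2 -> oauth2
                .opaqueToken(opaque -> opaque
                    .introspectionUri("http://auth-server.example:9000/oauth2/introspect")
                    .introspectionClientCredentials("orders-resource-server", "orders-rs-secret")));
        return http.build();
    }
}
```

The authorization server still needs its own authorization-server filter chain (the `OAuth2AuthorizationServerConfiguration` defaults used in the linked samples); only the client registration is shown because that is where the token format is decided. On the resource-server side the same introspection settings can be supplied as properties (`spring.security.oauth2.resourceserver.opaquetoken.introspection-uri`, `client-id`, `client-secret`) instead of the builder calls, and the introspection client must be a registered client on the authorization server that authenticates with a client secret, otherwise every introspection call fails before the token is ever checked.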