From 87243ea45352a37dd0ae6704ccbc596f43e147b0 Mon Sep 17 00:00:00 2001 From: Rob Winch Date: Tue, 18 Sep 2018 10:58:56 -0500 Subject: [PATCH] Add WebFlux Resource Server Reference Fixes: gh-5866 --- .../_includes/reactive/oauth2/index.adoc | 2 + .../reactive/oauth2/resource-server.adoc | 47 +++++++++++++++++++ 2 files changed, 49 insertions(+) create mode 100644 docs/manual/src/docs/asciidoc/_includes/reactive/oauth2/resource-server.adoc diff --git a/docs/manual/src/docs/asciidoc/_includes/reactive/oauth2/index.adoc b/docs/manual/src/docs/asciidoc/_includes/reactive/oauth2/index.adoc index 3fd2fadf70..ed71bd2a1d 100644 --- a/docs/manual/src/docs/asciidoc/_includes/reactive/oauth2/index.adoc +++ b/docs/manual/src/docs/asciidoc/_includes/reactive/oauth2/index.adoc @@ -5,3 +5,5 @@ Spring Security provides OAuth2 and WebFlux integration for reactive application include::login.adoc[leveloffset=+1] include::access-token.adoc[leveloffset=+1] + +include::resource-server.adoc[leveloffset=+1] diff --git a/docs/manual/src/docs/asciidoc/_includes/reactive/oauth2/resource-server.adoc b/docs/manual/src/docs/asciidoc/_includes/reactive/oauth2/resource-server.adoc new file mode 100644 index 0000000000..487aaa92b2 --- /dev/null +++ b/docs/manual/src/docs/asciidoc/_includes/reactive/oauth2/resource-server.adoc @@ -0,0 +1,47 @@ +[[webflux-oauth2-resource-server]] += OAuth2 Resource Server + +Spring Security provides OAuth2 Resource Server support with JWT tokens. + + +[[NOTE]] +==== +A complete working example can be found in {gh-samples-url}/boot/oauth2resourceserver-webflux[*OAuth 2.0 Resource Server WebFlux sample*]. +==== + +The first step is to expose a `ReactiveJwtDecoder` as a `@Bean`. +In a Spring Boot application this can be done using: + +[source,yml] +---- +spring: + security: + oauth2: + resourceserver: + jwt: + issuer-uri: https://idp.example.com/auth/realms/demo +---- + +The `issuer-uri` instructs Spring Security to leverage the endpoint at `https://idp.example.com/auth/realms/demo/.well-known/openid-configuration` to discover the configuration. +The above is all that is necessary to get a minimal Resource Server configured. +When new keys are made available, Spring Security will automatically rotate the keys used to validate the JWT tokens. + +By default each scope is mapped to an authority with the prefix `SCOPE_`. +For example, the following requires the scope of `message:read` for any URL that starts with `/messages/`. + +[source,java] +---- +@Bean +SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { + http + .authorizeExchange() + .pathMatchers("/message/**").hasAuthority("SCOPE_message:read") + .anyExchange().authenticated() + .and() + .oauth2ResourceServer() + .jwt(); + return http.build(); +} +---- + +