Spring Boot + OAuth 2 Client Credentials Grant - Hello World Example
It is an open standard for token-based authentication and authorization on the Internet. It allows an end user's account information to be used by third-party services, such as Facebook, without exposing the user's password.
When using OAuth2, grant type is the way an application gets the access token. Following are the grant types according to OAuth2 specification-
- Authorization code grant
- Implicit grant
- Resource owner credentials grant
- Client credentials grant
- Refresh token grant
Spring Boot Security - Implementing OAuth2Spring Boot Security - Introduction to OAuth Spring Boot OAuth2 Part 1 - Getting The Authorization Code Spring Boot OAuth2 Part 2 - Getting The Access Token And Using it to fetch data. Spring Boot + OAuth 2 Client Credentials Grant - Hello World Example. Spring Boot + OAuth 2 Password Grant - Hello World Example. Facebook Authentication Using Spring Boot + Spring Social Simple Example.
VideoThis tutorial is explained in the below Youtube Video.
The Client Credentials Grant involves machine to machine authentication. Oauth usually consists of following actors -
- Resource Owner(User) - An entity capable of granting access to a protected resource. When the resource owner is a person, it is referred to as an end-user.
- Client Application - The machine that needs to be authenticated.
- Authorization Server - The server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization
- Resource Server - The resource server is the OAuth 2.0 term for your API server. The resource server handles authenticated requests after the application has obtained an access token.
This type of Authentication does not involve any end-user. Unlike Authorization Grant where the end user had to authenticate himself using Authorization Server like Gmail, here the machine it self authenticates itself to access a protected resource.
Trivago server will be accessing several third party APIs to show search results. Machine to machine authentication will be done by the Trivago server to access the third party API's to get the hotel data. Suppose it wants search data from makemytrip.com, so Trivago Server will authenticate itself by calling makemytrip's authorization server to get access token and then using this token access the makemytrip resource server to get the search result. So here-
- Client Application(Trivago Server) - Trivago Server which will need to get some reources from MakeMyTrip.com.
- Authorization Server(MakeMyTrip Authorization Server)- MakeMyTrip Authorization Server. Here Trivago should have already registered itself to the MakeMyTrip Authorization Server so that it can be authenticated and issued token.
- Resource Server(MakeMyTrip Resource Server) - MakeMyTrip application will then use the token it recieved from the Authorization Server to get resource from the MakeMyTrip Resource Server. MakeMyTrip ResourceServer will verify if the token recieved is valid by calling the Authorization server which issued it. If its valif it will return the requested resource
Call to the Authorization Server to get the token.
Parameter Value grant_type (required) client_credentials client_id(required) The client id client_secret(required) The client secret key
- After getting the token from the authorization server, the client application then needs to use this for getting resource from the resource server.