Complete Oauth2 implementation with Spring

A more secure, practical and reusable Oauth2 implementation

Catalin Patrut
The Startup

--

Introduction

In this article, I’m aiming to explain the basics of OAuth2 by using the Spring OAuth2 project and modifying it to fit a real-life scenario. This is not a theoretical post about OAuth2, nor one from which you can learn Spring; it is practical and goal-oriented.

Technologies used throughout this project are Java 8, Lombok, Spring DI, Flyway, H2 (for testing), PostgreSQL, Docker & docker-compose, Swagger, Spring Data JPA, ModelMapper and Hibernate Validator. If you’ve ever wanted to see all of these working together and pick up a bit of security knowledge along the way, this is the right place.

Requirements

A basic understanding of OAuth2 & RBAC.

The practical part

Let’s say that you are a Spring developer who builds REST APIs for multiple clients. By clients, we mean front-end web applications, mobile applications, basically anyone with an internet connection who can consume your resources.

Now, you need to secure these endpoints: keep a record of who is using them and check whether each caller is authorized. Take a ‘My Account’ page as an example: how do we know which user’s information to return? How do we stop a malicious user from accessing these endpoints? How can we separate the entire world from the people we aim to serve…
