This is the core subproject of oauth2-authorization-proxy-server-spring-boot that
- creates the Spring Security filter chain,
- defines the configuration options for the project,
- provides a `HandlerMethodArgumentResolver` implementation to resolve `UserInfo` controller method parameters, and
- manages the authentication of the users.
By default, HTTP basic authentication, form login and logout are disabled, as oauth2-authorization-proxy-server-spring-boot was designed with pure REST APIs in mind.
There are two possible ways of configuring oauth2-authorization-proxy-server-spring-boot:
- the `OAuth2AuthorizationProxyConfigurer`, which provides implementation-time configuration, and
- configuration properties, which can easily be changed for each deployment.
The `OAuth2AuthorizationProxyConfigurer` has two methods that can be implemented by services using oauth2-authorization-proxy-server-spring-boot:
- `getAntPatternsForPermitAll`: returns a `String` array containing ant patterns for paths that should be permitted by the Spring Security filter chain. Default value: empty array. Requests matching these patterns bypass authentication entirely, so the patterns should be limited to genuinely public endpoints (health checks, documentation and the like).
- `getAuthorizedUserAuthority`: returns the authority of normal authenticated users. Default value: USER.
The following configuration property is available:
- `oauth2.authorization.proxy.server.springboot.dummyUser`: a dummy `UserInfo` object that should be used for every request. This property is useful for testing purposes, as it makes every request's user authenticated by default, without actually reaching out to any external OAuth2 providers. Since it switches authentication off completely, it must never be set in a production deployment.
There is a custom `HandlerMethodArgumentResolver` implementation called `UserInfoArgumentResolver` that resolves Spring WebFlux controller method parameters of type `UserInfo` and `Mono<UserInfo>`.
If the `oauth2.authorization.proxy.server.springboot.dummyUser` property is not set, `OAuth2ServerSecurityContextRepository` performs the authentication of the users.

There can be any number of `IOAuth2Provider`s in the Spring context, each one having a unique identifier such as Facebook or Google. This identifier selects which external OAuth2 provider handles the authentication of a given request.
The core concept is that clients of services using oauth2-authorization-proxy-server-spring-boot must send the `Authorization` header containing a bearer access token, as well as a special `X-OAuth2-Provider` header containing the unique identifier of an external OAuth2 provider. The `IOAuth2Provider` matching that identifier reaches out to the external OAuth2 provider, which performs the actual authentication. If the access token is valid according to the external OAuth2 provider, the user is authenticated successfully.

Services using oauth2-authorization-proxy-server-spring-boot can implement the `IUserAuthenticationListener` interface to be notified about successful and failed authentication attempts.
As an example, let's say a request contains the following two headers:

```http
Authorization: Bearer xyz
X-OAuth2-Provider: Google
```

In this case, the `IOAuth2Provider` with the identifier Google will reach out to Google to validate the access token xyz. If Google says the access token is valid, the user will be authenticated.

Note that only supported values may be sent in the `X-OAuth2-Provider` header; any other value results in an error. Currently two external OAuth2 providers are supported: Facebook and Google.
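The following is an added, self-contained model of the dispatch described above. It is illustrative example code, not part of oauth2-authorization-proxy-server-spring-boot, and it stands in for the library's Java types: `UserInfo` is given hypothetical fields, `Provider` replaces an `IOAuth2Provider` with a constructed token table instead of a network call to the external OAuth2 provider, the listener callback signature is an assumption modelled on `IUserAuthenticationListener`, and `ProxyAuthenticator` plays the role of `OAuth2ServerSecurityContextRepository`, including the dummy-user short circuit. The token `xyz` and the e-mail addresses are constructed sample data.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Mapping, Optional


@dataclass(frozen=True)
class UserInfo:
    """Hypothetical shape of the resolved user; the library's UserInfo fields are not shown above."""
    user_id: str
    email: str
    authority: str = "USER"  # mirrors the default of getAuthorizedUserAuthority


class AuthenticationError(Exception):
    """Raised when a request cannot be authenticated."""


class Provider:
    """Stand-in for one IOAuth2Provider, identified by a unique name such as 'Google'.

    The real implementation calls the external OAuth2 provider over the network; here a
    constructed token table replaces that call so the example runs offline.
    """

    def __init__(self, identifier: str, valid_tokens: Mapping[str, UserInfo]):
        self.identifier = identifier
        self._valid_tokens = dict(valid_tokens)

    def authenticate(self, access_token: str) -> Optional[UserInfo]:
        return self._valid_tokens.get(access_token)


# Hypothetical listener signature modelled on IUserAuthenticationListener: (event, provider id, user).
Listener = Callable[[str, str, Optional[UserInfo]], None]


class ProxyAuthenticator:
    """Models the dispatch performed by OAuth2ServerSecurityContextRepository."""

    def __init__(self, providers: Iterable[Provider], listeners: Iterable[Listener] = (),
                 dummy_user: Optional[UserInfo] = None):
        self._providers: Dict[str, Provider] = {p.identifier: p for p in providers}
        self._listeners = list(listeners)
        self._dummy_user = dummy_user  # corresponds to the dummyUser property

    def _notify(self, event: str, provider_id: str, user: Optional[UserInfo]) -> None:
        for listener in self._listeners:
            listener(event, provider_id, user)

    def authenticate(self, headers: Mapping[str, str]) -> UserInfo:
        # With a dummy user configured, every request is authenticated without contacting any provider.
        if self._dummy_user is not None:
            return self._dummy_user

        # HTTP header names are case-insensitive, so normalise before lookup.
        h = {k.lower(): v for k, v in headers.items()}

        provider_id = h.get("x-oauth2-provider")
        if provider_id not in self._providers:
            # A missing or unsupported provider identifier is an error before any token handling.
            raise AuthenticationError(f"unsupported X-OAuth2-Provider: {provider_id!r}")

        scheme, _, token = h.get("authorization", "").partition(" ")
        token = token.strip()
        if scheme.lower() != "bearer" or not token:
            self._notify("failure", provider_id, None)
            raise AuthenticationError("Authorization header must carry a bearer token")

        user = self._providers[provider_id].authenticate(token)
        if user is None:
            # The external provider rejected the token: failed attempt, reported to listeners.
            self._notify("failure", provider_id, None)
            raise AuthenticationError(f"{provider_id} rejected the access token")

        self._notify("success", provider_id, user)
        return user


def build_example_authenticator(events: list) -> ProxyAuthenticator:
    """Wires the README scenario: a Google provider that knows the constructed token 'xyz'."""
    google = Provider("Google", {"xyz": UserInfo("google-1", "alice@example.com")})
    facebook = Provider("Facebook", {})  # supported identifier, no valid tokens in this sample
    recorder: Listener = lambda event, provider_id, user: events.append((event, provider_id))
    return ProxyAuthenticator([google, facebook], listeners=[recorder])


if __name__ == "__main__":
    events: list = []
    auth = build_example_authenticator(events)
    print(auth.authenticate({"Authorization": "Bearer xyz", "X-OAuth2-Provider": "Google"}))
    for bad in ({"Authorization": "Bearer xyz", "X-OAuth2-Provider": "GitHub"},
                {"Authorization": "Bearer nope", "X-OAuth2-Provider": "Google"}):
        try:
            auth.authenticate(bad)
        except AuthenticationError as exc:
            print("rejected:", exc)
    print(events)
```

The order of checks matters: the provider identifier is validated first, so a request naming an unsupported provider is rejected without any token ever being forwarded, and only attempts that actually reached a provider are reported to the listeners.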