{"id":192,"date":"2024-12-27T10:14:39","date_gmt":"2024-12-27T10:14:39","guid":{"rendered":"https:\/\/ranjeshviswa.com\/?p=192"},"modified":"2024-12-27T10:16:23","modified_gmt":"2024-12-27T10:16:23","slug":"how-to-create-an-oauth2-client-using-spring-boot","status":"publish","type":"post","link":"https:\/\/ranjeshviswa.com\/?p=192","title":{"rendered":"How to create an OAuth2 Client using Spring Boot"},"content":{"rendered":"

Overview<\/span><\/h2>\n

 <\/p>\n

This guide shows how to create an OAuth2 client and consume an endpoint protected by OAuth2 authorization server using Spring Boot.<\/p>\n

Introduction<\/h2>\n

Let\u2019s say you are part of a Bank backend development team and you need to create an internal endpoint, which will give real time status of international payment transaction. The internal endpoint when invoked will call an external swift endpoint, which gives detailed status history of payment went through swift network. The response returned from swift needs to be transformed into customised simple status response. The swift endpoint is protected by OAuth2 Authorization server using grant type\u00a0urn:ietf:params:oauth:grant-type:jwt-bearer<\/a>. This grant type enables an OAuth client to request an access token using JSON Web Tokens (JWT<\/a>). The subsequent part of this guide will show key components involved in creating a Spring boot application, which exposes a rest end point and also acts as an OAuth2 Client to external Swift server.<\/p>\n

Proposed System Architecture<\/h2>\n

 <\/p>\n

\n
\"\"<\/div>\n<\/figure>\n
\n

Rest Controller<\/h2>\n
@RestController<\/span>\r\nclass<\/span> TransactionController<\/span>(val<\/span> swiftTransactionService: SwiftTransactionService) {\r\n@GetMapping(\"\/transactions\/{uetr}\"<\/span>)<\/span>\r\n  fun<\/span> getTransactionStatus<\/span>(@PathVariable<\/span> uetr: String<\/span>)<\/span><\/span>: ResponseEntity<TransactionStatus> {\r\n    val<\/span> status = swiftTransactionService.getTransactionStatus(uetr)\r\n    return<\/span> ResponseEntity.ok(TransactionStatus(status))\r\n  }\r\n}<\/pre>\n
Typical Spring Boot Rest controller to create an endpoint , it uses swiftTransactionService which in turns call external swift resource end point, protected by Swift Authorization server<\/p>\n
Service<\/h2>\n
@Service<\/span>\r\n@EnableConfigurationProperties(SwiftApiProperties::class)<\/span>\r\nclass<\/span> SwiftTransactionService<\/span>(\r\n  private<\/span> val<\/span> webClient: WebClient,\r\n  private<\/span> val<\/span> swiftApiProperties: SwiftApiProperties\r\n) {\r\n\r\n  fun<\/span> getTransactionStatus<\/span>(uetr: String<\/span>)<\/span><\/span>: String {\r\n  val<\/span> swiftResponse = webClient\r\n    .get<\/span>()\r\n    .uri(URI(swiftApiProperties.resourceUrl.format(uetr)))\r\n    .retrieve()\r\n    .bodyToMono<Map<String, Any>>()\r\n    .block() ?: emptyMap()\r\n  val<\/span> status = swiftResponse[\"transaction_status\"<\/span>] as<\/span> String\r\n  return<\/span> status\r\n  }\r\n}<\/pre>\n
Service layer uses WebClient to call external resource end point\u00a0https:\/\/sandbox.swift.com\/swift-apitracker\/v5\/payments\/{uetr}\/transactions<\/a>, which is protected by authorization server. WebClient is configured to automtically send client credentials like clientId, clientSecret, JWT to Authorization server to get valid access token, which is then used to access resource end point.<\/p>\n
JwtTokenUtil<\/h2>\n
@Component<\/span>\r\n@EnableConfigurationProperties(SwiftApiProperties::class)<\/span>\r\nclass<\/span> JwtTokenUtil<\/span>(val<\/span> swiftApiProperties: SwiftApiProperties) {\r\n\r\n  fun<\/span> createJwtToken<\/span>()<\/span><\/span>: String {\r\n    val<\/span> certFactory = CertificateFactory.getInstance(\"X.509\"<\/span>)\r\n    val<\/span> certificateInputStream = loadPublicCertificateAsStream(swiftApiProperties.certPath)\r\n    val<\/span> certificate: X509Certificate = certFactory.generateCertificate(certificateInputStream) as<\/span> X509Certificate\r\n    val<\/span> base64EncodedCert = com.nimbusds.jose.util.Base64.encode(certificate.encoded)\r\n    val<\/span> header = JWSHeader.Builder(JWSAlgorithm.RS256)\r\n     .type(JOSEObjectType.JWT)\r\n     .x509CertChain(listOf(base64EncodedCert))\r\n     .build()\r\n\r\n    val<\/span> jti = (1.<\/span>.12<\/span>)\r\n      .map { \"abcdefghijklmnopqrstuvwxyz0123456789\"<\/span>.random() }\r\n      .joinToString(\"\"<\/span>)\r\n    val<\/span> currentTimeMillis = System.currentTimeMillis()\r\n    val<\/span> issuedAt = currentTimeMillis \/ 1000<\/span>\r\n    val<\/span> expiration = issuedAt + 900<\/span> \/\/ 15 minutes from issuance<\/span>\r\n    val<\/span> claims = JWTClaimsSet.Builder()\r\n      .issuer(swiftApiProperties.issuer)\r\n      .audience(swiftApiProperties.audience)\r\n      .subject(swiftApiProperties.subject)\r\n      .jwtID(jti)\r\n      .expirationTime(Date(expiration * 1000<\/span>))\r\n      .issueTime(Date(issuedAt * 1000<\/span>))\r\n      .build()\r\n\r\n    val<\/span> signedJWT = SignedJWT(\r\n      header,\r\n      claims\r\n      )\r\n    val<\/span> privateKey = loadPrivateKey(swiftApiProperties.privateKeyPath)\r\n      signedJWT.sign(RSASSASigner(privateKey))\r\n      return<\/span> signedJWT.serialize()\r\n  }\r\n\r\n  fun<\/span> loadPrivateKey<\/span>(privateKeyPath: String<\/span>)<\/span><\/span>: PrivateKey {\r\n    Security.addProvider(BouncyCastleProvider())\r\n    \/\/ Load the private key from the PEM file<\/span>\r\n    val<\/span> resource = ClassPathResource(privateKeyPath)\r\n    val<\/span> keyContentPKCS1 = resource.inputStream.bufferedReader(StandardCharsets.UTF_8).use { it.readText() }\r\n     .replace(\"-----BEGIN RSA PRIVATE KEY-----\"<\/span>, \"\"<\/span>)\r\n     .replace(\"-----END RSA PRIVATE KEY-----\"<\/span>, \"\"<\/span>)\r\n     .replace(\"\\\\s+\"<\/span>.toRegex(), \"\"<\/span>)\r\n\r\n    val<\/span> keyBytes: ByteArray = Base64.getDecoder().decode(keyContentPKCS1)\r\n    val<\/span> asn1Parser = ASN1StreamParser(keyBytes)\r\n    val<\/span> asn1Object = asn1Parser.readObject()\r\n    val<\/span> rsaKey = RSAPrivateKey.getInstance(asn1Object.toASN1Primitive())\r\n    val<\/span> keySpec = RSAPrivateCrtKeySpec(\r\n     rsaKey.modulus,\r\n     rsaKey.publicExponent,\r\n     rsaKey.privateExponent,\r\n     rsaKey.prime1,\r\n     rsaKey.prime2,\r\n     rsaKey.exponent1,\r\n     rsaKey.exponent2,\r\n     rsaKey.coefficient\r\n     )\r\n  val<\/span> keyFactory = KeyFactory.getInstance(\"RSA\"<\/span>)\r\n  val<\/span> privateKey = keyFactory.generatePrivate(keySpec)\r\n  return<\/span> privateKey\r\n}\r\n  fun<\/span> loadPublicCertificateAsStream<\/span>(filePath: String<\/span>)<\/span><\/span>: InputStream {\r\n    val<\/span> resource = ClassPathResource(filePath)\r\n    return<\/span> resource.inputStream\r\n  }\r\n}<\/pre>\n
This utlity is used to create JWT dynamically. JWT header is constructed using clients public certificate, kept as cert.pem in resources folder.JWT payload is constructed using statically configured: issuer, audience, subject, and dynamically generated: JTI, issued Time and expiration Time. The consolidated JWT is then signed with clients private Key , kept as privateKey.pem in resources folder.<\/p>\n
P.S. Sensitive information like private Key and public certificate should not be kept along side the code for security reason. Ideally they should be kept in secure vault like AWS secret manager and access dynamically. For the simplicity of this demo, it is kept along side the code.<\/p>\n
OAuth2ClientConfig<\/h2>\n
@Configuration<\/span>\r\n@EnableConfigurationProperties(SwiftApiProperties::class)<\/span>\r\nclass<\/span> OAuth2ClientConfig<\/span>(\r\n  val<\/span> clientRegistrationRepository: ClientRegistrationRepository,\r\n  val<\/span> authorizedClientRepository: OAuth2AuthorizedClientRepository,\r\n  val<\/span> jwtTokenUtil: JwtTokenUtil,\r\n  val<\/span> swiftApiProperties: SwiftApiProperties\r\n) {\r\n  @Bean<\/span>\r\n  fun<\/span> authorizedClientManager<\/span>()<\/span><\/span>: OAuth2AuthorizedClientManager {\r\n    val<\/span> authorizedClientManager = DefaultOAuth2AuthorizedClientManager(\r\n      clientRegistrationRepository,\r\n      authorizedClientRepository\r\n     )\r\n    authorizedClientManager.setAuthorizedClientProvider { context ->\r\n      val<\/span> clientRegistration = context.clientRegistration\r\n      val<\/span> jwtBearerToken = jwtTokenUtil.createJwtToken()\r\n      val<\/span> formData: MultiValueMap<String, String> = LinkedMultiValueMap()\r\n      formData.add(\"grant_type\"<\/span>, swiftApiProperties.grantType)\r\n      formData.add(\"assertion\"<\/span>, jwtBearerToken)\r\n      formData.add(\"scope\"<\/span>, swiftApiProperties.scope)\r\n      val<\/span> body = BodyInserters\r\n       .fromFormData(formData)\r\n      WebClient.builder()\r\n       .defaultHeader(\"Content-Type\"<\/span>, \"application\/x-www-form-urlencoded\"<\/span>)\r\n       .defaultHeaders { headers ->\r\n          headers.setBasicAuth(\r\n            swiftApiProperties.consumerKey,\r\n            swiftApiProperties.consumerSecret\r\n          )\r\n        }\r\n        .build()\r\n        .post()\r\n        .uri(URI(clientRegistration.providerDetails.tokenUri))\r\n        .body(body)\r\n        .retrieve()\r\n        .bodyToMono<Map<String, Any>>()\r\n        .map { responseMap ->\r\n          OAuth2AuthorizedClient(\r\n            clientRegistration, context.principal.name, OAuth2AccessToken(\r\n            OAuth2AccessToken.TokenType.BEARER,\r\n            responseMap?.let {\r\n              it[\"access_token\"<\/span>] as<\/span> String\r\n            },\r\n            Instant.now(),\r\n            Instant.now().plusSeconds(1799<\/span>)\r\n          )\r\n          )\r\n        }\r\n        .block()\r\n\r\n    }\r\n    return<\/span> authorizedClientManager\r\n  }\r\n  @Bean<\/span>\r\n  fun<\/span> webClient<\/span>(authorizedClientManager: OAuth2AuthorizedClientManager<\/span>)<\/span><\/span>: WebClient {\r\n    val<\/span> oauth2Filter = ServletOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager)\r\n    oauth2Filter.setDefaultClientRegistrationId(\"swift-oauth-client\"<\/span>)\r\n    return<\/span> WebClient.builder()\r\n      .apply(oauth2Filter.oauth2Configuration())\r\n      .build()\r\n  }\r\n\r\n}<\/pre>\n
Spring Bean OAuth2AuthorizedClientManager is configured to call Swift token endpoint automatically and get access token, when ever new token is required or when old token is expired. The bean is injected into Spring Bean WebClient and is subsequently used in Service layer to call swift resource endpoint<\/p>\n
Summary<\/h2>\n