
Multiple authentication servers for my OAuth 2 resource server

I have implemented a simple resource server with Spring Boot and Spring Oauth2 with Google as authentication server:

How do I add a few more authentication servers like Github, Facebook, or Twitter?

Right now I am able to generate id_token and access_token for Google authentication but I am not sure if Github or Facebook supports it. I couldn’t find anything similar in their documentation.

In the end, I want to have 3 authentication providers to which I will be able to generate id_token and send it as an Authentication header in Postman. I am not even able to find jwk-set-uri or issuer-uri for Github, to replace the Google authentication server with Github.


Answer

For multi-tenant scenarios (several token issuers), you should have a look at https://github.com/ch4mpy/spring-addons. Your use-case is very close to https://github.com/ch4mpy/spring-addons/tree/master/samples/tutorials/resource-server_with_oauthentication.

The Spring Boot team decided not to support multiple token issuers: https://github.com/spring-projects/spring-boot/issues/30108#issuecomment-1163292478

Regarding GitHub and OpenID: What is GitHub /.well-known/openid-configuration URL?. You can still use it as an OAuth2 provider, following the GitHub doc, but what GitHub produces as access-token is an opaque token (not a JWT). To check that the token is valid (issued by GitHub, has not expired, wasn't revoked, …) and get info about the authenticated user, you have to issue a request to the GitHub API, which is pretty limitative. You could use an OpenID authorization-server (like Keycloak) as identity broker, which would:

  • use Github (and others) as identity provider
  • provide your clients with JWT access-tokens (Postman, web apps, native mobile apps, etc.)
  • maybe centralise user roles management
User contributions licensed under: CC BY-SA
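
A sketch of a resource server that accepts JWTs from more than one issuer, as an added example that is not part of the original answer: it uses Spring Security's own `JwtIssuerAuthenticationManagerResolver` rather than the spring-addons library the answer recommends, and pins each trusted issuer to the audience the API expects. It assumes Spring Security 5.7 or later; the Keycloak URL, audiences and class name are constructed placeholders, and GitHub's opaque tokens are not handled here.

```java
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationManagerResolver;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.*;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider;
import org.springframework.security.oauth2.server.resource.authentication.JwtIssuerAuthenticationManagerResolver;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class MultiIssuerConfig {
    // Allowlist: trusted issuer -> expected audience (constructed placeholder values).
    private static final Map<String, String> TRUSTED = Map.of(
        "https://accounts.google.com", "example-client-id.apps.googleusercontent.com",
        "https://keycloak.example.test/realms/demo", "example-api");

    private final Map<String, AuthenticationManager> managers = new ConcurrentHashMap<>();

    // The "iss" claim is read before the signature is checked, so it is only
    // used to pick a decoder from the allowlist; unknown issuers get null,
    // which the resolver turns into an invalid-token error.
    private AuthenticationManager managerFor(String issuer) {
        String audience = TRUSTED.get(issuer);
        if (audience == null) return null;
        return managers.computeIfAbsent(issuer, iss -> {
            // Fetches the issuer's OpenID metadata and JWK set on first use.
            NimbusJwtDecoder decoder = (NimbusJwtDecoder) JwtDecoders.fromIssuerLocation(iss);
            OAuth2TokenValidator<Jwt> audienceCheck = new JwtClaimValidator<List<String>>(
                JwtClaimNames.AUD, aud -> aud != null && aud.contains(audience));
            decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(
                JwtValidators.createDefaultWithIssuer(iss), audienceCheck));
            return new JwtAuthenticationProvider(decoder)::authenticate;
        });
    }

    @Bean
    SecurityFilterChain api(HttpSecurity http) throws Exception {
        AuthenticationManagerResolver<String> byIssuer = this::managerFor;
        http.authorizeHttpRequests(a -> a.anyRequest().authenticated())
            .oauth2ResourceServer(o -> o.authenticationManagerResolver(
                new JwtIssuerAuthenticationManagerResolver(byIssuer)));
        return http.build();
    }
}
```

Without the per-issuer audience check, a token that a trusted issuer minted for some other client would also be accepted by this API.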