By Syed Rizwan

4-securing-apis-with-oauth-20-and-jwt-authentication-in-spring-boot.html

Securing APIs with OAuth 2.0 and JWT Authentication in Spring Boot

In today's digital landscape, securing APIs is more crucial than ever. With the rise of mobile applications and microservices, developers need robust methods to protect sensitive data. OAuth 2.0 and JSON Web Tokens (JWT) are two of the most widely adopted standards for securing APIs. This article will guide you through the process of securing your Spring Boot applications using OAuth 2.0 and JWT authentication, providing you with a solid foundation to implement these technologies effectively.

Understanding OAuth 2.0 and JWT

What is OAuth 2.0?

OAuth 2.0 is an authorization framework that allows third-party applications to obtain limited access to an HTTP service. It does this by enabling resource owners to authorize third-party access to their server resources without sharing their credentials. Here are some key points about OAuth 2.0:

  • Delegated Access: Users can grant access to their resources without sharing their login credentials.
  • Token-Based Authentication: Instead of using credentials, OAuth 2.0 uses access tokens to authenticate and authorize users.
  • Different Grant Types: OAuth 2.0 supports several grant types, including Authorization Code, Implicit, Resource Owner Password Credentials, and Client Credentials.

What is JWT?

JSON Web Tokens (JWT) are an open standard (RFC 7519) for securely transmitting information between parties as a JSON object. They can be used for authentication and information exchange. Key characteristics of JWT include:

  • Compact: JWTs are small in size, making them easy to pass in URLs, HTTP headers, or cookies.
  • Self-Contained: JWTs contain all the necessary information about the user, reducing the need for database lookups.
  • Signed and Optional Encrypted: JWTs can be signed (to verify the sender) or encrypted (to protect the contents).

Setting Up Your Spring Boot Application

To implement OAuth 2.0 with JWT in a Spring Boot application, follow these steps.

Step 1: Create a Spring Boot Application

Start by creating a new Spring Boot application. You can do this using Spring Initializr (https://start.spring.io/) or by using your IDE. Include the following dependencies:

  • Spring Web
  • Spring Security
  • Spring Boot DevTools
  • Spring Data JPA (if you plan to use a database)
  • OAuth2 Resource Server

Step 2: Add Required Dependencies

In your pom.xml (for Maven) or build.gradle (for Gradle) file, include the following dependencies:

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
</dependency>
<dependency>
    <groupId>io.jsonwebtoken</groupId>
    <artifactId>jjwt</artifactId>
    <version>0.9.1</version>
</dependency>

Step 3: Configure Security

To secure your API, you need to configure Spring Security. Create a configuration class as shown below:

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
            .antMatchers("/api/public").permitAll()
            .anyRequest().authenticated()
            .and()
            .oauth2ResourceServer()
            .jwt();
    }
}

This configuration does the following:

  • Allows unauthenticated access to /api/public.
  • Requires authentication for all other requests.
  • Configures the application as an OAuth2 Resource Server that accepts JWT.

Step 4: Generate JWT Tokens

To generate JWT tokens during authentication, create a utility class:

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import org.springframework.stereotype.Component;

import java.util.Date;

@Component
public class JwtUtil {

    private final String SECRET_KEY = "your_secret_key"; // Use a strong key in production
    private final long EXPIRATION_TIME = 86400000; // 1 day

    public String generateToken(String username) {
        return Jwts.builder()
                .setSubject(username)
                .setIssuedAt(new Date(System.currentTimeMillis()))
                .setExpiration(new Date(System.currentTimeMillis() + EXPIRATION_TIME))
                .signWith(SignatureAlgorithm.HS256, SECRET_KEY)
                .compact();
    }

    public boolean validateToken(String token, String username) {
        final String extractedUsername = extractUsername(token);
        return (extractedUsername.equals(username) && !isTokenExpired(token));
    }

    public String extractUsername(String token) {
        return extractAllClaims(token).getSubject();
    }

    private Claims extractAllClaims(String token) {
        return Jwts.parser().setSigningKey(SECRET_KEY).parseClaimsJws(token).getBody();
    }

    private boolean isTokenExpired(String token) {
        return extractAllClaims(token).getExpiration().before(new Date());
    }
}

Step 5: Create an Authentication Controller

To handle user authentication and token generation, create a controller:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.*;

@RestController
@RequestMapping("/api/auth")
public class AuthController {

    @Autowired
    private JwtUtil jwtUtil;

    @PostMapping("/login")
    public ResponseEntity<?> login(@RequestBody AuthRequest authRequest) {
        // Authenticate user (validate username and password)
        // If successful, generate JWT
        String token = jwtUtil.generateToken(authRequest.getUsername());
        return ResponseEntity.ok(new AuthResponse(token));
    }
}

Step 6: Testing Your API

You can test your API using tools like Postman or curl. Make a POST request to /api/auth/login with the necessary credentials. If authentication is successful, you will receive a JWT token that you can use to access secured endpoints.

Conclusion

Securing your APIs with OAuth 2.0 and JWT in Spring Boot is an essential practice for any developer looking to protect sensitive data. By following the steps outlined in this article, you can create a robust authentication mechanism that enhances the security of your applications. Remember to always use strong secret keys and keep your dependencies up to date to mitigate vulnerabilities. With these tools and best practices, you can confidently build secure APIs that protect your users and their data.

SR
Syed
Rizwan

About the Author

Syed Rizwan is a Machine Learning Engineer with 5 years of experience in AI, IoT, and Industrial Automation.