By Syed Rizwan

5-building-a-secure-api-with-oauth-20-and-jwt-in-a-spring-boot-application.html

Building a Secure API with OAuth 2.0 and JWT in a Spring Boot Application

In today's digital landscape, securing your application is more critical than ever. As more services interact through APIs, ensuring that only authenticated users can access sensitive information is paramount. This is where OAuth 2.0 and JSON Web Tokens (JWT) come into play. In this article, we’ll guide you through building a secure API using OAuth 2.0 and JWT in a Spring Boot application.

Understanding the Basics

What is OAuth 2.0?

OAuth 2.0 is an authorization framework that allows third-party applications to obtain limited access to user accounts on an HTTP service. It provides a way to grant access without sharing the user's credentials directly.

What is JWT?

JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure.

Why Use OAuth 2.0 and JWT Together?

  • Security: OAuth 2.0 provides a secure mechanism for authorization, while JWT allows for secure transmission of information between parties.
  • Statelessness: JWTs are stateless, meaning they do not require server-side sessions, which is ideal for microservices architecture.
  • Interoperability: JWTs can be used across different platforms and programming languages.

Use Cases for OAuth 2.0 and JWT

  • Single Sign-On (SSO): Users can authenticate once and gain access to multiple applications.
  • Mobile Applications: Secure APIs for mobile apps to authenticate users without storing credentials.
  • Microservices: Secure communication between microservices without the need for a centralized authentication server.

Step-by-Step Guide to Implementing OAuth 2.0 and JWT in Spring Boot

Step 1: Set Up Your Spring Boot Application

Start by creating a new Spring Boot project using Spring Initializr. Include the following dependencies:

  • Spring Web
  • Spring Security
  • Spring Data JPA
  • H2 Database (for testing)
  • Spring Security OAuth2

Your pom.xml should look something like this:

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
</dependency>
<dependency>
    <groupId>com.fasterxml.jackson.datatype</groupId>
    <artifactId>jackson-datatype-jsr310</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-data-jpa</artifactId>
</dependency>
<dependency>
    <groupId>com.h2database</groupId>
    <artifactId>h2</artifactId>
    <scope>runtime</scope>
</dependency>

Step 2: Configure Spring Security

Create a configuration class to set up security for your application.

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf().disable()
            .authorizeRequests()
            .antMatchers("/public/**").permitAll()
            .anyRequest().authenticated()
            .and()
            .oauth2ResourceServer()
            .jwt();
    }
}

Step 3: Implement JWT Generation

You’ll need to create a service that generates JWT tokens upon user authentication. 

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import org.springframework.stereotype.Service;

import java.util.Date;
import java.util.HashMap;
import java.util.Map;

@Service
public class JwtService {

    private final String SECRET_KEY = "secret"; // Use a strong key in production
    private final long EXPIRATION_TIME = 86400000; // 1 day

    public String generateToken(String username) {
        Map<String, Object> claims = new HashMap<>();
        return createToken(claims, username);
    }

    private String createToken(Map<String, Object> claims, String subject) {
        return Jwts.builder()
                .setClaims(claims)
                .setSubject(subject)
                .setIssuedAt(new Date(System.currentTimeMillis()))
                .setExpiration(new Date(System.currentTimeMillis() + EXPIRATION_TIME))
                .signWith(SignatureAlgorithm.HS256, SECRET_KEY)
                .compact();
    }

    public boolean validateToken(String token, String username) {
        final String extractedUsername = extractUsername(token);
        return (extractedUsername.equals(username) && !isTokenExpired(token));
    }

    private boolean isTokenExpired(String token) {
        return extractExpiration(token).before(new Date());
    }

    private Date extractExpiration(String token) {
        return Jwts.parser().setSigningKey(SECRET_KEY).parseClaimsJws(token).getBody().getExpiration();
    }

    private String extractUsername(String token) {
        return Jwts.parser().setSigningKey(SECRET_KEY).parseClaimsJws(token).getBody().getSubject();
    }
}

Step 4: Create Authentication Endpoint

Set up an endpoint where users can authenticate and receive a JWT.

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.web.bind.annotation.*;

@RestController
@RequestMapping("/auth")
public class AuthController {

    @Autowired
    private AuthenticationManager authenticationManager;

    @Autowired
    private JwtService jwtService;

    @PostMapping("/login")
    public String login(@RequestBody AuthRequest authRequest) {
        try {
            Authentication authentication = authenticationManager.authenticate(
                new UsernamePasswordAuthenticationToken(authRequest.getUsername(), authRequest.getPassword())
            );
            return jwtService.generateToken(authRequest.getUsername());
        } catch (AuthenticationException e) {
            throw new RuntimeException("Invalid credentials");
        }
    }
}

Step 5: Testing the API

Use tools like Postman or cURL to test your API. Send a POST request to /auth/login with a JSON body containing the username and password. If successful, you will receive a JWT token, which you can use to access protected endpoints.

{
    "username": "user",
    "password": "password"
}

Conclusion

Building a secure API using OAuth 2.0 and JWT in a Spring Boot application significantly enhances the security of your application. By following this guide, you’ve learned how to implement JWT-based authentication, effectively securing your resources.

Implementing these techniques ensures that your application is not only robust but also scalable and secure. Make sure to adopt best practices for secure coding and keep your libraries updated to mitigate potential vulnerabilities. The combination of OAuth 2.0 and JWT is a powerful approach to API security, making it a vital skill for any developer in today’s tech-driven world.

SR
Syed
Rizwan

About the Author

Syed Rizwan is a Machine Learning Engineer with 5 years of experience in AI, IoT, and Industrial Automation.