
Does Spring Security Oauth2 Client handles refresh token automatically from Spring Authorization Server?


I'm trying to create an application using NextJS + Java with Spring as my backend and I have been trying the new Spring Authorization Server alongside a BFF app with Spring Gateway and Spring Security Oauth2 Client.

I have recently been studying this sample to try to implement a Backend for Frontend pattern for my own app and I got into a few questions around the Spring Security Oauth2 Client.

  1. I have read this and it appears that it indeed handles the authorization code, refresh token and client credentials automatically, as shown in the following piece of code, but my question is whether it really handles everything on its own, especially refreshing the token and such. I've read about it, but it's my first time around OAuth2 Client and I wanted to be really sure about it, or whether I'm completely lost.

    @Bean
    @Primary // Needed because of GatewayReactiveOAuth2AutoConfiguration
    public ReactiveOAuth2AuthorizedClientManager authorizedClientManager(
            ReactiveClientRegistrationRepository clientRegistrationRepository,
            ServerOAuth2AuthorizedClientRepository authorizedClientRepository) {

        // Grant types the manager may use to obtain or renew an access token
        ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider =
                ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
                        .authorizationCode()
                        .refreshToken()
                        .clientCredentials()
                        .build();

        // Loads/saves authorized clients through the given repository
        DefaultReactiveOAuth2AuthorizedClientManager authorizedClientManager =
                new DefaultReactiveOAuth2AuthorizedClientManager(
                        clientRegistrationRepository, authorizedClientRepository);
        authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);

        return authorizedClientManager;
    }

  2. The second question is, since the Spring Authorization Server saves the RegisteredClient, Authorization and AuthorizationConsent, should the Backend For Frontend application store the tokens in a database somehow? I see those repositories in the code above and I don't know whether I need to implement them and save anything. I'm confused about how it works in a production environment if I have to spin up multiple pods with the BFF or the Auth Server, and how to handle the session between my frontend and the BFF correctly when dealing with multiple BFF instances.


Solution

  • Generally speaking, you will want to ask each question separately. The title suggests you’re focused on refresh tokens but you added a second question regarding persistence. Having said that, I think the answers are straightforward so we can give it a go.

    #1:

    To some degree, this is easily answered by trying out the sample. It’s easy to skip but it’s an important step. The sample repo includes a gateway/bff, a JavaScript client (angular), a resource server and an authorization server so you can run all of them and try it out. It’s not completely up to date though so for now I’d suggest running it as is without changes first.

    But the short answer is yes, Spring Security OAuth2 Client handles the refresh token.

    There are multiple patterns available demonstrated in the repo (check the commits) but the simplest is to use the TokenRelay in spring cloud gateway to get started. See the webinar for more context on that sample.

    #2:

    Persistence is a nuanced topic because it usually depends on your environment and what database or persistence is available or required by your organization. When getting started (like it sounds like you are) it’s ok to ignore persistence until you’ve learned enough to be comfortable with the other complicated topics such as OAuth, Spring Security, architecture, etc.

    Of course if you are getting ready to go to production it’s definitely time to think about it. In that case, yes the bff should have a backing data store. You’ll want to review the core components section of the docs, focusing on the ServerOAuth2AuthorizedClientRepository interface. You will implement it to store and retrieve authorized clients in your database for the bff.

    Hopefully that answers the question, as you indicate some general confusion and I’m uncertain what the question(s) might be. You’ll want to ask separate questions for each point as you learn more.
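As an added example (not code from the question, the answer or the Spring sample), here is a ServerOAuth2AuthorizedClientRepository for the BFF that keeps authorized clients in a store shared by all instances instead of in the WebSession, which is where the default reactive repository keeps them. The ConcurrentHashMap and the StoredClient record are stand-ins for the table you would actually persist to, and the class name is made up.

```java
import java.time.Instant;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.registration.ReactiveClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.server.ServerOAuth2AuthorizedClientRepository;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.core.OAuth2RefreshToken;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;

public class SharedStoreAuthorizedClientRepository implements ServerOAuth2AuthorizedClientRepository {
    // Per-user state every BFF pod must agree on; ClientRegistration is configuration, so it is not persisted.
    record StoredClient(String accessToken, Instant issuedAt, Instant expiresAt, Set<String> scopes,
                        String refreshToken, Instant refreshIssuedAt) {}
    private final ReactiveClientRegistrationRepository registrations;
    // Stand-in for the shared database; in a real store both token values should be encrypted at rest.
    private final ConcurrentHashMap<String, StoredClient> store = new ConcurrentHashMap<>();
    public SharedStoreAuthorizedClientRepository(ReactiveClientRegistrationRepository registrations) { this.registrations = registrations; }

    // Key on registration id + principal name, not the session id, so any pod resolves the same row.
    private static String key(String registrationId, Authentication principal) {
        return registrationId + ":" + principal.getName();
    }

    @Override
    public <T extends OAuth2AuthorizedClient> Mono<T> loadAuthorizedClient(String registrationId, Authentication principal, ServerWebExchange exchange) {
        return Mono.justOrEmpty(store.get(key(registrationId, principal)))
                .flatMap(s -> registrations.findByRegistrationId(registrationId).map(reg -> (T) new OAuth2AuthorizedClient(
                        reg, principal.getName(),
                        new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER, s.accessToken(), s.issuedAt(), s.expiresAt(), s.scopes()),
                        s.refreshToken() == null ? null : new OAuth2RefreshToken(s.refreshToken(), s.refreshIssuedAt()))));
    }

    @Override
    public Mono<Void> saveAuthorizedClient(OAuth2AuthorizedClient c, Authentication principal, ServerWebExchange exchange) {
        // The manager calls this after the code exchange and again after each refresh, so a rotated refresh token replaces the old one.
        OAuth2AccessToken a = c.getAccessToken();
        OAuth2RefreshToken r = c.getRefreshToken();
        store.put(key(c.getClientRegistration().getRegistrationId(), principal), new StoredClient(
                a.getTokenValue(), a.getIssuedAt(), a.getExpiresAt(), a.getScopes(),
                r == null ? null : r.getTokenValue(), r == null ? null : r.getIssuedAt()));
        return Mono.empty();
    }

    @Override
    public Mono<Void> removeAuthorizedClient(String registrationId, Authentication principal, ServerWebExchange exchange) {
        return Mono.fromRunnable(() -> store.remove(key(registrationId, principal)));
    }
}
```

Register it as the ServerOAuth2AuthorizedClientRepository bean that the authorizedClientManager above receives; the session cookie between frontend and BFF still needs its own shared store (for example Spring Session) for the pods to recognise the same login.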