Spring Authorization Server. What's the difference between RegistredClient and UserDetails?
On their Getting started guide, reference, Spring Authorization Server have a piece of code where they declare two beans - UserDetailsService and RegistredClientRepository. I wanted to play around retrieving some tokens from the server. I tried using postman. Within authorization tab I entered the values from the guide:
it answered with:
So then I tried inputting client credentials from RegistredClientRepository entry:
And it worked.
So my question is: what is the purpose of UserDetails and RegistredClient being both available in this case?
And another little bit off-topic question: if I create my own authorization server for client credentials flow between my servers, how does every server know that token belongs to legitimate server and not to some attacker who can just register with needed clientId if there's an opportunity? How can resource server actually verify that token owner is the server it trusts?
Generally in oauth2, a "client" is an application which users might use to interface with some service - for example something like an App people can install on their phones or a web application.
Most oauth2 implementations have "scopes" (basically defined sets of access rights). Clients (client applications) are registered with some metadata (name, author, ...), a set of scopes they might use and some details to improve security - like "where is that application hosted" (in form of "which redirect URIs are valid"), client ID and client secret.
Depending on the oauth2 flow chosen, your App needs to prove being that app by some means - e.g. by having a valid combination of client ID and redirect URI or by doing HTTP basic auth with their client ID as username and client secret as password when exchanging a "code" for a "token".
All this was about clients - now about users: they are what you would expect, the users of a service - like you and me are users on Stackoverflow.com
And another little bit off-topic question: if I create my own authorization server for client credentials flow between my servers, how does every server know that token belongs to legitimate server and not to some attacker who can just register with needed clientId if there's an opportunity? How can resource server actually verify that token owner is the server it trusts?
for this you could either use a form of signed tokens (look at e.g. JWT) or store the currently valid tokens per user in a database reachable by all your servers - both have pro's and con's, tokens in a database are easier to revoke, while signed tokens don't require you to store any state in a database (which can be expensive in big distributed systems)
Update - OP actually wants to do server-to-server authentication, see comments below
Server-to-server authentication can often work very well without any extra authentication server, in cases where your parties a less dynamic - like when you always have "those three servers" and they don't come and go very often.
In such cases, using a simple token is probably better and easier than using an oauth2 stack. Each server could just have a list of randomly generated strings in its config file, let's call this "the set of valid tokens" and also knows which token to send when communicating with a specific other server. When a request comes in, the server checks if the given token is in its set of valid tokens - done.
- Simple way templating multiline strings in java code
- Unsafe or unchecked operations for ArrayList
- Consistent time zone for date comparison
- How to convert a .nfo file to .fff file
- Bash command to check if Oracle or OpenJDK java version is installed on Linux
- Between Runtime and compile time jdk version , which one can be greater
- I get an error: An unexpected error occurred while trying to open file hola.jar
- Issue to list names of files from `resources` directory. (in JAR/EXE application)
- space is not allowed after parameter prefix ':' in SpEL support in Spring Data JPA @Query definitions
- Spring Boot Fails to Start after First Boot
- Null exception @Service in a spring @RestController using constructor injection
- How to print sequence of characters according to the number next to it?
- Idiomatic way to use for-each loop given an iterator?
- java jdb does not display code lines in step output
- Set Chrome's language using Selenium ChromeDriver
- a collection data structure to keep items sorted
- In Intellij IDEA 14.1.4: Cannot run program "C:/Program Files (x86)/Java/jdk1.8.0_45/bin/java"
- Using JDK that is bundled inside Android Studio as JAVA_HOME on Mac
- Gatling Java request to be called only once to retrieve login information for other requests that are executed multiple times
- How to fix Eclipse autocomplete not working
- Trying to send a message to a queue on weblogic
- logging.file.max-history is not working in Spring Boot
- How can I find the most frequent word in a huge amount of words (eg. 900000)
- Swapping positions of duplicate values in array (Java)
- Java - sending POST
- Dynamically adding JTable to JScrollPane
- How can I change the database table column order?
- Efficient Ways To Display Messages In RecyclerView
- How to get filtered results based on two columns from a single table using Specification and Criteria Builder in Spring Boot
- Rabbit mq error: Getting Exception in thread "main" java.io.IOException Caused by: com.rabbitmq.client.ShutdownSignalException