Search code examples
reactjsspring-bootspring-security-oauth2

Spring security OAuth2 new Authorization Server with PKCE with React JS front end

Spring Boot

My application is mainly based on spring boot micro services. Currently it uses OAuth with password grant_type which is deprecated in the latest spring security authorization server release. For receiving JWT token, it stores client id and client secret in React JS frontend which is not secure and not recommended. Users need to register to access certain resources and application maintains login credentials in mysql DB

I am trying to upgrade spring security and want 'account service' to act as authorization server to issue JWT tokens.

  1. Am I correct in my understanding that I need to use authorization_code grand type with PKCE?
  2. If I use PKCE then I do not need users to provide passwords while registering, is that correct? Storing only username/email should suffice because users just need to pass client ID and code_challenge to get authorization code?
Solution
    1. Am I correct in my understanding that I need to use authorization_code grand type with PKCE?

    The newest version of Spring Security mode introduces a new project for the Authorization server in the scope of Spring Security:

    <dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-oauth2-authorization-server</artifactId>
    <version>0.3.1</version>
</dependency>

    The authorization server from spring implements OAuth2.1 where as you mentioned, both PASSWORD and IMPLICIT grant types were removed comparing it to OAuth 2.0. Gran types supported in OAuth 2.1: 1

    • Authorization code + PKCE
    • client credentials
    • device grant type

    OAuth 2.1 provide authorization code + PKCE grant type but it's a little bit different from the previous.

    "The key difference between the PKCE flow and the standard Authorization Code flow is users aren’t required to provide a client_secret. (...) In place of the client_secret, the client app creates a unique string value, code_verifier, which it hashes and encodes as a code_challenge. When the client app initiates the first part of the Authorization Code flow, it sends a hashed code_challenge."

    2

    That type of grant type is recommended for SPA application so if you want to use the newest version of spring security you need to use it, because e.g. client credentials are reserved for machine-to-machine communication when one service needs to communicate with another service without of user's knowledge.

    1. If I use PKCE then I do not need users to provide passwords while registering, is that correct? Users need to authenticate themselves and that's a part of this grant-type flow.

    Storing only username/email should suffice because users just need to pass client ID and code_challenge to get an authorization code? ClientID and generated code_challenge (should be generated by the client) is something that identifies the client not the resource owner, so user while authorized shouldn't provide this type of info.