How to secure communication between 2 Spring Boot microservices using OAuth2?

Overview

You will need client credential grant type flow to communicate between apps. Spring has built in support for well known providers like facebook, google and so on. In our case we provide our own authorization server.

Note - Client credential doesn't return a refresh token as per spec - so make sure you ask for new access token when the current access token is expired.

Client

application properties

security.basic.enabled=false

server.port=8082

spring.security.oauth2.client.registration.server.client-id=first-client
spring.security.oauth2.client.registration.server.client-secret=noonewilleverguess

spring.security.oauth2.client.registration.server.client-authentication-method=basic
spring.security.oauth2.client.registration.server.authorization-grant-type=client_credentials
spring.security.oauth2.client.registration.server.scope=read

spring.security.oauth2.client.provider.server.token-uri=http://server:8080/oauth/token

main class

@SpringBootApplication
public class App {

    public static void main(String[] args) {
        SpringApplication.run(App.class, args);
    }

    @Bean
    RestTemplate restTemplate(RestTemplateBuilder builder) {
        return builder.build();
    }
}

credential client grant flow configuration

@Configuration
public class OauthClientCredentialConfig {
    @Bean
    public OAuth2AuthorizedClientManager authorizedClientManager(ClientRegistrationRepository clientRegistrationRepository) {
            OAuth2AuthorizedClientService service =
                    new InMemoryOAuth2AuthorizedClientService(clientRegistrationRepository);
            AuthorizedClientServiceOAuth2AuthorizedClientManager authorizedClientManager =
                    new AuthorizedClientServiceOAuth2AuthorizedClientManager(clientRegistrationRepository, service);
            OAuth2AuthorizedClientProvider authorizedClientProvider =
                    OAuth2AuthorizedClientProviderBuilder.builder()
                            .clientCredentials()
                            .build();
            authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
            return authorizedClientManager;
    }
}

pom dependencies

<dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>
    
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-oauth2-client</artifactId>
</dependency>

rest client

@Getter
@RequiredArgsConstructor
@Slf4j
@Component
public class ApiClient {

    private static final String AUTHORIZATION_HEADER = "Authorization";
    private final RestTemplate restTemplate;
    private final OAuth2AuthorizedClientManager authorizedClientManager;

    public String invokeApi(String path) {
        UriComponentsBuilder builder = UriComponentsBuilder.fromHttpUrl("http://server:8080").path(path);

        RequestEntity.BodyBuilder requestBuilder =
                RequestEntity.method(HttpMethod.GET, builder.build().toUri());

        requestBuilder.contentType(MediaType.APPLICATION_JSON);

        Authentication principal = SecurityContextHolder.getContext().getAuthentication();

        OAuth2AuthorizeRequest oAuth2AuthorizeRequest =
            OAuth2AuthorizeRequest.withClientRegistrationId("server")
                .principal(principal.getName())
                .build();

        requestBuilder.header(AUTHORIZATION_HEADER, "Bearer " + authorizedClientManager.authorize(oAuth2AuthorizeRequest).getAccessToken().getTokenValue());

        RequestEntity<Object> requestEntity = requestBuilder.body(null);

        return restTemplate.exchange(requestEntity, String.class).getBody();
    }
}

Authorization and Resource Server

Note for authorization and resource server we are using legacy version as there is no support to create authorization server in new spring security oauth2 module.

Configuration

@EnableWebSecurity
public class Security extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.requestMatchers()
                .antMatchers("/oauth/token")
                .and()
                .authorizeRequests()
                .anyRequest().authenticated();
    }

}

@EnableAuthorizationServer
@EnableResourceServer
@SpringBootApplication
public class App {

    public static void main(String[] args) {
        SpringApplication.run(App.class, args);
    }

}

Auth Server Config

@Import(AuthorizationServerEndpointsConfiguration.class)
@Configuration
@Order(2)
@RequiredArgsConstructor
public class AuthServerConfig extends AuthorizationServerConfigurerAdapter {

    private final TokenStore tokenStore;

    private final AccessTokenConverter accessTokenConverter;

    @Bean
    public PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients
            .inMemory()
                .withClient("first-client")
                .secret(passwordEncoder().encode("noonewilleverguess"))
                .scopes("read")
                .authorizedGrantTypes("client_credentials")
                .scopes("resource-server-read", "resource-server-write");
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
        endpoints
            .accessTokenConverter(accessTokenConverter)
            .tokenStore(tokenStore);
    }

}

Jwt Config

@Configuration
public class JwtTokenConfig {
    @Bean
    public KeyPair keyPair() throws NoSuchAlgorithmException {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair keyPair = gen.generateKeyPair();
        return keyPair;
    }

    @Bean
    public TokenStore tokenStore() throws NoSuchAlgorithmException {
        return new JwtTokenStore(accessTokenConverter());
    }

    @Bean
    public JwtAccessTokenConverter accessTokenConverter() throws NoSuchAlgorithmException {
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        converter.setKeyPair(keyPair());
        return converter;
    }
}

pom

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.security.oauth</groupId>
    <artifactId>spring-security-oauth2</artifactId>
    <version>2.4.0.RELEASE</version>
</dependency>
<dependency>
     <groupId>org.springframework.security.oauth.boot</groupId>
     <artifactId>spring-security-oauth2-autoconfigure</artifactId>
     <version>2.2.4.RELEASE</version>
</dependency>
<dependency>
     <groupId>org.springframework.security</groupId>
     <artifactId>spring-security-jwt</artifactId>
     <version>1.1.0.RELEASE</version>
</dependency>
<dependency>
     <groupId>com.nimbusds</groupId>
     <artifactId>nimbus-jose-jwt</artifactId>
     <version>8.6</version>
</dependency>

I've added a working example at

https://github.com/saagar2000/oauth2_server

https://github.com/saagar2000/oauth2_client

Response with valid access token

More explanation can be found here

Microservice Architecture

The ideal way or commonly preferred way is the API Gateway Pattern for the microservices however it may change according to the projects and requirements. Let's consider the following components

Config Server: Responsible to manage the configurations for the microservices and we may change the configurations dynamically using spring cloud features with a common bus interface with Kafka or RabbitMQ

API Gateway: This will be the common entry point to manage the REST request for other services. We can manage the requests using a load balancer here. Also, we can serve the UI from the API Gateway.

Authentication Service (UAA): This should be responsible for managing the user management and related activity. This is where you will add @EnableAuthorizationServer and extend AuthorizationServerConfigurerAdapter

 @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        int accessTokenValidity = uaaProperties.getWebClientConfiguration().getAccessTokenValidityInSeconds();
        accessTokenValidity = Math.max(accessTokenValidity, MIN_ACCESS_TOKEN_VALIDITY_SECS);
        int refreshTokenValidity = uaaProperties.getWebClientConfiguration().getRefreshTokenValidityInSecondsForRememberMe();
        refreshTokenValidity = Math.max(refreshTokenValidity, accessTokenValidity);
        /*
        For a better client design, this should be done by a ClientDetailsService (similar to UserDetailsService).
         */
        clients.inMemory()
            .withClient(uaaProperties.getWebClientConfiguration().getClientId())
            .secret(passwordEncoder.encode(uaaProperties.getWebClientConfiguration().getSecret()))
            .scopes("openid")
            .autoApprove(true)
            .authorizedGrantTypes("implicit","refresh_token", "password", "authorization_code")
            .accessTokenValiditySeconds(accessTokenValidity)
            .refreshTokenValiditySeconds(refreshTokenValidity)
            .and()
            .withClient(applicationProperties.getSecurity().getClientAuthorization().getClientId())
            .secret(passwordEncoder.encode(applicationProperties.getSecurity().getClientAuthorization().getClientSecret()))
            .scopes("web-app")
            .authorities("ROLE_GA")
            .autoApprove(true)
            .authorizedGrantTypes("client_credentials")
            .accessTokenValiditySeconds((int) jHipsterProperties.getSecurity().getAuthentication().getJwt().getTokenValidityInSeconds())
            .refreshTokenValiditySeconds((int) jHipsterProperties.getSecurity().getAuthentication().getJwt().getTokenValidityInSecondsForRememberMe());
    }

Service 1, Service 2... This will be the microservice to manage the business logic and requirements which is commonly known as Resource Server which can be configured with ResourceServerConfigurerAdapter

Diagram

Managing Access and Refresh Tokens

As mentioned API Gateway is the common entry point for the requests. We can manage the login/logout API in the API Gateway. When the user performs the log in and we can manage the authorization grant type using authentication service and OAuth2TokenEndpointClient from org.springframework.security.oauth2.common.OAuth2AccessToken using OAuth2AccessToken sendPasswordGrant(String username, String password); and OAuth2AccessToken sendRefreshGrant(String refreshTokenValue); methods.

The authentication service will provide the OAuth2AccessToken based on the configurations and login users. Inside OAuth2AccessToken you will get access_token, refresh_token, OAuth2, expires_in, scope.

At the time of authentication, two JWTs will be created - access token and refresh token. Refresh token will have longer validity. Both the tokens will be written in cookies so that they are sent in every subsequent request.

On every REST API call, the tokens will be retrieved from the HTTP header. If the access token is not expired, check the privileges of the user and allow access accordingly. If the access token is expired but the refresh token is valid, recreate new access token and refresh token with new expiry dates and sent back through Cookies

/**
     * Authenticate the user by username and password.
     *
     * @param request  the request coming from the client.
     * @param response the response going back to the server.
     * @param loginVM   the params holding the username, password and rememberMe.
     * @return the {@link OAuth2AccessToken} as a {@link ResponseEntity}. Will return {@code OK (200)}, if successful.
     * If the UAA cannot authenticate the user, the status code returned by UAA will be returned.
     */
    public ResponseEntity<OAuth2AccessToken> authenticate(HttpServletRequest request, HttpServletResponse response,
                                                          LoginVM loginVM) {
        try {
            String username = loginVM.getUsername();
            String password = loginVM.getPassword();
            boolean rememberMe = loginVM.isRememberMe();
            OAuth2AccessToken accessToken = authorizationClient.sendPasswordGrant(username, password);
            OAuth2Cookies cookies = new OAuth2Cookies();
            cookieHelper.createCookies(request, accessToken, rememberMe, cookies);
            cookies.addCookiesTo(response);
            if (log.isDebugEnabled()) {
                log.debug("successfully authenticated user {}", username);
            }
            return ResponseEntity.ok(accessToken);
        } catch (HttpStatusCodeException in4xx) {
            throw new UAAException(ErrorConstants.BAD_CREDENTIALS);
        }
        catch (ResourceAccessException in5xx) {
            throw new UAAException(ErrorConstants.UAA_APPLICATION_IS_NOT_RESPONDING);
        }
    }

    /**
     * Try to refresh the access token using the refresh token provided as cookie.
     * Note that browsers typically send multiple requests in parallel which means the access token
     * will be expired on multiple threads. We don't want to send multiple requests to UAA though,
     * so we need to cache results for a certain duration and synchronize threads to avoid sending
     * multiple requests in parallel.
     *
     * @param request       the request potentially holding the refresh token.
     * @param response      the response setting the new cookies (if refresh was successful).
     * @param refreshCookie the refresh token cookie. Must not be null.
     * @return the new servlet request containing the updated cookies for relaying downstream.
     */
    public HttpServletRequest refreshToken(HttpServletRequest request, HttpServletResponse response, Cookie
        refreshCookie) {
        //check if non-remember-me session has expired
        if (cookieHelper.isSessionExpired(refreshCookie)) {
            log.info("session has expired due to inactivity");
            logout(request, response);       //logout to clear cookies in browser
            return stripTokens(request);            //don't include cookies downstream
        }
        OAuth2Cookies cookies = getCachedCookies(refreshCookie.getValue());
        synchronized (cookies) {
            //check if we have a result from another thread already
            if (cookies.getAccessTokenCookie() == null) {            //no, we are first!
                //send a refresh_token grant to UAA, getting new tokens
                String refreshCookieValue = OAuth2CookieHelper.getRefreshTokenValue(refreshCookie);
                OAuth2AccessToken accessToken = authorizationClient.sendRefreshGrant(refreshCookieValue);
                boolean rememberMe = OAuth2CookieHelper.isRememberMe(refreshCookie);
                cookieHelper.createCookies(request, accessToken, rememberMe, cookies);
                //add cookies to response to update browser
                cookies.addCookiesTo(response);
            } else {
                log.debug("reusing cached refresh_token grant");
            }
            //replace cookies in original request with new ones
            CookieCollection requestCookies = new CookieCollection(request.getCookies());
            requestCookies.add(cookies.getAccessTokenCookie());
            requestCookies.add(cookies.getRefreshTokenCookie());
            return new CookiesHttpServletRequestWrapper(request, requestCookies.toArray());
        }
    }

Secured Communication between Microservices

We can communicate between the service using the FeignClient and can secure the communication by customizing the configurations. See Class<?>[] configuration() default OAuth2UserClientFeignConfiguration.class;

Here we have enhanced default @FeignClient with AuthorizedUserFeignClient interface which consists of custom configuration as OAuth2UserClientFeignConfiguration which consists of @Bean for UserFeignClientInterceptor which manage the autehication using the headers

AuthorizedUserFeignClient.java

@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.TYPE)
@Documented
@FeignClient
public @interface AuthorizedUserFeignClient {

    @AliasFor(annotation = FeignClient.class, attribute = "name")
    String name() default "";

    /**
     * A custom {@code @Configuration} for the feign client.
     *
     * Can contain override {@code @Bean} definition for the pieces that make up the client, for instance {@link
     * feign.codec.Decoder}, {@link feign.codec.Encoder}, {@link feign.Contract}.
     *
     * @see FeignClientsConfiguration for the defaults.
     */
    @AliasFor(annotation = FeignClient.class, attribute = "configuration")
    Class<?>[] configuration() default OAuth2UserClientFeignConfiguration.class;

    /**
     * An absolute URL or resolvable hostname (the protocol is optional).
     */
    String url() default "";

    /**
     * Whether 404s should be decoded instead of throwing FeignExceptions.
     */
    boolean decode404() default false;

    /**
     * Fallback class for the specified Feign client interface. The fallback class must implement the interface
     * annotated by this annotation and be a valid Spring bean.
     */
    Class<?> fallback() default void.class;

    /**
     * Path prefix to be used by all method-level mappings. Can be used with or without {@code @RibbonClient}.
     */
    String path() default "";
}

UserFeignClientInterceptor.java

public class UserFeignClientInterceptor implements RequestInterceptor{

    private static final String AUTHORIZATION_HEADER = "Authorization";

    private static final String BEARER_TOKEN_TYPE = "Bearer";

    @Override
    public void apply(RequestTemplate template) {

        SecurityContext securityContext = SecurityContextHolder.getContext();
        Authentication authentication = securityContext.getAuthentication();

        if (authentication != null && authentication.getDetails() instanceof OAuth2AuthenticationDetails) {

            OAuth2AuthenticationDetails details = (OAuth2AuthenticationDetails) authentication.getDetails();
            template.header(AUTHORIZATION_HEADER, String.format("%s %s", BEARER_TOKEN_TYPE, details.getTokenValue()));
        }
    }
}

Might be helpful

Architecture Overview

Managing the authentication service

It is necessary differentiate between JWT token based authentication, it seems what you are trying to achieve, and OAuth2 authentication, a more complex subject.

For OAuth2 authentication, Spring framework provides support with the Spring Security OAuth project, but my best advice is that, if you actually need OAuth2 in your project, it is better use a third party OAuth2 provider, like Okta or Auth0, or one of the providers offered in the cloud - for instance, GCP OAuth clients, AWS Cognito, Azure AD applications, etcetera, or a product like Keycloak. All these products will provide you a robust OAuth2 implementation and libraries and mechanisms that will help you to integrate with them.

But it seems for the last paragraphs of your question that what you actually need is authenticate your microservices with JWT tokens.

Let's talk about the server side requirements first.

To accomplish this task, the first thing you need is a service that generates and validates JWT tokens. Maybe something like:

import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwts;

// ...

@Component
public class JWTService {

  // Get itfrom a configuration property, for instance
  @Value("${secretKey}")
  private String secretKey;

  @Value("${tokenValidityInMillis}")
  private Long tokenValidityInMillis;

  public String createToken(Authentication authentication) {
    long now = (new Date()).getTime();
    Date validity = new Date(now + this.tokenValidityInMillis);

    // Modify it as per your needs, defining claims, etcetera. For instance
    String authorities = authentication.getAuthorities().stream()
      .map(GrantedAuthority::getAuthority)
      .collect(Collectors.joining(","));

    return Jwts.builder()
      .setSubject(authentication.getName())
      .claim("authorities", authorities)
      // The signature algorithm you consider appropriate
      .signWith(SignatureAlgorithm.HS256, secretKey) 
      .setExpiration(validity)
      .compact();
  }

  public Authentication getAuthentication(String token) {
    try {
      Claims claims = Jwts.parser()
        .setSigningKey(secretKey)
        .parseClaimsJws(token)
        .getBody();

      // Get the authorities back
      Collection<? extends GrantedAuthority> authorities =
        Arrays.stream(claims.get("authorities").toString().split(","))
          .map(SimpleGrantedAuthority::new)
          .collect(Collectors.toList());

      User principal = new User(claims.getSubject(), "", authorities);

      return new PreAuthenticatedAuthenticationToken(principal, token, authorities);
    } catch (Exception e) {
      // Handle exceptions (expiration, invalid signature, etcetera)  as you wish
    }
    return null;
  }
}

You have several libraries for handling the actual JWT token stuff. The example is using jjwt.

Then, define a Controller that swap the provided credentials for an access token:

import org.springframework.security.authentication.AuthenticationManager;

//...

@RestController
public class AuthController {

  private final JWTService jwtService;

  private final AuthenticationManager authenticationManager;

  public AuthRestController(final JWTService jwtService, final AuthenticationManager authenticationManager) {
    this.jwtService = jwtService;
    this.authenticationManager = authenticationManager;
  }

  @PostMapping("/access-token")
  public ResponseEntity<JWTToken> swapAccessToken(@RequestBody LoginDTO loginDTO) {
    // Note we are passing a JSON object with two fields, username and password,
    // not actual HTTP parameters. Modify it according to your needs
    UsernamePasswordAuthenticationToken authenticationToken =
      new UsernamePasswordAuthenticationToken(loginDTO.getUsername(), loginDTO.getPassword());

    Authentication authentication = authenticationManager.authenticate(authenticationToken);
    String jwt = jwtService.createToken(authentication);
    return new ResponseEntity.ok(new JWTToken(jwt));
  }
}  

Where LoginDTO is a simple POJO for storing the username and password:

public class LoginDTO {

  private String username;

  private String password;

  // Getters and setters omitted for brevity
}

And JWTToken is just a convenient way to return the generated token as JSON instead of plain text:

public class JWTToken {

  private String idToken;

  JWTToken(String idToken) {
    this.idToken = idToken;
  }

  @JsonProperty("id_token")
  String getIdToken() {
    return idToken;
  }
}

The next thing you need is some mechanism that will validate the tokens when necessary. I think the best way you can achieve this is implementing a custom filter that performs the user authentication by inspecting the JWT token. For example:

public class JWTFilter extends GenericFilterBean {

  private final JWTService jwtService;

  public JWTFilter(final JWTService jwtService) {
    this.jwtService = jwtService;
  }

  @Override
  public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
    throws IOException, ServletException {
    HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
    String jwt = getTokenFromHttpRequest(httpServletRequest);
    if (jwt != null) {
      // We have a token, perform actual authentication
      Authentication authentication = this.jwtService.getAuthentication(jwt);
      // If success
      if (authentication != null) {
        SecurityContextHolder.getContext().setAuthentication(authentication);
      }
    }

    // Unsuccesful authentication, let the spring security chain continue and fail if necessary
    filterChain.doFilter(servletRequest, servletResponse);
  }

  // Look for token in an Authorization Bearer header
  private String getTokenFromHttpRequest(HttpServletRequest request){
    String bearerToken = request.getHeader("Authorization");
    if (bearerToken != null && bearerToken.startsWith("Bearer")) {
      return bearerToken.substring(7, bearerToken.length());
    }
    return null;
  }
}

All this components must be configured for the Spring Security. It probably need to be further adapted, but please, get the idea:

@Configuration
@RequiredArgsConstructor
public class SecurityConfigurer extends WebSecurityConfigurerAdapter {
    private final DemoApiConfiguration apiConfig;

    private final JWTService jwtService;

    private UserDetailsService userDetailsService;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
      // Probably you need to handle more stuff like configuring exception 
      // handling endpoints for access denied, stateless sessions, CORS, think about it...
      http
        .csrf().disable()
        .authorizeRequests()
          // Allow to swap the credentials for access token
          .antMatchers("/access-token").permitAll()
          // Require authentication for the rest of your API
          .anyRequest().authenticated();

      // Include your filter somewhere the Spring Security filter chain
      final JWTFilter jwtFilter = new JWTFilter(jwtService);
      http.addFilterBefore(jwtFilter, UsernamePasswordAuthenticationFilter.class);    
    }

    // This is an important step: as we are providing both username an
    // password and preauthenticated credentials, so we need to configure
    // AuthenticationManager that actually supports both authentication types
    // It will use your userDetailsService for validating 
    // the original provided credentials
    @Bean
    @Override
    public AuthenticationManager authenticationManager() {
      // Username and password validation
      DaoAuthenticationProvider daoAuthenticationProvider = new DaoAuthenticationProvider();
      daoAuthenticationProvider.setPasswordEncoder(passwordEncoder());
      daoAuthenticationProvider.setUserDetailsService(userDetailsService());
      PreAuthenticatedAuthenticationProvider preAuthProvider = new PreAuthenticatedAuthenticationProvider();
      preAuthProvider.setPreAuthenticatedUserDetailsService(new UserDetailsByNameServiceWrapper<>(userDetailsService()));
      return new ProviderManager(Arrays.<AuthenticationProvider> asList(daoAuthenticationProvider, preAuthProvider));
    }

    @Bean
    public UserDetailsService userDetailsService() {
        if (userDetailsService == null) {
          userDetailsService = this.initUserDetailsService(passwordEncoder());
        }

        return userDetailsService;
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    private UserDetailsService initUserDetailsService(PasswordEncoder passwordEncoder) {
        UserDetails theUser = User.withUsername(apiConfig.getUsername())
                .password(passwordEncoder.encode(apiConfig.getPassword())).roles("USER").build();

        InMemoryUserDetailsManager userDetailsManager = new InMemoryUserDetailsManager();
        userDetailsManager.createUser(theUser);

        return userDetailsManager;
    }
}

Your client microservice only need to swap the configured credentials for an access token, and use the returned JWT as the value of a Bearer HTTP Authorization header when you invoke a protected endpoint. It should be straightforward but let me know if you need further help on this.