
Trela-dev/spring-security-oauth2-pkce-example


Spring Security OAuth2 Authorization Code Flow with PKCE + OpenID Connect 🚀

Project Description

Flow diagram (img_3.png). Image source: Auth0 Documentation

This project demonstrates the OAuth2 Authorization Code Flow with PKCE (Proof Key for Code Exchange) using Spring Security. The example shows how the authorization server issues an authorization code that is bound to a code_challenge, and later exchanges that code for an access token only if the client presents the matching code_verifier. 🎯

Steps:

  1. Run the application 🏃‍♂️
  2. Generate code_verifier and code_challenge 🔑
  3. Simulate authorization 🔐
  4. Exchange Authorization Code for Access Token 💼

Step 1: Running the application

Prerequisites:

  • Docker 🐳
  • Docker Compose 🔧
  • Java 21 ☕
  • Maven 📦

1. Run docker-compose to start the server (if using containers for database or other services).

docker-compose up

2. Start the Spring Boot application.

Build and run the Spring Boot application:

mvn clean spring-boot:run

Once the application starts, it prints a code_verifier, the matching code_challenge and a ready-made authorization link to the console. You will need all three in the next steps. ✅


Step 2: Generating code_verifier and code_challenge

Note: This is a simulation of the client. Normally, these values should be generated by the actual client itself, not by the authorization server. 🧑‍💻

After the application starts, you will see the following output in the console:

Code Verifier: PcS1UwuRAvDjGT1MCvQsYA27JHWam_WNQ1rjT4C6SIk

Link: http://localhost:8080/oauth2/authorize?response_type=code&client_id=client&scope=openid&redirect_uri=https://www.manning.com/authorized&code_challenge=3hRMSihmV7Xv9KncxXYe-uqN75AR1IuUbEn6NQKq_3M&code_challenge_method=S256

Code Challenge: 3hRMSihmV7Xv9KncxXYe-uqN75AR1IuUbEn6NQKq_3M

The values Code Verifier and Code Challenge will be required for the next steps. 📜

  • Code Verifier is a high-entropy random string generated by the client (RFC 7636 requires 43 to 128 characters from the set A-Z, a-z, 0-9, "-", ".", "_", "~"). It must be kept by the client and is never sent in the authorization request.
  • Code Challenge is the base64url-encoded (no padding) SHA-256 hash of the Code Verifier (method S256). It is a one-way derivation, not a shortened copy: an attacker who intercepts the authorization request learns the challenge but cannot recover the verifier from it.

Step 3: Simulating Authorization

Note: This is a simulation of the client requesting authorization. Normally the client application would redirect the user's browser to this link; here you open it by hand. 🧑‍💻

  1. Open your browser and paste the generated link:
http://localhost:8080/oauth2/authorize?response_type=code&client_id=client&scope=openid&redirect_uri=https://www.manning.com/authorized&code_challenge=3hRMSihmV7Xv9KncxXYe-uqN75AR1IuUbEn6NQKq_3M&code_challenge_method=S256
  2. You will be redirected to the login page (simulating the authorization process). Log in with the following credentials: username john, password 12345 📝
  3. After logging in, you will be redirected to the redirect_uri with the authorization code in the URL:
https://www.manning.com/authorized?code=a8yFcBug4Nktrmg8squEAoHwa3a2zVO9YqGVPfo-lEdtJjIEr9MWUYSDUHfLyGt3ScS8ky3x_y1IF5veKsqx_VERM6K2sSJbaqBYb0Kii70pa42nEjwezud_6y-YMlHS

The page at the redirect_uri does not know about this code; copy it from the browser's address bar (in this case, a8yFcBug4Nktrmg8squEAoHwa3a2zVO9YqGVPfo-lEdtJjIEr9MWUYSDUHfLyGt3ScS8ky3x_y1IF5veKsqx_VERM6K2sSJbaqBYb0Kii70pa42nEjwezud_6y-YMlHS). Authorization codes are single-use and short-lived, so move on to the next step promptly. 🔑


Step 4: Exchange Authorization Code for Access Token

  1. After obtaining the code from the URL, you can now exchange it for an Access Token with the following cURL request. 🔄

Replace the code value with the authorization code you received, and the code_verifier with the code_verifier generated by the application earlier.

curl -X POST "http://localhost:8080/oauth2/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -H "Authorization: Basic Y2xpZW50OnNlY3JldA==" \
  -d "grant_type=authorization_code" \
  -d "code=a8yFcBug4Nktrmg8squEAoHwa3a2zVO9YqGVPfo-lEdtJjIEr9MWUYSDUHfLyGt3ScS8ky3x_y1IF5veKsqx_VERM6K2sSJbaqBYb0Kii70pa42nEjwezud_6y-YMlHS" \
  -d "redirect_uri=https://www.manning.com/authorized" \
  -d "code_verifier=PcS1UwuRAvDjGT1MCvQsYA27JHWam_WNQ1rjT4C6SIk"

What happens in this request?

  • Authorization: HTTP Basic client authentication, where client:secret is base64 encoded as Y2xpZW50OnNlY3JldA==. This example registers a confidential client (it has a secret) and adds PKCE on top; a public client such as a SPA or mobile app would have no secret and would rely on PKCE alone.
  • grant_type=authorization_code: This indicates we are using the Authorization Code Flow.
  • code: The value of the authorization code obtained in the previous step.
  • redirect_uri: Must be exactly the redirect_uri sent in the authorization request; the server rejects the exchange if it differs.
  • code_verifier: The code_verifier that the application generated earlier. The server hashes it with SHA-256, base64url-encodes the result and compares it with the code_challenge stored alongside the code; if they do not match, no token is issued. 🎟️

After sending this request, you will receive a JSON response containing the access token (and, because the request used scope=openid, an ID token). The client presents the access token as a Bearer token to protected resources. ✅
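Here is an added Python example (not code from the Trela-dev project) showing both halves of what steps 2 to 4 describe: the client-side generation of code_verifier and code_challenge plus the authorization link and token-request form, and the check the authorization server performs at the token endpoint before exchanging the code. The endpoint URL, client_id, scope and redirect_uri are taken from the README's sample link; the example percent-encodes the redirect_uri, which the server decodes to the same value as the unencoded form shown above.

```python
"""PKCE helpers for the flow in this README (RFC 7636), written for both sides:
the client that generates code_verifier / code_challenge and builds the
authorization link (step 2), and the check the authorization server performs
at /oauth2/token before exchanging the code (step 4).

Added example, not code from the Trela-dev project. client_id, scope,
redirect_uri and the endpoint URL are taken from the README's sample link.
"""
import base64
import hashlib
import hmac
import re
import secrets
from urllib.parse import urlencode

AUTHORIZE_ENDPOINT = "http://localhost:8080/oauth2/authorize"  # from the README
CLIENT_ID = "client"                                           # from the README
REDIRECT_URI = "https://www.manning.com/authorized"            # from the README
SCOPE = "openid"

# RFC 7636 section 4.1: 43..128 characters from the unreserved set.
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def _b64url(raw: bytes) -> str:
    """base64url *without* padding, as RFC 7636 specifies."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


# ---- client side -----------------------------------------------------------

def generate_code_verifier(nbytes: int = 32) -> str:
    """Fresh verifier from a CSPRNG; 32 bytes -> 43 chars (256 bits of entropy)."""
    verifier = _b64url(secrets.token_bytes(nbytes))
    if not _VERIFIER_RE.match(verifier):
        raise ValueError("verifier outside RFC 7636 length/alphabet")
    return verifier


def code_challenge_s256(verifier: str) -> str:
    """S256 challenge = BASE64URL(SHA-256(ASCII(verifier))).

    A hash of the verifier, not a shortened copy of it: the verifier cannot be
    recovered from the challenge that travels in the authorization request."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(challenge: str) -> str:
    """The link the README prints; a real client would redirect the browser here."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "scope": SCOPE,
        "redirect_uri": REDIRECT_URI,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Value of the Authorization header used in the README's curl call."""
    token = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return "Basic " + token


def token_request_form(code: str, verifier: str) -> dict:
    """Form fields of the POST to /oauth2/token (the -d parameters of the curl)."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "code_verifier": verifier,
    }


# ---- authorization-server side ---------------------------------------------

def verify_pkce(stored_challenge: str, stored_method: str, presented_verifier: str) -> bool:
    """The check the token endpoint runs before exchanging the code.

    stored_challenge / stored_method were saved with the authorization code
    when it was issued; presented_verifier arrives in the token request.
    Unknown methods and malformed verifiers are rejected outright."""
    if not _VERIFIER_RE.match(presented_verifier):
        return False
    if stored_method == "S256":
        expected = code_challenge_s256(presented_verifier)
    elif stored_method == "plain":
        expected = presented_verifier
    else:
        return False
    return hmac.compare_digest(expected, stored_challenge)


if __name__ == "__main__":
    v = generate_code_verifier()
    c = code_challenge_s256(v)
    print("Code Verifier:", v)
    print("Link:", build_authorize_url(c))
    print("Code Challenge:", c)
    print("Server check passes:", verify_pkce(c, "S256", v))
```

Running the script reproduces the three console lines from step 2 with fresh values. The constant-time comparison in verify_pkce is what the server must do; a plain string compare would leak timing information about the stored challenge.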

Using Postman:

You can also perform this exchange using Postman. Here’s how to do it:

Basic Auth Configuration:

  1. Choose Basic Auth as the authentication method.

  2. Enter the Client ID and Client Secret (in your case, it's client:secret).

    Note: Since the client is hardcoded with a fixed client ID and secret, enter those values in the Basic Auth section, as in the screenshot below.

Screenshot of the Postman Authorization section: img_1.png

Setting Request Body:

  1. Go to the Body tab of your Postman request.
  2. Choose x-www-form-urlencoded as the body type.
  3. Now, add the following parameters:
    • grant_type: authorization_code
    • code: The authorization code obtained in the previous step.
    • redirect_uri: The same redirect URI used in the authorization request (https://www.manning.com/authorized).
    • code_verifier: The code_verifier that was generated by the application earlier. (This must match the one used in the code_challenge.)

Screenshot of the Postman Body section: img_2.png


Summary

After completing this process, you have a working OAuth2 Authorization Code Flow with PKCE implementation. The flow yields an access token that the client can present to a resource server to reach protected resources; PKCE ensures that a stolen authorization code is useless without the code_verifier that only the client holds. 🛠️
