What is the resource server?
The resource server is the OAuth 2.0 term for your API server. For example, In your company, you might have servers such as user details server, invoices server, and order server. These servers implement the use cases of your business.
These resource servers can be secured using AWS Cognito.
- First, the application obtains the access token from Cognito
- Then, the token will be included in the request header.
- Finally, you can call the resource server
 |
| Access server-side resources |
How to implement it?
You can use Spring boot to develop resource servers.
Dependencies
- Spring boot: 2.4.0-M1
- OpenJDK 11
Step 1
Add spring-security-oauth2-resource-server as a dependency and set jwk-set-uri and issuer-uri to your properties file.
Get jwk-set-uri and issuer-uri values from AWS Cognito Console. Get the user pool id from the user pool and construct the URLs using that values and the region.
 |
| User pool |
Step 2
Configure Spring security.
"/status" route has no security restrictions, but other routes are secured.
Step 3
Enable Cognito groups in Spring, so you can add restrictions based on the user role/group. To do this, we need to add a JwtDecoder and a Converter.
JwtDecoder can be used to Configure the validations (Validating token window).
The converter is used to add cognito:groups as authorities to the set of claims.
Now you can restrict access to your routes with @PreAuthorize annotation. I have ROLE_USER, ROLE_ROASTER, and ROLE_ADMIN groups in my AWS Cognito.
Final Step
The final step is to add resource servers to the Cognito. In this step, you have to add the URL of your API to Cogito.
 |
| Define resource servers |
Full project: https://github.com/h-hub/cognito_spring_resource_server
Update 1: 2020/02/01 bug fixes. check Github.
How to test: Send the token in the header as Bearer token. Check the below example.
curl -X GET "http://localhost:89/status" -H "accept: application/json" -H "Authorization: Bearer <access_token>"
The token is included in the header. Notice the "Beare"+WHITWSPACE in the header.
When testing the application, use these VM arguments.
-DISSURI=https://cognito-idp.ap-southeast-1.amazonaws.com/ap-southeast-xxxxxxxxxxxxx
-DJWKSETURI=https://cognito-idp.ap-southeast-1.amazonaws.com/ap-southeast-xxxxxxxxxx/.well-known/jwks.json
References
- https://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/#boot-features-security
- https://www.oauth.com/oauth2-servers/the-resource-server/
- https://docs.spring.io/spring-security/site/docs/5.4.0-M1/reference/html5/#oauth2resourceserver-jwt-decoder-builder
- https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-resource-servers.html
- https://docs.aws.amazon.com/cognito/latest/developerguide/scenario-backend.html
- https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-define-resource-servers.html
- https://medium.com/@arjunsk/resource-server-with-cognito-b7fbfbee0155
- https://www.oauth.com/oauth2-servers/differences-between-oauth-1-2/bearer-tokens/
Comments
Post a Comment