Creating OAuth 2.0 Login Provider with Spring Boot


These resources describe how to use various OAuth 2.0 and OIDC 1.0 authentication providers as part of logging the user in during the authorization code grant flow with Spring Boot 2.

How would one create and quickly stand up such an OAuth 2 compliant authentication provider from scratch in Spring Boot itself instead of using Okta, Google, GitHub or Login with Amazon (LWA)?

My use case is an Alexa skill as an OAuth 2.0 client that is configured via its account linking feature (through LWA) to return a (non-OID) OAuth token as part of its authorization code flow, which then gets propagated into my web service via a registered Alexa webhook URL.

From my research, the CloudFoundry User Account and Authentication (UAA) Server project seems to be fitting for such a scenario; however, I'm not too sure if it's the simplest choice.

Ultimately, I'm looking for a way to override the authorization token that is returned to the Alexa OAuth client app with a custom-made token which I can somehow inject during the token generation process. What are the classes on the Spring Security OAuth side that are responsible for token generation, and is there a way to hook up my own generation strategy there to override the default? Are there any working code samples someone can refer me to?


As I understand your question, you are looking for a possibility to grant authorization tokens on your own, based on a third-party authorization token.

For this purpose I would recommend a custom spring-security Authorization Server. This server is capable of generating OAuth tokens on its own. Maybe it is possible, with the help of some configuration, to configure the custom Authorization Server so that it will rely on the third-party authorization tokens. This guide should help you out.

You can find the spring-security Authorization Server documentation here.

Another solution would be to use a Keycloak identity provider. It is also capable of so-called identity brokering, meaning relying on third-party tokens and granting its own tokens based on them. Keycloak is also capable of authorization.
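To make the answer's first suggestion concrete, here is an added configuration example (not code from the question, the answer, or the Spring project) showing where token generation is hooked in Spring Authorization Server 1.x: the `OAuth2TokenCustomizer<JwtEncodingContext>` bean adds claims to every access token the server signs, and the `OAuth2TokenGenerator` bean is the place to swap in a fully custom generation strategy. The class name `AlexaAuthServerConfig`, the client id `alexa-skill`, the scope `skill.read`, the claim names, the redirect URI and the client secret are assumptions or placeholders; the default authorization-server `SecurityFilterChain`, a user-login chain and an `AuthorizationServerSettings` bean from the project's getting-started guide are assumed to be configured alongside this class.

```java
// Added example, not from the original page: minimal Spring Authorization Server wiring that
// registers the Alexa skill as a confidential client and hooks custom token generation.
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.time.Duration;
import java.util.UUID;

import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.source.ImmutableJWKSet;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.proc.SecurityContext;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.security.oauth2.core.OAuth2Token;
import org.springframework.security.oauth2.jwt.NimbusJwtEncoder;
import org.springframework.security.oauth2.server.authorization.OAuth2TokenType;
import org.springframework.security.oauth2.server.authorization.client.InMemoryRegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.settings.ClientSettings;
import org.springframework.security.oauth2.server.authorization.settings.TokenSettings;
import org.springframework.security.oauth2.server.authorization.token.DelegatingOAuth2TokenGenerator;
import org.springframework.security.oauth2.server.authorization.token.JwtEncodingContext;
import org.springframework.security.oauth2.server.authorization.token.JwtGenerator;
import org.springframework.security.oauth2.server.authorization.token.OAuth2AccessTokenGenerator;
import org.springframework.security.oauth2.server.authorization.token.OAuth2RefreshTokenGenerator;
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenCustomizer;
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenGenerator;

@Configuration
public class AlexaAuthServerConfig { // hypothetical class name

    // The Alexa skill as a registered confidential client. The redirect URI and secret are
    // placeholders: take the real redirect URIs from the skill's account-linking page and keep
    // the secret out of source code (environment or secret store), stored hashed.
    @Bean
    RegisteredClientRepository registeredClientRepository() {
        RegisteredClient alexa = RegisteredClient.withId(UUID.randomUUID().toString())
                .clientId("alexa-skill")                                   // assumed client id
                .clientSecret("{noop}REPLACE_WITH_REAL_SECRET")            // {noop} only for local testing
                .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
                .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                .authorizationGrantType(AuthorizationGrantType.REFRESH_TOKEN)
                .redirectUri("https://REPLACE-WITH-ALEXA-REDIRECT-URI/")   // placeholder
                .scope("skill.read")                                       // assumed scope
                .clientSettings(ClientSettings.builder().requireAuthorizationConsent(true).build())
                .tokenSettings(TokenSettings.builder()
                        .accessTokenTimeToLive(Duration.ofMinutes(15))     // short-lived access tokens
                        .build())
                .build();
        return new InMemoryRegisteredClientRepository(alexa);
    }

    // Signing key for JWT access tokens. Generated at start-up here for illustration only;
    // a real deployment loads a persisted key so issued tokens stay verifiable after a restart.
    @Bean
    JWKSource<SecurityContext> jwkSource() throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair pair = gen.generateKeyPair();
        RSAKey key = new RSAKey.Builder((RSAPublicKey) pair.getPublic())
                .privateKey((RSAPrivateKey) pair.getPrivate())
                .keyID(UUID.randomUUID().toString())
                .build();
        return new ImmutableJWKSet<>(new JWKSet(key));
    }

    // The hook the question asks about: this customizer runs for every JWT the server encodes
    // and can add or change claims before the token is signed.
    @Bean
    OAuth2TokenCustomizer<JwtEncodingContext> tokenCustomizer() {
        return context -> {
            if (OAuth2TokenType.ACCESS_TOKEN.equals(context.getTokenType())) {
                context.getClaims()
                        .claim("linked_account", context.getPrincipal().getName()) // assumed claim
                        .claim("client", context.getRegisteredClient().getClientId());
            }
        };
    }

    // Explicit generator wiring: JwtGenerator (with the customizer) handles JWT access tokens,
    // the other two cover opaque access tokens and refresh tokens. Replacing JwtGenerator with
    // your own OAuth2TokenGenerator implementation overrides the token format entirely.
    @Bean
    OAuth2TokenGenerator<? extends OAuth2Token> tokenGenerator(JWKSource<SecurityContext> jwkSource,
            OAuth2TokenCustomizer<JwtEncodingContext> customizer) {
        JwtGenerator jwtGenerator = new JwtGenerator(new NimbusJwtEncoder(jwkSource));
        jwtGenerator.setJwtCustomizer(customizer);
        return new DelegatingOAuth2TokenGenerator(
                jwtGenerator, new OAuth2AccessTokenGenerator(), new OAuth2RefreshTokenGenerator());
    }
}
```

The customizer is the lighter option when the default JWT format is acceptable and only the claims need to change; a custom `OAuth2TokenGenerator` is needed only when the token value itself must be produced differently. Either way the Alexa client never sees the third-party LWA token, only the token this server issues, so the access-token lifetime and the consent setting above bound what a leaked token can do.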