I am trying to configure my resource server and my authentication server, but I also want to let my users log in with third-party providers, like Google and GitHub.

The communication and token decoding work fine between my resource server and my own authentication server. The problem is that my resource server is unable to accept and authorize the tokens from Google and GitHub. I'm very confused about how to design and configure this. I know that the resource server is responsible for decoding the tokens and determining their validity, but I have no idea how to make the resource server validate the tokens issued by Google and GitHub.

Currently my resource server is configured to decode the tokens coming from my authentication server using a local public key and the issuer domain of my authentication server. However, I need to configure the Google and GitHub issuers as well, and I don't know how.

I would be very grateful for any sources, examples or supporting materials that I could look at to better understand how I should start this process.

Along with this, I will make the code I currently have available, although it does almost nothing out of the ordinary.

This is my resource server properties configuration:

spring.security.oauth2.resourceserver.opaquetoken.introspection-uri=http://127.0.0.1:8081/oauth2/introspect
spring.security.oauth2.resourceserver.jwt.public-key-location=classpath:keys/receba-pkey.pem
spring.security.oauth2.resourceserver.jwt.issuer-uri=http://127.0.0.1:8081

And this is my resource server configuration class:

import static java.util.Objects.isNull;

import java.util.Collections;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
@EnableWebSecurity
public class ResourceServerConfig {

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
                .authorizeRequests()
                // Public endpoints; everything else requires an authenticated request
                .antMatchers("/api/user/register", "/h2-console/**", "/actuator/health").permitAll()
                .anyRequest().authenticated()
            .and()
            .csrf().disable()
            .cors().disable()
            // JWT bearer tokens are decoded with the Boot-configured JwtDecoder
            // (public key + issuer from application.properties)
            .oauth2ResourceServer(resourceServer -> {
                resourceServer.jwt().jwtAuthenticationConverter(jwtAuthenticationConverter());
            }).oauth2Login();

        return http.formLogin(Customizer.withDefaults()).build();
    }

    // Maps the custom "authorities" claim to granted authorities, on top of the
    // default SCOPE_* authorities derived from the "scope" claim
    public JwtAuthenticationConverter jwtAuthenticationConverter() {
        var converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter((jwt) -> {
            var authorities = jwt.getClaimAsStringList("authorities");
            if (isNull(authorities)) {
                return Collections.emptyList();
            }
            var jwtGrantedAuthoritiesConverter = new JwtGrantedAuthoritiesConverter();
            var grantedAuthorities = jwtGrantedAuthoritiesConverter.convert(jwt);
            var grantedUserAuthorities = authorities.stream().map(SimpleGrantedAuthority::new).toList();

            grantedAuthorities.addAll(grantedUserAuthorities);
            return grantedAuthorities;
        });
        return converter;
    }
}

The authentication server doesn't have anything special either.

I already found this page in the Spring documentation, but I couldn't understand how to configure it or whether it applies to my case (if this is what I need to do):

OAuth 2.0 Resource Server Multi-tenancy

I would appreciate it if someone could provide an example that would work with both my authentication server and third-party authentication servers.

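The multi-tenancy page linked above describes exactly the mechanism the question is asking for: a `JwtIssuerAuthenticationManagerResolver` that reads the token's `iss` claim, picks the `JwtDecoder` registered for that issuer, and rejects tokens from any issuer that is not registered. The following configuration is an added example written for this answer, not code from the question or from the Spring project. It assumes Spring Security 5.x (the same `authorizeRequests()` style as the question), that the local authorization server at `http://127.0.0.1:8081` publishes OAuth 2.0 or OIDC discovery metadata (Spring Authorization Server does; a server that only hands out a PEM file would use `NimbusJwtDecoder.withPublicKey(...)` instead), and a placeholder Google client ID. Two caveats that matter for the design: Google signs OIDC ID tokens that can be verified this way, but the resource server must also check that the token's `aud` is its own client ID, otherwise an ID token Google issued to any other application would be accepted; and GitHub's user-login OAuth tokens are opaque strings, not JWTs, so they cannot be validated by a JWT decoder at all, which is why the usual design is to let your own authorization server handle the GitHub login and mint its own token for the resource server.

```java
import java.util.List;
import java.util.Map;
import java.util.function.Predicate;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimNames;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtDecoders;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtIssuerAuthenticationManagerResolver;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class MultiIssuerResourceServerConfig {

    // Issuer from the question plus Google's OIDC issuer. The client ID is a
    // placeholder (assumption) that must be replaced with the real Google client ID.
    private static final String LOCAL_ISSUER = "http://127.0.0.1:8081";
    private static final String GOOGLE_ISSUER = "https://accounts.google.com";
    private static final String GOOGLE_CLIENT_ID = "<your-google-client-id>.apps.googleusercontent.com";

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        // One AuthenticationManager per trusted issuer. This map is the allowlist:
        // a token whose "iss" is not a key here is rejected before any decoding.
        Map<String, AuthenticationManager> managers = Map.of(
                LOCAL_ISSUER, localTokenManager(),
                GOOGLE_ISSUER, audienceCheckedManager(GOOGLE_ISSUER, GOOGLE_CLIENT_ID));

        // The resolver only peeks at the unverified "iss" claim to choose a decoder;
        // the chosen decoder then verifies signature, issuer and timestamps.
        JwtIssuerAuthenticationManagerResolver resolver =
                new JwtIssuerAuthenticationManagerResolver(managers::get);

        http.authorizeRequests(auth -> auth
                        .antMatchers("/api/user/register", "/actuator/health").permitAll()
                        .anyRequest().authenticated())
                .oauth2ResourceServer(rs -> rs.authenticationManagerResolver(resolver));
        return http.build();
    }

    // Tokens from the question's own authorization server. Assumes the server
    // publishes discovery metadata at LOCAL_ISSUER; fromIssuerLocation fetches the
    // JWKS URI from it at startup and enforces iss == LOCAL_ISSUER.
    private AuthenticationManager localTokenManager() {
        NimbusJwtDecoder decoder = JwtDecoders.fromIssuerLocation(LOCAL_ISSUER);
        JwtAuthenticationProvider provider = new JwtAuthenticationProvider(decoder);
        provider.setJwtAuthenticationConverter(localAuthoritiesConverter());
        return provider::authenticate;
    }

    // Google ID tokens: signature checked against Google's published JWKS, plus an
    // explicit audience check so an ID token minted for another client is refused.
    // The default validator only covers issuer and expiry, not audience.
    private AuthenticationManager audienceCheckedManager(String issuer, String expectedAudience) {
        NimbusJwtDecoder decoder = JwtDecoders.fromIssuerLocation(issuer);
        OAuth2TokenValidator<Jwt> issuerAndTimestamps = JwtValidators.createDefaultWithIssuer(issuer);
        Predicate<List<String>> hasAudience = aud -> aud != null && aud.contains(expectedAudience);
        OAuth2TokenValidator<Jwt> audience = new JwtClaimValidator<>(JwtClaimNames.AUD, hasAudience);
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(issuerAndTimestamps, audience));
        JwtAuthenticationProvider provider = new JwtAuthenticationProvider(decoder);
        return provider::authenticate;
    }

    // The custom "authorities" claim from the question only exists in tokens from
    // the local server, so this converter is attached to that issuer alone.
    private JwtAuthenticationConverter localAuthoritiesConverter() {
        JwtGrantedAuthoritiesConverter claimConverter = new JwtGrantedAuthoritiesConverter();
        claimConverter.setAuthoritiesClaimName("authorities");
        claimConverter.setAuthorityPrefix("");
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(claimConverter);
        return converter;
    }
}
```

With this in place the `spring.security.oauth2.resourceserver.jwt.*` properties from the question are no longer needed, because each decoder is built explicitly; keeping the `opaquetoken.introspection-uri` property alongside a JWT decoder is also unnecessary unless the resource server really has to accept both token formats. Note that `JwtDecoders.fromIssuerLocation` performs an HTTP request to each issuer when the context starts, so the local authorization server has to be reachable at boot.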