How to Secure REST Endpoint Using Spring Boot and OAuth2

Sharing is caring!


In this article, I will provide a simple example to secure REST example by using Oauth2. I will not explain what Oauth2 protocol is all about in detail. In short, to implement this authorization framework, we need:

  • Authorization Server
  • Resource Server
  • Client
  • Resource Owner

I found this link is one of the best explanation regarding OAuth2 framework.

Use Case

I will create a simple OAuth2 authorization framework using spring-boot 2.1.x. The authorization server will have two scopes, which are READ and WRITE. It has 4 grant types, but for the rest I just use two types, which are PASSWORD and REFRESH TOKEN. And for the token itself, I will use JWT token.

All the source code are available in my github repository.

Step 1: Authorization Server


Step 2: Resource Server

In this resoruce server, I created two parts. One part is for resource server configuration, another part is for creating REST endpoint.



Run It

Retrieve Access Token

Make a POST request into url /oauth/token with Basic Authorization. Fill username with your CLIENT name and password with your SECRET value. Those values are configured in The content-type must be application/x-www-form-urlencoded.

Setting HTTP Basic Auth
Grant type, username and password

Request to Resource Server

All the requests to resource server require parameter access_token as part of the request.

Accessing insecure URL without any authorization.
Access endpoint for user who has role USER and scope READ.
Accessing endpoint for user who has role USER and scope TRUST. Since my authorization server does not have TRUST scope, so the request is denied.

Refresh Token

Just like retrieving access token, basic authorization must be set first with client and secret values. Then making a POST request with grant type refresh_token.

Refresh token

That’s All

Short posting for this one. Hope you enjoy it.


Author: ru rocker

I have been a professional software developer since 2004. Java, Python, NodeJS, and Go-lang are my favorite programming languages. I also have an interest in DevOps. I hold professional certifications: SCJP, SCWCD, PSM 1, AWS Solution Architect Associate, and AWS Solution Architect Professional.

4 thoughts on “How to Secure REST Endpoint Using Spring Boot and OAuth2”

  1. Hi
    Thanks for the explanation.
    I am wondering if this is based on new Spring Security 5 / Spring Boot 2.2 or older implementation using Spring Boot 1.5.x
    as security seems to have changed quite a bit in the new spring security

  2. I was wondering – do people typically secure the auth-server using SSL/TLS? I am trying to secure the auth-server from your example using a self-signed cert, but I can’t seem to get a token. I’m using Postman to call it, but it looks like it doesn’t get a response. Do you have an example that uses SSL/TLS?

    1. Yes, you should use SSL/TLS for auth-server. Usually, my approach is to put Nginx as a proxy server and configure the TLS there. Unfortunately, I do not have any example for TLS./SSL.

      Anyway, maybe you can use curl with –insecure flag first to bypass the request if you are using untrusted certificate.

      Hope this helps.

Leave a Reply

Your email address will not be published. Required fields are marked *